Windows 10 flaw allowed attackers to open malicious websites… even if your PC was locked

You may think your Windows 10 computer is locked, but is it really?

Israeli researchers Tal Be’ery and Amichai Shulman have discovered a way of using nothing but voice commands to make a locked Windows 10 computer visit a website under the control of malicious hackers… and potentially install malware.

The problem lies in Cortana, the voice assistant that Microsoft built into Windows 10. As Apple, for instance, has learnt to its cost on numerous occasions with Siri, unless they are properly controlled, voice assistants can be a weakness on modern devices, opening opportunities for unauthorised users to perform functions from the lock screen.

As the researchers tell it, a malicious hacker could sit at a locked Windows 10 PC and plug in a USB network adapter. With that in place, the hacker can simply give Cortana a verbal command to open the web browser and head to an unencrypted HTTP webpage.

The adapter plugged into the USB port intercepts the request, but redirects the browser to a malicious webpage instead.

A YouTube video demonstrates the exploit in action:

As Motherboard explains, with one computer infected in an organisation there exists the possibility for an attacker to spread laterally to other computers on the same network, stealing information surreptitiously.

Why does Cortana continue to listen for commands when a Windows 10 PC is locked? Well, your guess is as good as mine – but this is clearly a potential problem, especially when you consider that many users will not have bothered to train their PC to obey only a single user’s voice.

For that reason, I recommend users disable voice commands entirely when the PC is locked. You want to talk to your computer? Take a few seconds to unlock it first.
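On a managed fleet the lock-screen setting can be enforced centrally rather than trusting every user to find the toggle. The PowerShell audit-and-remediate script below is an added example, not code from the original article or from the researchers; it assumes the Group Policy registry value AllowCortanaAboveLock under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search, and the per-user preference VoiceActivationEnableAboveLockscreen, whose path is an assumption you should verify on your own build.

```powershell
# Added example: report whether Cortana can be driven from the lock screen,
# then enforce the Group Policy that blocks it. Run from an elevated prompt.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyName = 'AllowCortanaAboveLock'   # 0 = blocked; 1 or absent = allowed

# Per-user toggle ("Use Cortana even when my device is locked").
# Assumed path: confirm it on your image before relying on the audit result.
$UserKey  = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
$UserName = 'VoiceActivationEnableAboveLockscreen'

function Get-CortanaAboveLockState {
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $UserKey   -Name $UserName   -ErrorAction SilentlyContinue

    $policyValue = if ($policy) { [int]$policy.$PolicyName } else { $null }  # $null = not configured
    $userValue   = if ($user)   { [int]$user.$UserName }     else { $null }

    # Policy wins. Without a policy, fall back to the user's own toggle; with
    # neither set, treat the machine as exposed (the toggle defaulted to on).
    if ($null -ne $policyValue)   { $allowed = $policyValue -ne 0 }
    elseif ($null -ne $userValue) { $allowed = $userValue -ne 0 }
    else                          { $allowed = $true }

    [pscustomobject]@{
        PolicyValue      = $policyValue
        UserValue        = $userValue
        AllowedAboveLock = $allowed
    }
}

function Disable-CortanaAboveLock {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-CortanaAboveLockState
if ($before.AllowedAboveLock) {
    Write-Warning "Cortana accepts commands on the lock screen (policy=$($before.PolicyValue), user=$($before.UserValue))."
    Disable-CortanaAboveLock
    $after = Get-CortanaAboveLockState
    Write-Host "AllowCortanaAboveLock is now $($after.PolicyValue): lock-screen voice commands blocked."
} else {
    Write-Host 'Cortana is already blocked above the lock screen.'
}
```

The policy value applies to every user on the machine; a domain-wide GPO that sets the same value is the equivalent for a fleet.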

The truth is that when someone has physical access to your computer, even if you have locked it, it may only take them a minute or so to install malicious code. Even if you have logged off and turned off the power, there’s still the potential for a criminal to go into your BIOS and tell the computer to temporarily boot up from a USB stick containing malware.

When you come back five minutes later you really have no clue what’s been happening in your absence.

The vulnerability was responsibly disclosed to Microsoft, which has already patched the described attack by routing browser-based commands directly to the Bing search engine instead.

However, as there remains the potential for Cortana to execute other commands that could perhaps be hijacked by an attacker, I find myself asking once again whether voice assistants are really that useful for the majority of us. Do the benefits of a voice assistant outweigh the risks?

All I can tell you is that, on my technology devices, I disable voice assistants wherever possible. Sometimes “progress” comes at a price – you may be wise to weigh up just how much “progress” you’re making before you pay dearly.

About the author

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.