Microsoft has resolved the issue, but more could be on the way.
Researchers discovered a way to bypass the Windows lock screen and infect a computer with malware using voice commands via the Cortana virtual assistant.
First reported by Motherboard, independent researchers Tal Be’ery and Amichai Shulman noticed Cortana, which comes preinstalled on Windows 10, listens and responds to certain voice commands even after a computer goes to sleep. It does enough to let someone with physical access insert a USB drive and run malicious software.
Using voice commands, hackers can tell Cortana to open a web browser and pull up an unprotected webpage, meaning one that doesn’t encrypt web traffic. The USB network adapter then listens in and redirects the computer to another malicious website where malware downloads onto the system. All of this happens while the passcode-protected computer innocently displays its lock screen.
That’s not all. The hacker can then connect the computer to their Wi-Fi network by simply clicking on it, even when the machine is locked. Once a hacker gains control, they can use the computer to remotely spread malware to other nearby machines connected to the same local network. They do this by playing a sound file on the first infected computer that tells those machines to access a certain website. For example, it might say “Hey Cortana, go to Microsoft.com.” Using a proxy called Newspeak, the hackers can intercept all commands sent from nearby computers and redirect them to malicious sites.
You can get an idea of how a locked computer can be accessed via Cortana from this YouTube video Motherboard unearthed.
Microsoft fixed the vulnerability after the researchers informed them of the issue. Be’ery and Shulman told Motherboard that Cortana still responds to certain commands when locked, and they’re researching if other vulnerabilities exist.
We’ve seen hackers take over machines by infecting wireless accessories, like a keyboard or mouse. But the only incident we’re familiar with that involves voice assistants requires advanced techniques. In September, scientists from China’s Zhejiang University published research demonstrating the use of ultrasonic, or inaudible high-frequency, sounds to break into voice assistants like Siri, Alexa, or Cortana. It’s an interesting technique, but not a viable method for most hackers.
The issue that plagued Windows machines is much more alarming and proves that even the latest technologies create new security vulnerabilities for hackers to exploit.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.