Digital assistants help us look up the weather, play our favorite music, and quickly access a lot of our personal information. Between Amazon Alexa, Google Home, and Microsoft Cortana, these services have become all the rage. However, according to the McAfee Labs Advanced Threat Research (ATR) team, the last of these can be easily compromised, which is why the team has submitted a vulnerability to Microsoft involving the default settings for Windows 10 and the Cortana voice assistant. The vulnerability can be used to do things such as retrieve information from Cortana, start an application from the Windows lock screen, and even log into a Windows 10 device without a user interacting with the computer.
To understand how someone can take advantage of this vulnerability, imagine you are sitting at your favorite coffee shop and need to use the restroom. As a security-minded individual, you lock your computer’s screen thinking that would keep bad people from accessing your information. With this vulnerability, all someone would have to do is say, “Hey Cortana,” then follow a few simple steps to gain access to the treasure trove of information, no reboot required.
McAfee researcher Cedric Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana; he simply clicked on the “tap and say” button and started typing in words. At that point, he could hover over search results, which included documents and other files, and see where they led on that computer. What’s more, he took it a step further and figured out a way to access certain confidential files and information.
Though there are limitations to what cybercriminals could do, there are ways they can get the right file results to show up, which have been outlined in our McAfee Labs blog post on this topic. By leveraging one of these techniques, cybercriminals could use this vulnerability to take malicious actions such as resetting passwords on a Windows 10 computer, even though the device is technically locked. In only a few seconds, an attacker has full access to a computer.
With the discovery of this vulnerability, the next question is – what can I do to not be a victim of this? Start by following these security tips:
- Don’t leave your computer unattended. It’s important to note that this vulnerability is completely dependent on physical access to a Windows 10 computer with Cortana. Now that this vulnerability has been disclosed, it’s important that you keep a close eye on your computer until you apply the update from Microsoft.
- Apply updates immediately. The good news is – today is Patch Tuesday! And fortunately the update that Microsoft is rolling out today has a fix for this vulnerability to protect your Windows 10 computer. Be sure to update your computer immediately.