Critical flaw in Cortana allowed access to sensitive files in locked devices
Threats / Critical flaw in Cortana allowed access to sensitive files in locked devices
15 June 2018
A critical security vulnerability in Cortana allowed anyone with physical access to a computer to access data stored on the computer, to execute malicious code, and to retrieve confidential information straight from the lock screen.
Patched by Microsoft earlier this week, the vulnerability allowed users to interact with Cortana even when a computer was in locked mode, thereby allowing even strangers to use various voice commands to explore data stored in the system.
Third party access to locked devices
The vulnerability was uncovered by Senior Principle Engineer at McAfee Cedric Cochin who noted in a blog post that a user could not only search for data stored inside a computer, but could also create a contextual menu displayed on a locked Windows 10 device.
According to Cochin, when a user poses a question to Cortana even when a device is locked, Cortana brings up results from indexed files and applications, and that for some applications the content of the file is also indexed. In Windows 10 devices, the entire user folder structure is indexed, which includes the default location for most documents but also for mappings like OneDrive, and this helps a user to view not only the full path of a file, but also its contents.
“Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device,” he added.
“We’re seeing yet another reminder of the potential security and privacy risks of our technology-driven and always-connected world. This instance reminds me of the previous Siri hack allowing attackers to unlock an iPhone by activating a task on the device,” said Larry Trowell, associate principal consultant at Synopsys.
“In the case of Cortana, the CVE allows users to access the search feature of the operating system. The smart assistant is pretty much just the vector by which to access the search feature. These assistants are given the same (and in some cases more) access to the system as users. The use of this feature by users and attackers while the system is locked hasn’t been completely thought through, as we can easily see from the Cortana situation.
“While a fix for the vulnerability has been issued, there are still other areas in which these assistants can be used to carry out an attack. For example, I see no reason why the dolphin attacks (that came to light last year) triggering cell phone smart assistants to call numbers and launch apps couldn’t be modified to attack a distracted user. The software is neat, interesting, and fun to use. It also opens up a lot of areas that possibly haven’t been thought through properly,” he added.
Lane Thames, senior security researcher at Tripwire, said that from an application perspective, the exposure is huge compared to a traditional application such as email or web browsing, and this is due to the “smart assistance” provided by this technology.
“Almost by definition, an assistant has to perform all kinds of functionality, even functionality that we haven’t implemented yet. All of these assistant technologies such as Cortana, Alexa, and Google Home, generally speaking, have very limited “smartness” local to the device. Instead, the smartness comes from the service’s backend cloud that uses technologies such as Big Data, Artificial Intelligence, Machine Learning, massive search databases, etc. This is where the functionality of the assistant comes from,” he added.