Black Hat: Windows 10 and the Cortana vulnerability

[German]At the current Black Hat conference in Las Vegas, security researchers showed how easy it was to use Cortana ito bypass security functions under Windows 10. Microsoft has closed (come of) the vulnerabilities. 


Advertising


That wizards like Siri, Google Now or Cortana are good for all kinds of surprises of the negative kind, has been shown in several cases – I had already addressed it in various German blog posts. In my German blog post Cortana: Interesse bei Unternehmen, aber Sicherheitslücke I mentioned also a vulnerability discovered in Windows 10, where Cortana can be misused for criminal purposes using PowerShell even when the system is locked. However, the vulnerability (CVE-2018-8140) was closed with the June 2018 patchday.

Cortana as Open Sesam

Under the title Open Sesame: Picking Locks with Cortana the CVE-2018-8140 vulnerability (see announcement here) was addressed again by a team from the Technion Israel Institute of Technology led by Professor Amichai Shulman. The security researchers had asked themselves how the language assistants in devices affect security in corporate environments.

Microsoft Cortana is used on mobile and IoT devices, but also on corporate computers, because it is enabled with Windows10 by default and is always ready to respond to user commands, even when the machine is locked. Interacting with a locked machine is a dangerous architectural decision. Early in 2018, security researchers discovered the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network functions to deliver a malicious payload to the affected machine.

At the Blackhat conference security researchers demonstrated how a powerful vulnerability in Cortana allows attackers to take over a locked Windows machine and execute arbitrary code. By exploiting the ‘Open Sesame’ vulnerability, attackers can view the content of sensitive files (text and media), browse any website, download and execute any executable files from the Internet, and may be granted elevated privileges.

German site heise.de has published this article with some details. After activating Cortana (“Hey, Cortana?”) it is sufficient to press any key on the keyboard. The search dialog of the operating system opens and shows, for example, preview images of photos or text documents. All this happens, mind you, on a locked Windows 10 screen.


Advertising

If a USB stick is connected to the system, an executable file can be searched via Cortana and started with a simulated click. A query of the user account control can be bypassed if necessary (keyword: UAC Bypassing). This opens up the possibility of selecting and starting malware via the search function in order infect the locked system.

Alternatively, an HTTP page set up as watering-hole to distribute malware could be opened by voice command. According to heise.de the security researchers used the Remote Desktop Protocol to send voice commands via network directly to other victims system without having to use the microphone of the target computer.

Furthermore heise.de describes a fourth attack method, which uses malicious Cortana skills, which the attackers added to the Cortana channel before. Then these Cortana skills could be activated by voice command (including the release of the installation of an untrustworthy plug-in).

To make matters worse, exploiting the vulnerability does not involve external code or questionable system calls, so code focused defenses such as antivirus, anti-malware and IPS are usually blind to attack.

An interview with CNBC is available here. As mentioned above, the CVE-2018-8140 vulnerability has been closed since June 2018 patchday. The question remains how many other undetected security holes are still dormant. According to Professor Amichai Shulman, his students have discovered further security holes in Cortana. Since these are unfixed, details were not revealed. But even if they are fixed at some point, the attack vector won’t get smaller due to the inflation of Windows 10 features propagated by Microsoft’s developers. Or how do you see it?


Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *