Black Hat 2018: Cortana Flaw Allowed Takeover of Locked Windows 10 Device

A flaw in Cortana allowed researchers to take over a locked Windows machine and execute arbitrary code.

LAS VEGAS – Researchers sounded the security alarm here at Black Hat over issues tied to voice control – specifically with the Windows Cortana service.

On Wednesday they outlined a flaw (patched in June by Microsoft) dubbed “Open Sesame” that allowed an adversary to bypass a Windows 10 lock screen using the voice assistant Cortana and unleash a number of “dangerous” functions.

“Adding functionality on a locked screen is a slippery slope… We didn’t think someone looked at the entire system and asked the question, can my computer be hacked by voice?” security researcher Amichai Shulman said. Shulman discovered and broke down “Open Sesame” and other vulnerabilities, along with Tal Be’ery, of Kzen Networks, and Ron Marcovich and Yuval Ron of the Israel Institute of Technology.

Thanks to Cortana’s “universal access methods” – specifically Microsoft Windows 10’s default support for the voice assistant – researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.

The root cause behind “Open Sesame” (CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard –  but allows Cortana invocation through the voice. So once Cortana is invoked, the lock screen no longer restricts it.

Once they exploited the flaw, attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges, researchers said.

Alarmingly, exploitation of this flaw did not involve any external code – making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack, they said.

Part of the issue behind the attack is because the UI on the locked Windows 10 screen now has app functionality even before unlocking – while before that did not exist – the responsibility in securing the system has shifted to developers, researchers said.

“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it’s the developers’ responsibility,” said Be’ery.

The researchers reported the vulnerability to Microsoft April 18 (days later McAfee researchers also reported the same bug) and Microsoft issued a patch on June 18.

Going forward, researchers suggested that for the time being users can disable Cortana voice in corporate environments or at least on their locked screens.

“When introducing innovative concepts into existing environments, secure coding is not enough – we need secure system engineering,” said Be’ery.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.