Cortana will helpfully let you break into locked Windows PCs

JC Torres - Jun 13, 2018
The ubiquity of voice-controlled smart assistants like Amazon Alexa, Google Assistant, Apple Siri, and even Microsoft Cortana should probably motivate an audit of our platforms’ security features, because more often than not, the almost overarching powers given to these virtual assistants come at the price of, well, giving them too much power. Cortana may not be the most famous of the bunch but, considering it’s pre-installed on every Windows 10 PC, laptops and tablets especially, it has even more potential to do harm, as this McAfee report proves.

If you ask Cortana nicely, “she” will let you access locked PCs, execute potentially malicious programs, and even change the user’s password. This isn’t actually the first time this kind of vulnerability has been reported, but this time it’s a tad easier because you don’t need a working Internet connection for the exploit to be triggered. All the hacker needs is physical access to the Windows 10 device.

The vulnerability boils down to two Windows 10 features. One is how extensively Windows indexes files, including their contents. The other is the inconsistent and insecure way Cortana can present search results, and actions related to those results, even on the lock screen. In a nutshell, Cortana can be told to execute a malicious script on a USB drive that will change the user’s password and let someone else log into the account.

Fortunately, it’s a rather convoluted process that requires physical access to the machine, not to mention time. Not a problem if you always have your computer with you. But if you’re stepping away from your computer in a public place or even in the office, then you could be asking for trouble. Then again, if someone else already has physical access to your computer, then there can be other ways to get to important data.

Microsoft has already patched the vulnerability in the latest update released on 12th June. Good thing it no longer waits for weeks or months before rolling out fixes. Given this is already the second publicized vulnerability involving Cortana, however, Microsoft should perhaps double-check the entire stack and disable Cortana on the lock screen by default. In any case, the latter is probably advisable even if Microsoft doesn’t do it itself.

