CyberWire Daily - Cortana voice assistant lets you in. [Research Saturday]
Episode Date: August 4, 2018Researchers at McAfee recently discovered code execution vulnerabilities in the default settings of the Cortana voice-activated digital assistant in Windows 10 systems. Steve Povolny is head of adva...nced threat research at McAfee and he shares their findings. The research can be found here: https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So Cortana is a, what we call a digital assistant or a voice-based assistant,
similar to Alexa, Google, and a number of offerings that have come onto the market
in the last few years.
That's Steve Pavolni. He's head of advanced threat research at McAfee.
The research we're discussing today is titled,
Want to break into a locked Windows 10 Device? Ask Cortana.
Essentially, SHE, I think we can say SHE, is a digital assistant for Windows devices, default loaded onto Windows 10 devices,
and allows you to interact with the operating system to do a number of tasks,
from as simple as search and retrieve functionality to executing applications
to just checking the weather or seeing what the scores are with your favorite sports team.
And she's also used nowadays to connect to a number of different devices as well.
And that's an interesting piece of research as well. Kind of why we started looking at
digital assistants is the number of devices that they start to manage and control. And Cortana
is a little bit more specific in that it's tied pretty exclusively to Windows at this time, but
enormous amount of functionality and really Windows let her off the leash a little bit in
terms of what her capabilities were. And that's why we started looking into research on this platform.
So with a standard Windows 10 install, what sort of things can Cortana do for you without unlocking the system?
Well, when Windows 10 was first released, the security industry had a heyday because there was a number of default options that were less than satisfactory to your average security researcher.
And these included openly sharing private information with public networks, network keys and exchanging those and a number of default settings that really just didn't fly.
This is a default setting, Cortana being enabled, of course, which is really something that most people wouldn't balk at.
But it goes a little bit further in that Microsoft made the decision to enable Cortana from the lock screen itself.
And of course, as I said, the word Cortana,
my computer started to respond because I've been doing so much testing on it.
So it's very accurate at listening. But essentially, having Cortana enabled from
the lock screen is probably a choice that should be opt-in for most users. And based on that,
we wanted to understand whether there were any flaws or weaknesses or bypasses.
And a set of Israeli researchers did some really interesting research called Bad USB,
which led us down this path and allowed us to discover some options within Cortana at the lock screen
that probably shouldn't have been presented.
And that's exactly what Microsoft has addressed here.
So it all begins with Windows indexing.
Describe to us what's going on here and how does that start the story?
The indexing feature in Windows really just lets us understand a little bit more about what's going
on behind the scenes. It's not directly related to the vulnerability itself, but indexing is what
allows us to see within the search results for Cortana what we might have access to. And indexing can be as simple as the file name
or properties and can be as deep as the contents of the file. And the reason that's interesting
is we can actually predict or preview ahead of time from Windows indexing processes which
documents we might be able to view contents of, which could contain confidential or sensitive
information, even from the lock
screen.
And if you have read the article, of course, you can see that from an unlocked screen,
you have the same functionality within search as you do from the lock screen using this
bypass.
One such functionality includes being able to type in the context menu or in the contextual search menu and actually retrieve contents based on your search from those indexed files.
Now, that is actually a decision that Microsoft has made from the unlock screen,
and you can imagine why it makes sense to be able to effectively search through the contents of your documents,
but probably something that shouldn't be done when a user is locked out of the computer.
So let's be explicit here. So you've got a locked machine, you give a command to this digital
assistant. What specifically do you say and what information could be revealed?
We went through a number of iterations and testing here. And the discovery credit actually
goes to Cedric Cachan, who is a researcher here at McAfee and was just playing around with the functionality of Cortana when he discovered that she will actually, while listening to a query from the lock screen, allow for keyboard input.
And while Cortana is waiting to retrieve results or as you start to speak your query or type your query, you can actually bring up that contextual menu.
And we went through a number of different iterations in that testing where we had thought
it was a specific key sequence that brought up the context or search menu from the lock screen,
but ultimately discovered that pretty much just typing in the keyboard while you're querying,
and we use the space character, allows you to bring up this search menu and kills off the
voice-based search. Now, it'll be a little bit flaky in that sometimes Cortana audio will take back over
and will kill off your search menu.
But in that case, you can literally just hit the escape key and hit spacebar again,
and you'll get that search window.
It also is a little bit restrictive in that you can only type forwards,
meaning you can't delete or backspace.
So we use it as a typing trainer for our interns as well, in that you have to repeat your commands, sometimes complicated
PowerShell commands, without mistaking your spelling or making an error there. And if you do,
you just hit escape and start over. But ultimately, what this allows you to do is achieve exactly the
same functionality as you would using search commands or executing commands
from within the unlocked computer. And some of the concerns that that brings up are highlighted
in the blog. And that's exactly what we explored. Yeah, you've got some examples here of being able
to pull up the contents of files that have names like passwords.txt. And so the actual passwords themselves
could be revealed from the lock screen.
Yeah, and typically this would be,
I would say that this is a flavor of the attack
that is really interesting
from an information leak perspective.
And we actually expected that this would be possible
as soon as we found this contextual or search menu.
But what this allows you to do
is read the plain text of any
file that has had its contents indexed, going back to our discussion earlier. And the demonstration
that we used in there was just a notepad file where many people are in the habit of copying
down, for example, their tax password or their login password to their bank. And a lot of folks
will store that in plain text in a
document or just on the desktop, anywhere on the index drive. And we can use that knowledge to
predict the types of search strings or search queries that will return those contents. Now,
password is an obvious and easy kind of guess, but really anything that we type here or where
the content is indexed in the file should return a result from that search menu in a lock screen.
And password is just a great example because it makes sense to everyone, but it's certainly not limited to that scope.
It's really anything that you can think of that might be sensitive and is indexed.
So that's horrifying enough, but it gets worse.
You've actually come up with some ways to execute code. Walk us through this.
So we looked at two different ways to execute code. And really, we didn't think that this was going to be possible. As Cedric was analyzing the information leak, the ability to pull sensitive information, what he started to find was within that search menu that contextual menu the way that files and
folders and content were returned to him were different based on how recently the document
had been accessed what the file extension was and this led to a really unique discovery which is
windows is predicting what kind of search query you're entering, what type of file you're trying to retrieve, and it's also looking at what the file extension or file type is, and it's going to present some options to you based off of that.
It also will bring up recent documents such that if you have opened it in the recent history, and we show an example of this, those results will be displayed in the
actual search menu itself. Now this allowed us to get creative in that we could force certain files
and content to come up under the recent menu, which actually has different options than the
rest of the files presented in that search menu. And one of those options allows you to run it as PowerShell or as a script.
Really what this means for the average person is that instead of just opening an executable type of script in Notepad,
which is pretty benign and won't actually run the script,
we can actually run code or execute code from the application it was designed in.
And this was an intentional decision that Microsoft had made, which was to open script code in something like
Notepad, so it didn't actually execute. And you can test this on any computer today to make sure
it works. But with this bypass, we were able to achieve running a PowerShell script from PowerShell
itself, based on that confusion in the search
menu or the context menu from the lock screen. And so what this represented was a really powerful
and accurate way to run code. It wasn't quite arbitrary because we had to do a lot of work to
get there. And if you weren't an administrative user, it still required the user to interact with
the device, the authenticated user. But it did give us a way to start accessing
code and led us to the final phase of the research, which was true arbitrary code execution.
Yeah, so let's move on to that. Again, it gets even more interesting.
Yeah, this is an escalating attack, and that's typically how research goes. You find something
interesting and you peel back layers of the onion. And in this case, instead of getting more complex, the attack got even
simpler. What the final discovery was, and probably the most powerful and simplistic piece of this
entire attack, is that we can actually directly type PowerShell commands. And as soon as Windows
recognizes that it is a PowerShell command, it will go in the command window. And you can see in the blog an example of that where the researcher just types PowerShell,
gives it a console-based command to beep a couple of times.
And as soon as Windows recognizes that PowerShell command,
it is loaded in the command window and can be executed directly.
So this is really powerful, of course, because while that's just a proof of concept,
we took that one step further and put in a USB device, which had a custom PowerShell script to reset the user password on the machine.
Now, of course, this is something that you shouldn't be able to access and run directly from the lock screen ever, and that's where the vulnerability is.
But by using the search menu, we can actually browse to the directory where the USB is.
We can run the command in PowerShell and reset the keyboard and bringing up the context or search menu, and then runs the
PowerShell script directly from the USB device, where he unlocks the computer by logging in with
the new password that we created. So what this was essentially was a login bypass for every Windows
10 computer in its default configuration, fully patched at the time it was submitted. And this
represented one of the most powerful local attack vectors
that we've come across in a very long time.
Now, it does require that you have physical access to the machine, correct?
In most cases, yes.
We've certainly got examples where we could consider a remote attack vector.
And while we think that's unlikely that we'll see the remote attack vector exploited
publicly it's certainly possible and there's a couple of ways with this one is you can use the
cortana functionality remotely by doing a phone call or playing a youtube clip or something like
that to bring up the vocal assistant now that's not going to let you load a usb key and and run
arbitrary commands but it certainly could allow you to achieve some of the
info leak parts of the bug and retrieve other interesting information using that voice-based
assistant remotely. The other and maybe more relevant attack vector from a remote perspective
would be something like a remote desktop connection where you're on the same network as someone or
they've given you access to access the computer remotely
over something like RDP and you come to the lock screen. This is very typical within,
especially within an enterprise where computers are connected over RDP and a user could then,
instead of using vocal commands, they could actually use the click and say or tap and say
button, which is the equivalent of issuing vocal commands to
Cortana, but allows you to just use the mouse and keyboard or virtual mouse and keyboard to interact.
And again, despite not having physical access to the computer, we've shown you can execute
arbitrary PowerShell scripts even without needing to have that USB key there. So perhaps limited
functionality in what you can achieve versus local. That's certainly really interesting in even without needing to have that USB key there. So perhaps limited functionality
in what you can achieve versus local.
That's certainly really interesting
in being able to have some kind of a network aspect
to this vulnerability.
Now, has Microsoft patched this?
Microsoft has issued a statement
saying that they have mitigated the issue.
One of the statements from Microsoft
was for users to disable Cortana from the lock
screen, which I think is something that we made clear in the blog post as well. For those who
explicitly want to opt in to the service at the lock screen, they can do that. And we'd like to
see Microsoft make the default option having it disabled. But Microsoft has issued a patch for this vulnerability. Now, does Cortana allow you to voice print to a specific person?
In other words, if I want to have this functionality, if it's something that's useful, can I have it so where it will only recognize my voice?
Yes, there is an option within Windows and the Cortana settings to be able to learn from the user's voice, the primary user's voice.
And this is actually an interesting area for us that we're planning on doing some more research on.
How effective is it? Are there false positives that could allow access?
Is it an effective mitigation strategy? We're actually starting to look into that right now.
But for users who want to try to be more specific in the access vector from a vocal perspective, yes, this is an option. Again,
with the tap and type functionality, though, the audio portion of this vulnerability is really kind
of irrelevant. You don't actually need to issue audio commands to be able to do this bypass.
And as such, the tying Cortana to the individual's voice who's legitimate or who's authorized on the
computer is essentially irrelevant from a
vulnerability perspective. That's a really great insight. So what are your recommendations for
people to protect themselves against this? Well, first and foremost, this is maybe one of the
easiest fixes of all times in that you can simply uncheck the box from Windows that says enable
Cortana within the lock screen. So that's the ultimate fix. It turns it off.
We're looking to Microsoft to be able to potentially provide an effective patch where we'll do some testing and make sure that the issue is actually mitigated from the elimination of that context menu or that search menu,
potentially disabling the Cortana vocal assistant by default on the lock screen or something else potentially that we haven't suggested or worked with Microsoft on. So we'll stay tuned on that and we'll keep you posted on any updates from
a mitigation perspective. But luckily it is an easy fix for those who are paying attention.
Yeah, bear with me while I try to express the nuance of this question. Do you suppose that
this is the result of something functioning the way it was designed in an unexpected way,
or was this a functionality that was included in error? I think it's definitely the latter,
a functionality that was unanticipated or unexpected to be included. And with new technology
and really, you know, digital assistants are a relatively new technology.
You don't have the benefit of years of security research and disclosures such as we're starting to see now. And it's actually why we took interest in digital assistants as they begin to saturate
the market. They're starting to control all sorts of IoT devices and essentially act as a digital
gateway into, you know, home and business networks full of IoT devices. So they become a very
interesting access point into a larger attack surface. And as such, I just don't think that
the vendor probably noticed that this was possible from the lock screen. And this was definitely an
error in being able to access it. We'll be continuing to research both digital assistants
in general, as well as the concept of IoT gateways,
whether physical or digital assistance. We are continuing our research on Cortana and want to
give a shout out to the Israeli researchers who found the original bad USB bug and also submitted
this bug actually at the same time that we did. So great to see the industry as a whole kind of
coming together and looking for these issues. We'll be releasing some future information on Cortana as well and
stay tuned for updates there. But really, I think what we wanted to highlight here is don't take for
granted that everything is configured in a secure way. A lot of times the default options actually leave you more vulnerable
or increase the attack surface. And what we want to highlight is some of the easy tweaks and trivial
changes that end users can make to make their operating environment more secure.
Yeah. I have to say, I have a soft spot for Cortana, going all the way back to playing
Bungie games on the Mac, playing a game called Marathon,
which sort of led to the game Halo, where Cortana became known. But way back in the Marathon days,
Bungie did a great job of teasing those of us who are Marathon fans by having cryptic emails come
to the forums from Cortana, leaving us all wondering, what was this new thing? And what was
it? You know, there were rumors of this new thing and what was it, you know,
there were rumors of this new game coming that would eventually turn out to be Halo.
That's quite a throwback reference. I love it. Now you're speaking my language.
Yeah, it's funny. Before we spoke today, I actually went and looked it up because the
details were fuzzy and it goes back to the late 90s, you know, playing Marathon on our
25 megahertz Quadra 700s.
You know, it's funny.
I never made the connection, but it makes a lot of sense now.
I never went and looked at where the Cortana name came from besides,
obviously, I know the Halo reference, but learn something new every day.
Our thanks to Steve Pavolni from McAfee for joining us.
The research is titled, Want to Break into a Locked Windows 10 Device?
Ask Cortana.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io. Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
See you, Starside.