Cortana leaves Windows 10 vulnerable on locked devices
Wed 13 Jun 2018
Windows 10 users are at risk of their devices being accessed even when they are locked, because of a vulnerability in Cortana.
Researchers at McAfee discovered that Windows 10 users who have not applied the most recent updates could be leaving their devices at risk.
By activating Cortana, the Windows personal digital assistant, on a locked screen, either through a voice command or the ‘tap and say’ function, hackers can access files and change passwords on the device.
This is possible because when a user brings up Cortana on a locked screen, they can also type into the search bar if the timing is right. Typing too soon after verbally activating Cortana prompts for a password, and typing too late sends the assistant back to sleep.
But, with the correct timing, typing alongside speaking to Cortana will bring up a contextual menu, which allows significant access to the locked device.
The results presented in this contextual menu come from indexed files and applications. In some instances the content inside a file is also indexed, so simply hovering over an entry reveals its contents – for instance, passwords or other sensitive information.
Hey Cortana, let me in
A demo from McAfee researcher Cedric Cochin showed a password reset using this technique, together with a USB drive from which he executed a PowerShell (.ps1) payload.
McAfee acknowledged that access to a locked device can be restricted in some cases, because only some file types can be executed from the locked contextual menu while others cannot.
Nonetheless, given the right circumstances, and following simple instructions using Cortana and typing some simple commands, the researchers note that: ‘We now have local code execution with the payload of our choosing, without any exploit, even if the device is encrypted, on an up-to-date locked Windows 10 device.’
Users who have applied the most recent patch are protected from this vulnerability. For those who have not, the researchers recommend disabling Cortana on the lock screen.
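One way for an administrator to audit and enforce the recommended mitigation, as an added example that is not part of the article or of McAfee’s research. It assumes that the Group Policy setting ‘Allow Cortana above lock screen’ is backed by the DWORD value AllowCortanaAboveLock under the Windows Search policy key, with 0 meaning disabled; the function names are the example’s own.

```powershell
# Added audit/remediation example; not code from the article or from McAfee.
# Assumption: the "Allow Cortana above lock screen" policy is stored as the
# DWORD AllowCortanaAboveLock under the Windows Search policy key (0 = disabled).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$ValueName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured'. With no policy set the
    # Windows default applies, which on unpatched builds lets Cortana respond
    # above the lock screen, so 'NotConfigured' should be treated as exposed.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-CortanaAboveLock {
    # Writes the policy value; needs an elevated prompt because it touches HKLM.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 0 (disable Cortana above lock)')) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord
    }
}

# Usage: report the current state and remediate if Cortana is still reachable above the lock screen.
$state = Get-CortanaAboveLockState
Write-Host "Cortana above lock screen policy: $state"
if ($state -ne 'Disabled') {
    Disable-CortanaAboveLock -WhatIf   # remove -WhatIf to apply the change
}
```

Applying the policy is a stop-gap; installing the June 2018 update remains the fix the article describes.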
It is not a great day for people worried about cybersecurity, with Dixons Carphone also admitting to unauthorised access to 5.9 million card details on its systems.