Two Israeli cyber-security experts have uncovered a serious Windows 10 security flaw, whereby the operating system’s voice assistant can be used to install malicious software.
Microsoft’s assistant Cortana can still be used while the PC is locked. The two found that by connecting a USB network adapter to the computer and engaging Cortana, they could direct the assistant to access unsafe web addresses and download malware to the device.
“We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network,” Amichai Shulman told the Vice Motherboard website.
The two Israelis also said one infected computer could then be used to infect many others, either over a network or by playing voice commands through its speakers to other nearby machines.
“So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another,” Tal Be’ery said. It “very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other.”
Microsoft has said it has fixed the issue following the two Israelis’ discovery by allowing Cortana to browse only through its Bing search engine while the screen is locked, and by preventing it from accessing non-secure websites.
But Be’ery and Shulman believe the voice assistant could still allow other security breaches, and are investigating the matter.