A pair of independent researchers yesterday uncovered a particularly worrisome security vulnerability in Microsoft’s Windows 10. If your PC’s OS was installed with default settings this could affect you.
The simple “hack” involves activating Cortana via voice command to open websites on a PC that’s been locked.
In the above video, you’ll notice the researcher issues the voice command and then unlocks the PC with their password. The vulnerability doesn’t allow a bad actor to unlock your computer, but with physical access to your system they could direct it to just about any website they wanted.
With access to your PC, specifically just your computer’s microphone, these “hackers” could cause it to visit malicious websites. They could even, potentially, hijack your processor for cryptocurrency mining or install malware.
And, as we’ve reported before, you can fool a voice assistant with noise that humans can’t hear. This kind of attack could, conceivably, happen in a crowded office full of people. The hacker would simply play an audio file from their phone – perhaps pretending to take a call or watch a video – and a nearby system could pick up the hidden message.
The scenario becomes even more concerning if the attacker has enough access/time to plug a USB drive/stick into the target PC. This combination of vulnerabilities could potentially allow a hacker to proliferate an attack against any computers connected to the same network. Yikes!
By default, your system probably has “use Cortana even when my device is locked” enabled. We highly suggest fixing this problem by taking the following steps:
If you’ve got the Cortana search bar on your task bar click it and then click the settings icon. (If you’ve removed the search bar just click the Windows start button and select “Cortana” from the menu, then choose the settings icon).
Next, scroll down to the “Lock Screen” section and turn off “use Cortana even when my device is locked.”
For added security you can disable “Let Cortana respond to “Hey Cortana,” which will require you to click on the microphone icon anytime you wish to use voice control.
We’ve reached out to Microsoft for comment and will update this story as necessary.