Hacking Windows with Cortana is not so serious

For people who deal with security, hacking Windows through a voice assistant is nothing new. The prospect of using Cortana to run malicious code despite the lock screen reinforces the belief that built-in security mechanisms are sometimes inadequate. In addition, carrying out such an attack usually requires physical access to the device, which is not so simple. In the case below, even if the user is facing a previously unseen attack vector, the malicious software itself is distributed in a predictable manner, and many systems that examine network traffic for malicious activity will detect the presented attack without the slightest problem.

Hacking Windows voice command

Israeli researchers have discovered a way to bypass the built-in security of Windows 10 using the Cortana voice assistant. The attack relies on the age-old technique of ARP Poisoning, which allows packets containing fake MAC addresses to be sent to other computers on the local network. Thanks to a USB adapter connected to a laptop running Windows 10, they could intercept the Windows 10 machine's Internet traffic and redirect an address requested by voice, the domain " hxxt://cnn.com ", to a page containing malicious software. That page was hard-coded in the adapter configuration (an Internet address such as " hxxp://fakemaliciouswebonline.com/hg8nyjiyk " would be impractical to dictate to a voice assistant). With the additional network adapter poisoning the ARP tables of all computers on the LAN, the attacker is not limited to a single device. Other devices on the same network can be infected in the same way, on condition that they run Windows 10 with the Cortana assistant.

The attack also relies on another malware distribution technique: drive-by download. The infecting website could contain a malicious payload that runs on the victim's computer through a vulnerability in the browser (in this context, the browser itself or one of its installed extensions) and then installs malware or gives the attacker remote access to the machine. The whole attack is difficult to carry out, but ...

ARP Poisoning attacks and drive-by download

These attacks are detected quite well by the most reputable antivirus software. The researchers' way of fooling the security (if it was carried through to the end) had to be performed in a controlled environment, probably with the SmartScreen option turned off and with the built-in Windows Defender software. We do not know the technical details, the tools used, or the Windows 10 configuration (these will be presented tomorrow at the Kaspersky Analyst Security Summit conference), so we base our analysis on the most likely theory.

Hacking Windows

The attack can be carried out; however, the attacker must at least gain access to the device or be within range of the wireless network (because only then can he intercept and redirect Internet traffic), and even then success in installing malicious software is not guaranteed if the endpoint is properly protected.

Intercepting traffic and redirecting the system to a malicious website in order to download malicious software can be stopped by the built-in safeguard mechanisms or by an external security product, necessarily one with an integrated firewall that can detect ARP Poisoning attacks. Even the Comodo, ESET and Quick Heal products, which we recently reviewed, could effectively block the technique presented by the researchers before the malicious website loads.

Recently the Windows Hello authentication was defeated using an ordinary home color laser printer and a low-resolution 340x340-pixel photo, so the use of Cortana and ARP Poisoning attacks to run malicious code should not come as a surprise. In fact it confirms the belief that everyone and everything can (sooner or later) be hacked, despite assurances from the manufacturer, who has repeatedly pointed out that Windows 10 is more resistant to attacks than previous versions.


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.