Researchers at McAfee recently discovered code execution vulnerabilities in the default settings of the Cortana voice-activated digital assistant in Windows 10 systems.
Steve Povolny is head of advanced threat research at McAfee and he shares their findings.
The research can be found here.
Dave Bittner: [0:00:03] Hello, everyone, and welcome to The CyberWire's "Research Saturday," presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [0:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyberthreats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [0:01:02] And thanks also to our sponsor Enveil, whose revolutionary ZeroReveal Solution closes the last gap in data security, protecting data in use. It's the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search and perform calculations on sensitive data all without ever decrypting anything, all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Steve Povolny: [0:01:42] So Cortana is a - what we call a digital assistant or a voice-based assistant similar to Alexa, Google and a number of offerings that have come onto the market in the last few years.
Dave Bittner: [0:01:53] That's Steve Povolny. He's head of advanced threat research at McAfee. The research we're discussing today is titled "Want to Break Into a Locked Windows 10 Device? Ask Cortana."
Steve Povolny: [0:02:04] Essentially, she - I think we can say she - is a digital assistant for Windows devices default loaded onto Windows 10 devices and allows you to interact with the operating system to do a number of tasks from as simple as search and retrieve functionality to executing applications to just checking the weather or seeing what the scores are with your favorite sports team. And she's also used nowadays to connect to a number of different devices as well. And that's an interesting piece of research as well.
Steve Povolny: [0:02:36] Kind of why we started looking at digital assistants is the number of devices that they start to manage and control. And Cortana is a little bit more specific in that it's tied pretty exclusively to Windows at this time. But the enormous amount of functionality - and really, Windows let her off the leash a little bit in terms of what her capabilities were. And that's why we started looking into research on this platform.
Dave Bittner: [0:02:57] So with a standard Windows 10 install, what sort of things can Cortana do for you without unlocking the system?
Steve Povolny: [0:03:05] Well, when Windows 10 was first released, the security industry had a heyday because there was a number of default options that were less than satisfactory to your average security researcher. And these included openly sharing private information with public networks, networks keys and exchanging those and a number of default settings that really just didn't fly. This is a default setting, Cortana being enabled, of course, which is really something that most people wouldn't balk at. But it goes a little bit further in that Microsoft made the decision to enable Cortana from the lock screen itself. And of course, as I said the word Cortana, my computer started to respond because I've been doing so much testing on it. So it's very accurate at listening.
Steve Povolny: [0:03:48] But essentially, having Cortana enabled from the lock screen is probably a choice that should be opt-in for most users. And based on that, we wanted to understand whether there were any flaws or weaknesses or bypasses. And a set of Israeli researchers did some really interesting research called BadUSB, which led us down this path and allowed us to discover some options within Cortana at the lock screen that probably shouldn't have been presented. And that's exactly what Microsoft has addressed here.
Dave Bittner: [0:04:15] So it all begins with Windows indexing. Describe to us what's going on here. And how does that start the story?
Steve Povolny: [0:04:23] The indexing feature in Windows really just lets us understand a little bit more about what's going on behind the scenes. It's not directly related to the vulnerability itself, but indexing is what allows us to see within the search results for Cortana what we might have access to. And indexing can be as simple as the file name or properties and can be as deep as the contents of the file. And the reason that's interesting is we can actually predict or preview ahead of time from Windows indexing processes which documents we might be able to view contents of which could contain confidential or sensitive information, even from the lock screen.
Steve Povolny: [0:05:03] And if you have read the article, of course, you can see that from an unlocked screen, you have the same functionality within the search as you do from the lock screen using this bypass. One such functionality includes being able to type in the context menu or in the contextual search menu and actually retrieve contents based on your search from those indexed files. Now, that is actually a decision that Microsoft has made from the unlock screen. And you can imagine why it makes sense to be able to effectively search through the contents of your documents - but probably something that shouldn't be done when a user is locked out of the computer.
Dave Bittner: [0:05:41] So let's be explicit here. So you've got a locked machine. You gave a command to this digital assistant. What specifically do you say? And what information could be revealed?
Steve Povolny: [0:05:54] We went through a number of iterations and testing here. And the discovery credit actually goes to Cedric Cochin who is a researcher here at McAfee and was just playing around with the functionality of Cortana when he discovered that she will actually, while listening to a query from the lock screen, allow for keyboard input. And while Cortana is waiting to retrieve results or as you start to speak your query or type your query, you can actually bring up that contextual menu. And we went through a number of different iterations in that testing where, you know, we had thought it was a specific key sequence that brought up the context or search menu from the lock screen but ultimately discovered that pretty much just typing in the keyboard while you're querying - and we used the space character - allows you to bring up this search menu and kills off the voice-based search.
Steve Povolny: [0:06:41] Now, it'll be a little bit flaky in that sometimes Cortana audio will take back over and will kill off your search menu. But in that case, you can literally just hit the escape key and hit spacebar again, and you'll get that search window. It also is a little bit restrictive in that you can only tie it forwards, meaning you can't delete or backspace. So we use it as a typing trainer for our interns as well in that you have to repeat your commands, sometimes complicated PowerShell commands, without mistake in your spelling or making an error there. And if you do, you just hit escape and start over.
Steve Povolny: [0:07:13] But ultimately, what this allows you to do is achieve exactly the same functionality as you would using search commands or executing commands from within the unlocked computer. And some of the concerns that that brings up are highlighted in the blog, and that's exactly what we explored.
Dave Bittner: [0:07:32] Yeah, you've got some examples here of being able to pull up the contents of files that have names like passwords.txt. And so the actual passwords themselves could be revealed from the lock screen.
Steve Povolny: [0:07:44] Yeah. And typically, this would be - I would say that this is a flavor of the attack that is really interesting from an information leak perspective. And we actually expected that this would be possible as soon as we found this contextual, or search, menu. But what this allows you to do is read the plaintext of any file that has had its contents indexed, going back to our discussion earlier. And the demonstration that we used in there was just a Notepad file where we - you know, many people are in the habit of copying down, for example, their tax password or their login password of their bank. And a lot of folks will store that in plaintext in a document or just on the desktop, anywhere on the indexed drive.
Steve Povolny: [0:08:26] And we can use that knowledge to predict the types of search strings or search queries that will return those contents. Now, password is an obvious and easy kind of guess. But really, anything that we type here, where the content is indexed in the file, should return a result from that search menu in a lock screen. And password is just a great example because it makes sense to everyone. But it's certainly not limited to that scope. It's really anything that you can think of that might be sensitive and is indexed.
Dave Bittner: [0:08:53] So that's horrifying enough, but it gets worse (laughter).
Steve Povolny: [0:08:58] (Laughter) Yes, it does.
Dave Bittner: [0:08:59] You eventually come up with some ways to execute code. Walk us through this.
Steve Povolny: [0:09:05] So we looked at two different ways to execute code. And really, we didn't think that this was going to be possible. As Cedric was analyzing the information leak, the ability to pull sensitive information, what he started to find was, within that search menu, that contextual menu, the way that files and folders and content were returned to him were different based on how recently the document had been accessed, what the file extension was. And this led to a really unique discovery, which is Windows is predicting what kind of search query you're entering, what type of file you're trying to retrieve. And it's also looking at what the file extension or file type is. And it's going to present some options to you based off of that. It also will bring up recent documents such that, if you have opened it in the recent history - and we show an example of this - those results will be displayed in the actual search menu itself.
Steve Povolny: [0:10:04] Now, this allowed us to get creative in that we could force certain files and content to come up under the recent menu, which actually has different options than the rest of the files presented in that search menu. And one of those options allows you to run it as a PowerShell, as a script. Really, what this means for the average person is that instead of just opening an executable type of script in Notepad, which is pretty benign and won't actually run the script, we can actually run code or execute code from the application it was designed in.
Steve Povolny: [0:10:42] And this was an intentional decision that Microsoft had made, which was to open script code in something like Notepad so it didn't actually execute. And you can test this on any computer today to make sure it works. But with this bypass, we were able to achieve running a PowerShell script from PowerShell itself based on that confusion in the search menu - or the context menu from the lock screen. And so what this represented was a really powerful and accurate way to run code. It wasn't quite arbitrary because we had to do a lot of work to get there. And if you weren't an administrative user, it still required the user to interact with the device, the authenticated user. But it did give us a way to start accessing code and led us to the final phase of the research, which was true arbitrary code execution.
Dave Bittner: [0:11:27] Yeah. So let's move on to that. Again, it gets even more interesting.
Steve Povolny: [0:11:32] Yeah, this is an escalating attack, and that's typically how research goes. You find something interesting, and you peel back layers of the onion. And in this case, instead of getting more complex, the attack got even simpler. What the final discovery was - and probably the most powerful and simplistic piece of this entire attack - is that we can actually directly type PowerShell commands. And as soon as Windows recognizes that it is a PowerShell command, it will go in the command window. And you can see in the blog an example of that, where the researcher just typed PowerShell, gives it a console-base command to beep a couple of times. And as soon as Windows recognizes that PowerShell command, it is loaded in the command window and can be executed directly.
Steve Povolny: [0:12:16] So this is really powerful of course because, while that's just a proof of concept, we took that one step further and put a USB device, which had a custom PowerShell script to reset the user password on the machine. Now, of course, this is something that you shouldn't be able to access and run directly from the lock screen ever, and that's where the vulnerability is. But by using the search menu, we can actually browse to the directory where the USB is. We can run the command in PowerShell and reset the password and log in.
Steve Povolny: [0:12:45] So to bring it full circle, the researcher essentially puts a USB in the locked computer, brings up the Cortana search menu with a vocal or keyboard-based search, bypasses it by typing space on the keyboard and bringing up the context or search menu and then runs the PowerShell script directly from the USB device, where he unlocks the computer by logging in with the new password that we created. So what this was, essentially, was a login bypass for every Windows 10 computer in its default configuration, fully patched at the time it was submitted. And this represented, you know, one of the most powerful local attack vectors that we've come across in a very long time.
Dave Bittner: [0:13:25] Now, it does require that you have physical access to the machine, correct?
Steve Povolny: [0:13:31] In most cases, yes. We have certainly got examples where we could consider a remote attack vector. And while we think that's unlikely that we'll see the remote attack vector exploited publicly, it's certainly possible. And there's a couple of ways with this. One is you can use the Cortana functionality remotely by doing a phone call or playing a YouTube clip or something like that to bring up the vocal assistant. Now, that's not going to let you load a USB key and run arbitrary commands, but it certainly could allow you to achieve some of the info leak parts of the bug and retrieve other interesting information using that voice-based assistant remotely.
Steve Povolny: [0:14:08] The other - and maybe more relevant - attack vector from a remote perspective would be something like a remote desktop connection where you're on the same network as someone or they've given you access to access the computer remotely over something like RDP, and you come to the lock screen. This is very typical, especially within an enterprise where computers are connected over RDP. And a user could then - instead of using vocal commands, they could actually use the click and say or Tap and Say button, which is the equivalent of issuing vocal commands to Cortana but allows you to just use the mouse and keyboard or virtual mouse and keyboard to interact. And again, despite not having physical access to the computer, we've shown you can execute arbitrary PowerShell scripts even without needing to have that USB key there. So perhaps limited functionality in what you can achieve versus local but certainly really interesting in being able to have some kind of a network aspect to this vulnerability.
Dave Bittner: [0:15:09] Now, has Microsoft patched this?
Steve Povolny: [0:15:12] Microsoft has issued a statement saying that they have mitigated the issue. One of the statements from Microsoft was for users to disable Cortana from the lock screen, which I think is something that, you know, we made clear in the blog post as well. For those who explicitly want to opt in to this service at the lock screen, they can do that. And we'd like to see Microsoft make the default option having it disabled, but Microsoft has issued a patch for this vulnerability.
Dave Bittner: [0:15:41] Now, does Cortana allow you to voice print to a specific person? In other words, if I want to have this functionality, if it's something that's useful, can I have it so where it will only recognize my voice?
Steve Povolny: [0:15:53] Yes. There is an option within Windows and the Cortana settings to be able to learn from the user's voice, the primary user's voice. And this is actually an interesting area for us that we're planning on doing some more research on. How effective is it? Are there false positives that could allow access? Is it an effective mitigation strategy?
Steve Povolny: [0:16:11] We're actually starting to look into that right now. But for users who want to try to be more specific in the access factor from a vocal perspective - yes, this is an option. Again, with the tap-and-type functionality, though, the audio portion of this vulnerability is really kind of irrelevant. You don't actually need to issue audio commands to be able to do this bypass. And as such, the tying Cortana to the individual's voice who's legitimate or who is authorized on the computer is essentially irrelevant from a vulnerability perspective.
Dave Bittner: [0:16:43] Oh, that's a really great insight. So what are your recommendations for people to protect themselves against this?
Steve Povolny: [0:16:49] Well, first and foremost, this is maybe one of the easiest fixes of all times in that you can simply uncheck the box from Windows that says enable Cortana within the lock screen. So that's the ultimate fix. It turns it off. We're looking to Microsoft to be able to potentially provide an effective patch where we'll do some testing and make sure that the issue is actually mitigated from the elimination of that context menu or that search menu, potentially disabling the Cortana vocal assistant by default on the lock screen or something else, potentially, that we haven't suggested or worked with Microsoft on. So we'll stay tuned on that, and we'll keep you posted on any updates from a mitigation perspective. But it is - luckily, it is an easy fix for those who are paying attention.
Dave Bittner: [0:17:31] Yeah. Bear with me while I try to express the nuance of this question. Do you suppose that this is the result of something functioning the way it was designed in an unexpected way, or was this a functionality that was included in error?
Steve Povolny: [0:17:49] I think it's definitely the latter, a functionality that was unanticipated or unexpected to be included. And with new technology - and really, you know, digital assistants are a relatively new technology - you don't have the benefit of years of security research and disclosures such as we're starting to see now. And it's actually why we took interest in digital assistants as they began to saturate the market. They're starting to control all sorts of IoT devices and essentially act as a digital gateway into, you know, home and business networks full of IoT devices.
Steve Povolny: [0:18:21] So they become a very interesting access point into a larger attack surface. And as such, I just don't think that the vendor probably noticed that this was possible from the lock screen. And this was definitely an error in being able to access it. We'll be continuing to research both digital assistants in general as well as the concept of IoT gateways, whether physical or digital assistants. We are continuing our research on Cortana and want to give a shout-out to the Israeli researchers who found the original BadUSB bug and also who submitted this bug, actually, at the same time that we did. So great to see the industry as a whole kind of coming together and looking for these issues.
Steve Povolny: [0:19:03] We'll be releasing some future information on Cortana as well, and stay tuned for updates there. But really, I think what we wanted to highlight here is, don't take for granted that everything is configured in a secure way. A lot of times, the default options actually leave you more vulnerable or increase the attack surface. And what we want to highlight is some of the easy tweaks and trivial changes that end users can make to make their operating environment more secure.
Dave Bittner: [0:19:33] Yeah. I have to say I have a soft spot for Cortana going all the way back to playing Bungie games on the Mac, playing a game called "Marathon," which sort of led to the game "Halo," where Cortana became known. But way back in the "Marathon" days, Bungie did a great job of teasing those of us who were "Marathon" fans by having cryptic emails come to the forums from Cortana, leaving us all wondering - what was this new thing? And what was - you know, there were rumors of this new game coming that would eventually turn out to be "Halo." But...
Steve Povolny: [0:20:07] That's quite a throwback reference. I love it. Now you're speaking my language.
Dave Bittner: [0:20:10] Yeah, it's funny. Before we spoke today, I actually went and looked it up because the details were fuzzy. And it goes back to the late '90s, you know, playing "Marathon" on our 25 megahertz Quadra 700s (laughter).
Steve Povolny: [0:20:22] You know, it's funny. I never made the connection, but it makes a lot of sense now. I never went and looked at where the Cortana name came from besides - obviously, I know the "Halo" reference. But you learn something new every day.
Dave Bittner: [0:20:36] Our thanks to Steve Povolny from McAfee for joining us. The research is titled "Want to Break Into a Locked Windows 10 Device? Ask Cortana."
Dave Bittner: [0:20:45] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber. And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com
Dave Bittner: [0:21:01] The CyberWire "Research Saturday" is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Bob: [0:21:28] See you starside.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The Hewlett Foundation makes grants to proactively define, research and manage the burgeoning intersections between people and digital technologies. The Cyber Initiative seeks to cultivate a field that develops thoughtful, multidisciplinary solutions to complex cyber challenges and catalyzes better policy outcomes for the benefit of society. Learn more at hewlett.org/cyber.
Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.