Students Expose Security Breach in Microsoft’s Cortana

Technion Computer Science Students Discover Security Breach in Cortana – Microsoft’s Voice-Activated Virtual Assistant

The students, Yuval Ron and Ron Marcovich, supervised by Technion alumnus Amichai Shulman, found a way to access Cortana-locked computers. They immediately reported the vulnerability to Microsoft, which corrected it and is rewarding the students for their goodwill.

L-R: Ron Marcovich and Yuval Ron

Yuval Ron and Ron Marcovich, two third-year students in the Computer Science Faculty at Technion – Israel Institute of Technology, recently discovered a severe vulnerability in the security of Cortana, Microsoft’s virtual assistant, and promptly reported it to Microsoft’s Bounty Program. The two discovered the problem with Cortana as part of the undergraduate course Information Security Project, taught by Amichai Shulman, Tal Be’ery and Prof. Eli Biham, head of the Technion’s Hiroshi Fujiwara cyber security research center.

Cortana is a virtual assistant that allows users to operate their computer, smartphone or smartwatch using voice commands. Microsoft’s Israel-based R&D center was involved in the program’s original development before it was unveiled at Microsoft’s global developers’ conference in 2014.

In recent semesters, a number of student teams in the Technion Computer Science Faculty have worked on projects involving the security of virtual assistants. This past April, students Marcovich and Ron succeeded in breaching Cortana. They were able to take control of a locked computer and download an external file, enabling them to control all of the computer’s operations. They reported their findings to Microsoft, who were very grateful and immediately started working with them on a patch to protect against this form of attack. As of yesterday, the vulnerability has been repaired and it is no longer possible to access locked computers using Cortana in this way. Ron and Marcovich will receive a reward from Microsoft’s Bounty Program, and this August they will travel to the cyber security conference ‘Black Hat USA 2018’ in Las Vegas, where they will present the Cortana vulnerability.

The students’ discovery was groundbreaking since it was the first time that a voice interface was used to bypass security features in such a dangerous manner, enabling people who are not technologically savvy to breach computer security and obtain complete access to a locked computer. According to Shulman, this is the second time a security vulnerability of this sort has been discovered, but this one is the most dramatic.
The same vulnerability was reported independently to Microsoft by Cedric Cochin from McAfee.