Security Vulnerability in the Cortana-Alexa Partnership Demonstrates Lock Screen Bypass
Student at the Computer Science Department of the Technion – Israel Institute of Technology has uncovered a significant cybersecurity risk at the interface between the voice-controlled digital assistants of Microsoft and Amazon
A previously unknown security vulnerability in the partnership between voice assistants of Microsoft and Amazon has been revealed by Technion graduate student Yuval Ron and his co-supervisor Amichai Shulman of the Faculty of Computer Science.
“The two companies have created an innovative integration between their voice assistants, which enables the launch of Amazon’s Alexa through Cortana on Windows 10 devices, even when they are in locked mode. For example, Cortana users can talk to Alexa and make online purchases through their Amazon account using voice commands,” says Shulman.
“However, we discovered that this interface also supports the capability of donating thousands of dollars to an arbitrary charity. The danger, of course, is that attackers with physical access to someone’s locked PC could ‘donate’ to themselves without the user’s knowledge.”
But that’s not the only security threat, says Yuval Ron, a graduate student supervised by Prof. Eli Biham head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion and Amichai Shulman. “We encountered another problematic scenario during the sign-in stage,” he says. “When a Cortana user needs to sign into Alexa, the connection was implemented by opening a customized Internet Explorer browser over the locked screen. Such a sign-in mechanism allows attackers to easily manipulate the browser to navigate to malicious websites. If the browser stored cached credentials, the attackers can also hack into the user’s social accounts, like Facebook and Twitter.”
Ron and Shulman reported these security issues to Microsoft on September 1, 2018, and the company fixed it by a server update removing. They removed Alexa from the locked screen, on September 24, 2018.
However, the researchers continued to investigate Cortana and found additional vulnerabilities in its integrations with other platforms such as Spotify. “The connection between Cortana and other platforms expands the attack surface of the locked device, and as we have shown, this surface can be exploited,” says Shulman. As a response to these additional reports by the researchers,
Microsoft decided to disable almost all of Cortana’s skills over the locked screen. It has re-enabled only the skills that have been proven to be safe above the lock.
On June 24, 2019, Ron and Shulman presented their findings in a talk called “Alexa and Cortana in Windowsland”, at the BSidesTLV 2019 conference as part of the CyberWeek events at Tel-Aviv University.
This is not the first time that Technion researchers have raised concerns about security issues in voice assistants. In 2018, Technion students exposed a security vulnerability (CVE-2018-8140) in Cortana. The attack they demonstrated was unprecedented because the students used a voice interface to take over a locked machine. Microsoft fixed the vulnerability based on the information received from the Technion.
This attack on Cortana was created by Yuval Ron and Ron Marcovich, students at the Technion’s Computer Science Department, guided by Amichai Shulman and Prof. Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, and with the assistance of security expert Tal Be’ery. The students were invited to present their discovery at Black Hat 2018 – one of the largest security conferences in the world.