{"id":84353,"date":"2018-06-14T11:18:25","date_gmt":"2018-06-14T08:18:25","guid":{"rendered":"https:\/\/www.technion.ac.il\/blog\/students-expose-security-breach-in-microsofts-cortana\/"},"modified":"2018-06-14T11:18:25","modified_gmt":"2018-06-14T08:18:25","slug":"students-expose-security-breach-in-microsofts-cortana","status":"publish","type":"post","link":"https:\/\/www.technion.ac.il\/en\/blog\/students-expose-security-breach-in-microsofts-cortana\/","title":{"rendered":"Students Expose Security Breach in Microsoft’s Cortana"},"content":{"rendered":"

Technion Computer Science Students Discover Security Breach in Cortana – Microsoft’s Voice-Activated Virtual Assistant

The students, Yuval Ron and Ron Marcovich, supervised by Technion alumnus Amichai Shulman, found a way to access Cortana-locked computers. They immediately reported the vulnerability to Microsoft, which corrected it and is rewarding the students for their goodwill.

L-R: Ron Marcovich and Yuval Ron

Yuval Ron and Ron Marcovich, two third-year students in the Computer Science Faculty at Technion – Israel Institute of Technology, recently discovered a severe vulnerability in the security of Cortana, Microsoft’s virtual assistant, and promptly reported it to Microsoft’s Bounty Program. The two discovered the problem with Cortana as part of the undergraduate course Information Security Project, taught by Amichai Shulman, Tal Be’ery and Prof. Eli Biham, head of the Technion’s Hiroshi Fujiwara cyber security research center.

Cortana is a virtual assistant that allows users to operate their computer, smartphone or smartwatch using voice commands. Microsoft’s Israel-based R&D center was involved in the program’s original development before it was unveiled at Microsoft’s global developers’ conference in 2014.

In recent semesters, a number of student teams in the Technion Computer Science Faculty have worked on projects involving the security of virtual assistants. This past April, students Marcovich and Ron succeeded in breaching Cortana. They were able to take control of a locked computer and download an external file, enabling them to control all of the computer’s operations. They reported their findings to Microsoft, who were very grateful and immediately started working with them on a patch to protect against this form of attack. As of yesterday, the vulnerability has been repaired and it is no longer possible to access locked computers using Cortana in this way. Ron and Marcovich will receive a reward from Microsoft’s Bounty Program, and this August they will travel to the cyber security conference ‘Black Hat USA 2018’ in Las Vegas, where they will present the Cortana vulnerability.

The students’ discovery was groundbreaking since it was the first time that a voice interface was used to bypass security features in such a dangerous manner, enabling people who are not technologically savvy to breach computer security and obtain complete access to a locked computer. According to Shulman, this is the second time a security vulnerability of this sort has been discovered, but this one is the most dramatic.
The same vulnerability was reported independently to Microsoft by Cedric Cochin from McAfee.

