Open Sesame: Picking Locks with Cortana, by Amichai Shulman
Voice Control Technology, by Deral Heiland
Many new devices try to fit into our lives seamlessly. There's a quest for a "universal access method" for all devices. Voice activation seems to be a natural candidate, and many implementations of it have surfaced recently. A few notable examples are Amazon's Alexa, Google's Assistant and Microsoft's Cortana.
The problem starts when these "universal" access methods, aimed at maximal comfort, meet the very "specific" use case of the enterprise environment, which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on mobile and IoT devices, but also on enterprise computers, as it comes enabled by default with Windows 10 and is ready to respond to users' commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows 10 machine by combining voice commands and network fiddling to deliver a malicious payload to the machine.
This presentation reveals the "Open Sesame" vulnerability, a more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. By exploiting the "Open Sesame" vulnerability, attackers can view the contents of sensitive files, browse arbitrary web sites, and download and execute arbitrary executables from the Internet.
We conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.