One of the most basic steps a computer user can take to secure their system against someone with physical access to it is to configure it to password-lock after an interval of inactivity. This prevents nosy office colleagues and Starbucks patrons from peering at your screen when you step away, and also helps protect against most "evil maid" attacks—where a malicious hotel worker, airport security agent, or someone else with brief access to your machine plugs a malicious USB stick into it to implant spyware.

But two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems.

Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https—that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

"We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it."

"We start with proximity because it gives us the initial foothold in [a] network," Shulman told me in a call. "We can attach the computer to a network we control, and we use voice to force the locked machine into interacting in an insecure manner with our network."

The attacker can also connect the targeted computer to a Wi-Fi network the attacker controls. An attacker can do this by simply clicking on the chosen network with the mouse, even when the computer is locked.

"One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," he notes. The researchers plan to present their findings this Friday at the Kaspersky Analyst Security Summit in Cancun.

Voice-command systems like Cortana and Siri have made computer tasks simple and quick, without the annoying need to type every command into a keyboard or maneuver and click a mouse. But with ease of use comes new ways for hackers to seize control of computers and smartphones.

In Windows 10, the default setting tells Cortana to respond to any voice calling "Hey Cortana," even when the computer is locked. An alternate setting tries to limit this to just the computer owner by telling Cortana to "try to respond only to me." With this setting, the user provides voice-command samples to help the virtual assistant fingerprint and recognize it.

The attack Be'ery and Shulman designed works because Cortana allowed direct browsing to web sites, even when a machine was locked—or at least it did until Microsoft fixed the problem after the researchers disclosed it to the company.

Although anyone in the vicinity of a voice attack might hear someone issuing verbal commands to Cortana, this wouldn't be the case if the attacker employed a technique developed by Chinese researchers last year called the DolphinAttack. This technique uses silent, covert ultrasound commands sent to a computer in frequencies that a computer microphone can detect but not the human ear. They successfully tested the technique on all of the top voice-command systems, including Siri, Google Now, Cortana, and Alexa.

Once an attacker compromises a Cortana machine, per Be'ery and Shulman's technique, and has this initial foothold, he or she can use the same concept to amplify the attack and move laterally to infect other computers in a room where that computer resides or on a local network.

"It's interesting if it's to abuse a locked computer, but if it requires physical proximity or physical access, it's less interesting, of course," says Shulman. "It's more interesting if it can be done remotely."

They would do this by downloading malware to the initial machine that allows them to do ARP poisoning—a method that tricks other machines on a local network into sending traffic through a machine the attacker controls. Be'ery and Shulman created a proof-of-concept tool they call Newspeak or "Fake News" Cortana that monitors all Cortana requests and responses on every machine on a network. If a user tells Cortana to go to CNN.com, the attacker's malicious proxy intercepts this and directs them to a malicious page instead, where they get infected.

"[It] very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other."

An attacker could also force a Cortana session on other machines by playing a sound file over the infected computer's speakers that tells the Cortana agent on those machines to launch their browsers and visit a web site—a session that then gets intercepted and redirected by the Newspeak tool.

"So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another," Be'ery says. "[It] very much could be like a Hollywood movie where everyone is asleep and no one is in the office and the computers come to life and are shouting at each other."

Microsoft fixed the issue Be’ery and Shulman found by forcing all browsing done through Cortana and a locked machine to go to its Bing search engine instead of directly to a web page. But the researchers say Cortana still responds to other commands when locked, and they're currently researching what else they might get Cortana to do in a locked state.

The researchers say the Cortana flaw highlights an ongoing problem with new interfaces software makers introduce without understanding the security issues they can create. They say it's only a matter of time before new command interfaces that use things like hand gestures, instead of voice commands, become available that could open systems to the same kinds of attacks.