Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
Amichai Shulman is a cyber security researcher, entrepreneur and investor. Amichai carries 25 years of cyber security experience in military, government and commercial environments. He co founded Imperva in 2002 and served as CTO for the company over 15 years, driving innovation and thought leadership. Amichai presented in many conferences over the years including RSAC, Infosec and BlackHat. Amichai Shulman is currently an adviser and board member for a number of cyber security startup companies as well as teaching cyber security for under graduate college students and conducting independent research. Amichai holds B.Sc and M.Sc in Comptuer Science.
Ron Marcovich, 21, is a B.Sc. Software Engineering student at the Technion, Israel Institute of Technology. He will start his studies for M.Sc. in Computer Science next year. Ron is interested in the following fields: Information security, Internet Networks, Android Development, Operating Systems and Computers Architecture. His hobbies are aviation, science and technology.
Tal Be'ery is a Co-Founder of KZen Networks, securing crypto assets. Tal is a cyber-security researcher, returning speaker in the industry's most prestigious events, including Black Hat and RSA Conference, member of the Facebook's exclusive WhiteHat list. One of his most known works was the TIME attack against the HTTPS/SSL protocol. For the last 15 years, Tal had built and lead a few Cyber-Security R&D teams, mostly in the field of network monitoring for various security problems and protocols. Previously, Tal has led research for Aorato (acquired by Microsoft) as VP for Research. Tal holds M.Sc. and B.Sc degrees in CS/EE from Tel-Aviv University and a CISSP certification.
Yuval Ron is a B.Sc. student at the Technion, Israel Institute of Technology, and about to start his M.Sc. in Computer Science next year. He is an active member of the "Psagot" excellence program. Yuval's interests are cyber-security, computer networks, IoT and Android app development. Yuval is 21 years old, has a black belt in karate and is a great sports fan.