SlideShare a Scribd company logo

Open Sesame: Picking Locks with Cortana

Tal Be'ery
Tal Be'ery

Cortana has several components that could be exploited by attackers to compromise systems or retrieve sensitive information: 1. The Cortana agent on devices is powerful and can accept input even when screens are locked, allowing commands through the "Open Sesame" vulnerability. 2. Cortana's voice actions could be used to invoke unsafe browsing on locked screens through the "Voice of Esau" attack, potentially leading to remote code execution. 3. Third-party Cortana skills could be authorized on locked screens, allowing the invocation of skills with malicious payloads through the "Skill of Death" scenario. Proper design is needed to secure new interfaces like Cortana, as adding capabilities to locked screens

Software
1 of 57
Download to read offline
Open Sesame: Picking Locks with Cortana Ron Marcovich, Yuval Ron, Amichai Shulman, Tal Be'ery 1
Amichai Shulman • Independent Security Researcher • Advisor for multiple cyber security start up companies • Former CTO and Co-Founder of Imperva • Blackhat, RSA, Infosec speaker • @amichaishulman Tal Be’ery • Co-Founder @ Kzen Networks • Formerly VP Research @Aorato (Acquired by Microsoft), Imperva, Singtel Innov8 VC • Blackhat, RSA, SAS speaker • @talbeerysec 2 Who are we?
Also Featuring… Yuval Ron Twitter: @RonYuval LinkedIn: ronyuval Ron Marcovich Twitter: @RonMarcovich LinkedIn: ronmarcovich B.Sc. Software Engineering students at the Technion, Israel Institute of Technology. Both will start their M.Sc. In Computer Science this year. 3
Agenda • Understanding Cortana • What is it, how does it work and key elements • Attacking Cortana on all fronts • Cortana agent: Open Sesame (CVE-2018-8140) • Cortana actions: The voice of Esau • Cortana cloud: Malicious skills • Protecting against Cortana attacks • Voice Firewalls: NewSpeak • Summary and Conclusions 4
Understanding Cortana 5
What is Cortana? • "Your intelligent assistant across your life." • Translate human intent into computer actions • Retrieve data • Browse the web • Launch programs 6
What is Cortana? • Multi-platform: Mobile, PC, devices • Multi inputs (“intents”): keyboard, mouse, voice, touch, … 7
Cortana Architecture 8 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot)
Cortana Architecture - Example 9 Cortana Service Speech to Text Text to Intent (Action) Action Provider (Azure Bot) Internet 3rd party web service Cortana Client Speech Who is George Washington Who is George Washington Search Query = “George Washington” Card data Speech Who is George Washington Resolve! Action Provider (Azure Bot) Intent to Card (Azure Bot) Search Query = “George Washington”
Cortana Agent • Very fat Client • Can do a lot of stuff! • Merely an execution engine • Exposes a powerful Javascript API • Works on a locked devices • By Default! • SpeechRuntime.exe listens for “Hey Cortana” • SearchUI.exe has the “Cortana Logic” 10
Cortana Cloud Service • Processing and decision making is done in the cloud • Two phases • Audio processing – Speech to Text • wss://websockets.platform.bing.com/ws/cu/v3 • Binary + JSON • Semantic processing – Text to Intent & Intent to Card • https://www.bing.com/speech_render - GET request, HTML response • https://www.bing.com/DialogPolicy - GET / POST request, Javascript response • Machine Learning • Improve speech recognition • Extend intent resolution capabilities 11
Audio Processing Phase Client Server Connection.context(JSON) Audio stream (BIN) IntermediateResult (XML) Audio stream (BIN) IntermediateResult (XML) Audio stream (BIN) Audio.stream.hypothesis PhraseResult (XML) 12
Semantic Processing Phase 13
Cortana Skills • Cortana can be extended with cloud based “skills” • A Skill is an Azure bot registered to the Cortana channel • Receive all user input after an invocation name • Interacts with the Cortana client using Cards that include voice, text and LIMITED COMMANDS 14
Cortana Skills 15
• Fat client executes on locked screen • Many possible actions • Action choice by cloud logic • Can be changed without any apparent sign on the device • Might depend on Machine Learning • Choice of action can be affected by unknown 3rd parties Summary 16
17
Putting Murphy to Work • Set up a research project with the Technion • Undergraduate students exploring different aspects of the system • Some avenues we explored • Local input to Cortana • Intents that invoke exploitable actions • Intents that retrieve malicious content • Capabilities of 3rd party Cortana skills 18
Attacking Cortana 19 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through lock screen Malicious skills Bad content provider
Open Sesame 20
CVE-2018-8140 (Open Sesame) 21 Grabbing Information
CVE-2018-8140 (Open Sesame) 22 Taking over
Open Sesame: Attack Model • Impact: • by Abusing The “Open Sesame” vulnerability, “Evil Maid” attackers can gain full control over a locked machine • Evil Maid attack model: • Attackers have physical access for a limited time, but the Computer is locked • Why it’s called Evil Maid? • Think of the laptop you left in your room last night when you went out… • But also borders control, computers in the office during breaks and night, … • But isn’t that exactly what Locked Screen suppose to stop? 23
Lock Screen: You Had One Job • Lock Screen is not magic! • Lock Screen is merely another “Desktop” ( Winlogon desktop ) with very limited access • The security stems from the reduced attack surface • If Microsoft adds more apps on Lock Screen: The attack surface expands → security is reduced 24
Lock Screen Evolution : Then 25
Lock Screen Evolution: Now 26
“Open Sesame” Root Cause • Lock screen restricts keyboard, but allows Cortana invocation through voice • Once Cortana is invoked, the Lock Screen no longer restricts it • Cortana is free to accept input from the keyboard too • The fix: Make Cortana Search UI state aware. Different behavior when the UI is locked • Shift of responsibility: • In the past, the OS made sure the UI is not accessible when computer is locked, therefore developers do not need to think about it. • Now, it’s the developers’ responsibility 27
Disclosure Timeline 16 APR 18: We report CVE-2018- 8140 to MS 23 APR 18: McAfee reports CVE-2018- 8140 to MS 12 JUN 18: MS patch (Very quick + Bug Bounty!) 26 JUN 18: We report CVE-2018- 8369 to MS 28
“Open Sesame” Summary • Impact: Evil Maid Attackers can gain full control on a locked machine • The fix is • Tactical: making Cortana Search aware of UI state • Not Strategical: Cortana still gets keyboard input and launches processes from a locked screen in some other scenarios • There are more where it came from: CVE-2018-8369 • Design lessons: Adding more capabilities to Lock Screen is very tempting, but dangerous 29
Cruel Intentions: The Voice of Esau 30
Attacking Cortana: Cruel Intentions 31 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through Lock Screen
Voice of Esau Attack • Evil Maid Attack (First presented in Kaspersky SAS 2018) • Attackers: 1. Achieve Man-in-the-Middle position: Plug into the network interface 2. Use Cortana on locked screen to invoke insecure (Non-HTTPS) browsing 3. Intercept request, respond with malicious payload • Exploit browser vulnerabilities • Capture domain credentials 32
The VOE Attack - Evil Maid (Local) I’m in! but the computer is locked! Hi Cortana! Go to bbc.com Browse http://www.bbc.com I’m BBC and here’s my malicious payload! http://www.bbc.com 33
The VOE Attack Demo 34
VOE Attack – Lateral movement • Use initial compromise to install agent on compromised machine • Achieve Man-in-the-Middle position • Some local routing attack: e.g. ARP spoofing • Invoke Cortana insecure browsing • Play sound file – “GOTO BBC DOT COM” • RDP (Remote Desktop Protocol) sound file to target • NLA must be disabled for it to work • Intercept traffic of targeted machines and compromise, as in before. 35
RDP: A Silent Killer 36
Cortana over RDP Demo 37
VOE Disclosure Timeline 16 JUN 17: We report VOE to MS 29 JUN 17: MS Cloud patch (no CVE) 8 MAR 18: Our talk @ Kaspersky SAS 25 JUN 18: We report CVE-2018- 8271 (and more) to MS 38
The Voice of Esau • Impact: Evil Maid or even remote attacker can invoke unsafe browsing on a locked machine. Using additional vulns attacker can gain full control • The fix is • Tactical: making Cortana cloud aware of UI state and safely Bing instead of direct browse in certain scenarios • Not Strategical: Cortana may still allow unsafe browsing in some other scenarios • There are more where it came from: CVE-2018-8271 (and more) • Design lessons: Adding more capabilities to Lock Screen is tempting but dangerous 39
Skill of Death 40
Skill of Death • VOE attack took advantage of existing intent resolution mechanisms • What about adding our own interpretation mechanism? • Skills interact with client through cards • Cards have “limited functionality” 41
Navigate to an attacker controlled server Open malicious MS Office document Skill of Death – Limited Functionality 42
Skill of Death 43
Skill of Death • How can attacker invoke a “malicious” skill? • Invoking a new skill on a machine requires user consent • Cortana Skill can be invoked and granted consent from locked screen! 44
Skill of Death 45
Skill of Death • Timeline • Authorization of skills in locked screen detected March 2018 • Guy Feferman and Afik Friedberg of The Technion, Israel • Takeover methods detected June 2018 • Natanela Brod and Matan Pugach of the Technion, Israel • Fixed on June 25th 2018 • Fixed in the cloud • No formal announcement of fix • Skills can no longer be INVOKED (authorized or not) from locked screen • Adding functionality on locked screen is a slippery slope • Soon you find yourself allowing NON Microsoft code to run over locked screen 46
Protection 47
Preventing Voice Attacks: Speaker Identification • Respond only to me • “try” doesn’t sound very reassuring • “Hey Cortana” can be easily recorded • Can be subverted, see other talk 48
Preventing Voice Attacks: Compensating Controls Take 1 • Take 1: Put a security Microphone on each room? • Disadvantages: • Privacy • Cost • Audio directionality • Audio semantics • Not all attacks are audible • Detection only 49
Preventing Voice Attacks: Compensating Controls Take 2 • NewSpeak: a Network-based Intercepting proxy • TLS/SSL certificate must be installed on monitored devices • In many organization already exists for web gateway monitoring, DLP • Can monitor all Cortana requests and responses • Origin details: IP, computer name, user, UI State, etc. • Request audio and Text to Speech results • Intents and Action cards • Can block or modify all Cortana requests and responses • Much better than previous suggestion: Centrally located, does not rely on audio analogic capture, can mitigate not just detect 50
Network monitoring with NewSpeak 51 I’m the NewSpeak Proxy Hi Cortana! Go to cnn.com Browse http://www.cnn.com Browse http://www.foxnews.com
NEWspeak: DEMO 52
Summing up 53
Summary: Attacking Cortana 54 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through Lock Screen Malicious skills Bad content provider
Takeaways: Defenders • For the time being: • Disable Cortana voice in corporate environments • Or at least on locked screen • Reconsider when compensating controls are there • “voice firewall”: If voice becomes mainstream, considering specialized solutions is a must for corporate adoption 55 https://www.pcgamer.com/how-to-disable-cortana/
Takeaways: Builders & Breakers • New interfaces are much more than “just an interface” • When introducing innovative concept into existing environments • Secure Coding is not enough • We need Secure System Engineering • We found 3 different CVEs and numerous issues that enables attackers to bypass the lock screen 56
Questions? 57

Recommended

Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareSam Bowne
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 

Recommended

Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
CNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareCNIT 128 5: Mobile malware
CNIT 128 5: Mobile malwareSam Bowne
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSSam Bowne
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applicationseightbit
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat Security Conference
 
CS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityCS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityRick Patterson
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
Internet security
Internet securityInternet security
Internet securityAntony Mathew
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 

More Related Content

What's hot

Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101wireharbor
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Kuba Břečka
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 

What's hot (11)

Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
Mobile Security Assessment: 101
Mobile Security Assessment: 101Mobile Security Assessment: 101
Mobile Security Assessment: 101
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of Things
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
 
Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]Dark Side of iOS [SmartDevCon 2013]
Dark Side of iOS [SmartDevCon 2013]
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 

Similar to Open Sesame: Picking Locks with Cortana

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
CS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityCS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityRick Patterson
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Stephen Abram
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019Yuval Ron
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 

Similar to Open Sesame: Picking Locks with Cortana (20)

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
 
CS155 Computer Security at Stanford University
CS155 Computer Security at Stanford UniversityCS155 Computer Security at Stanford University
CS155 Computer Security at Stanford University
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
Internet security
Internet securityInternet security
Internet security
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 

More from Tal Be'ery

Give me some (key) space!
Give me some (key) space!Give me some (key) space!
Give me some (key) space!Tal Be'ery
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
 
Understanding Compound‘s Liquidation
Understanding Compound‘s LiquidationUnderstanding Compound‘s Liquidation
Understanding Compound‘s LiquidationTal Be'ery
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
The Color of Money
The Color of MoneyThe Color of Money
The Color of MoneyTal Be'ery
 
Automate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityAutomate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityTal Be'ery
 
The Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementThe Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementTal Be'ery
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersTal Be'ery
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach AnalysisTal Be'ery
 
Battlefield network
Battlefield networkBattlefield network
Battlefield networkTal Be'ery
 
Client sidesec 2013-intro
Client sidesec 2013-introClient sidesec 2013-intro
Client sidesec 2013-introTal Be'ery
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non jsTal Be'ery
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injectionTal Be'ery
 
One Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareOne Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareTal Be'ery
 
Skeleton key malware detection owasp
Skeleton key malware detection owaspSkeleton key malware detection owasp
Skeleton key malware detection owaspTal Be'ery
 

More from Tal Be'ery (15)

Give me some (key) space!
Give me some (key) space!Give me some (key) space!
Give me some (key) space!
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
 
Understanding Compound‘s Liquidation
Understanding Compound‘s LiquidationUnderstanding Compound‘s Liquidation
Understanding Compound‘s Liquidation
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEM
 
The Color of Money
The Color of MoneyThe Color of Money
The Color of Money
 
Automate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes CybersecurityAutomate or Die: How Automation Reshapes Cybersecurity
Automate or Die: How Automation Reshapes Cybersecurity
 
The Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementThe Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral Movement
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach Analysis
 
Battlefield network
Battlefield networkBattlefield network
Battlefield network
 
Client sidesec 2013-intro
Client sidesec 2013-introClient sidesec 2013-intro
Client sidesec 2013-intro
 
Client sidesec 2013 - non js
Client sidesec 2013 - non jsClient sidesec 2013 - non js
Client sidesec 2013 - non js
 
Client sidesec 2013 - script injection
Client sidesec 2013 - script injectionClient sidesec 2013 - script injection
Client sidesec 2013 - script injection
 
One Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key MalwareOne Key to Rule Them All: Detecting the Skeleton Key Malware
One Key to Rule Them All: Detecting the Skeleton Key Malware
 
Skeleton key malware detection owasp
Skeleton key malware detection owaspSkeleton key malware detection owasp
Skeleton key malware detection owasp
 

Recently uploaded

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Recently uploaded (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

Open Sesame: Picking Locks with Cortana

  • 1. Open Sesame: Picking Locks with Cortana Ron Marcovich, Yuval Ron, Amichai Shulman, Tal Be'ery 1
  • 2. Amichai Shulman • Independent Security Researcher • Advisor for multiple cyber security start up companies • Former CTO and Co-Founder of Imperva • Blackhat, RSA, Infosec speaker • @amichaishulman Tal Be’ery • Co-Founder @ Kzen Networks • Formerly VP Research @Aorato (Acquired by Microsoft), Imperva, Singtel Innov8 VC • Blackhat, RSA, SAS speaker • @talbeerysec 2 Who are we?
  • 3. Also Featuring… Yuval Ron Twitter: @RonYuval LinkedIn: ronyuval Ron Marcovich Twitter: @RonMarcovich LinkedIn: ronmarcovich B.Sc. Software Engineering students at the Technion, Israel Institute of Technology. Both will start their M.Sc. In Computer Science this year. 3
  • 4. Agenda • Understanding Cortana • What is it, how does it work and key elements • Attacking Cortana on all fronts • Cortana agent: Open Sesame (CVE-2018-8140) • Cortana actions: The voice of Esau • Cortana cloud: Malicious skills • Protecting against Cortana attacks • Voice Firewalls: NewSpeak • Summary and Conclusions 4
  • 6. What is Cortana? • "Your intelligent assistant across your life." • Translate human intent into computer actions • Retrieve data • Browse the web • Launch programs 6
  • 7. What is Cortana? • Multi-platform: Mobile, PC, devices • Multi inputs (“intents”): keyboard, mouse, voice, touch, … 7
  • 8. Cortana Architecture 8 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot)
  • 9. Cortana Architecture - Example 9 Cortana Service Speech to Text Text to Intent (Action) Action Provider (Azure Bot) Internet 3rd party web service Cortana Client Speech Who is George Washington Who is George Washington Search Query = “George Washington” Card data Speech Who is George Washington Resolve! Action Provider (Azure Bot) Intent to Card (Azure Bot) Search Query = “George Washington”
  • 10. Cortana Agent • Very fat Client • Can do a lot of stuff! • Merely an execution engine • Exposes a powerful Javascript API • Works on a locked devices • By Default! • SpeechRuntime.exe listens for “Hey Cortana” • SearchUI.exe has the “Cortana Logic” 10
  • 11. Cortana Cloud Service • Processing and decision making is done in the cloud • Two phases • Audio processing – Speech to Text • wss://websockets.platform.bing.com/ws/cu/v3 • Binary + JSON • Semantic processing – Text to Intent & Intent to Card • https://www.bing.com/speech_render - GET request, HTML response • https://www.bing.com/DialogPolicy - GET / POST request, Javascript response • Machine Learning • Improve speech recognition • Extend intent resolution capabilities 11
  • 12. Audio Processing Phase Client Server Connection.context(JSON) Audio stream (BIN) IntermediateResult (XML) Audio stream (BIN) IntermediateResult (XML) Audio stream (BIN) Audio.stream.hypothesis PhraseResult (XML) 12
  • 14. Cortana Skills • Cortana can be extended with cloud based “skills” • A Skill is an Azure bot registered to the Cortana channel • Receive all user input after an invocation name • Interacts with the Cortana client using Cards that include voice, text and LIMITED COMMANDS 14
  • 16. • Fat client executes on locked screen • Many possible actions • Action choice by cloud logic • Can be changed without any apparent sign on the device • Might depend on Machine Learning • Choice of action can be affected by unknown 3rd parties Summary 16
  • 17. 17
  • 18. Putting Murphy to Work • Set up a research project with the Technion • Undergraduate students exploring different aspects of the system • Some avenues we explored • Local input to Cortana • Intents that invoke exploitable actions • Intents that retrieve malicious content • Capabilities of 3rd party Cortana skills 18
  • 19. Attacking Cortana 19 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through lock screen Malicious skills Bad content provider
  • 23. Open Sesame: Attack Model • Impact: • by Abusing The “Open Sesame” vulnerability, “Evil Maid” attackers can gain full control over a locked machine • Evil Maid attack model: • Attackers have physical access for a limited time, but the Computer is locked • Why it’s called Evil Maid? • Think of the laptop you left in your room last night when you went out… • But also borders control, computers in the office during breaks and night, … • But isn’t that exactly what Locked Screen suppose to stop? 23
  • 24. Lock Screen: You Had One Job • Lock Screen is not magic! • Lock Screen is merely another “Desktop” ( Winlogon desktop ) with very limited access • The security stems from the reduced attack surface • If Microsoft adds more apps on Lock Screen: The attack surface expands → security is reduced 24
  • 27. “Open Sesame” Root Cause • Lock screen restricts keyboard, but allows Cortana invocation through voice • Once Cortana is invoked, the Lock Screen no longer restricts it • Cortana is free to accept input from the keyboard too • The fix: Make Cortana Search UI state aware. Different behavior when the UI is locked • Shift of responsibility: • In the past, the OS made sure the UI is not accessible when computer is locked, therefore developers do not need to think about it. • Now, it’s the developers’ responsibility 27
  • 28. Disclosure Timeline 16 APR 18: We report CVE-2018- 8140 to MS 23 APR 18: McAfee reports CVE-2018- 8140 to MS 12 JUN 18: MS patch (Very quick + Bug Bounty!) 26 JUN 18: We report CVE-2018- 8369 to MS 28
  • 29. “Open Sesame” Summary • Impact: Evil Maid Attackers can gain full control on a locked machine • The fix is • Tactical: making Cortana Search aware of UI state • Not Strategical: Cortana still gets keyboard input and launches processes from a locked screen in some other scenarios • There are more where it came from: CVE-2018-8369 • Design lessons: Adding more capabilities to Lock Screen is very tempting, but dangerous 29
  • 31. Attacking Cortana: Cruel Intentions 31 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through Lock Screen
  • 32. Voice of Esau Attack • Evil Maid Attack (First presented in Kaspersky SAS 2018) • Attackers: 1. Achieve Man-in-the-Middle position: Plug into the network interface 2. Use Cortana on locked screen to invoke insecure (Non-HTTPS) browsing 3. Intercept request, respond with malicious payload • Exploit browser vulnerabilities • Capture domain credentials 32
  • 33. The VOE Attack - Evil Maid (Local) I’m in! but the computer is locked! Hi Cortana! Go to bbc.com Browse http://www.bbc.com I’m BBC and here’s my malicious payload! http://www.bbc.com 33
  • 34. The VOE Attack Demo 34
  • 35. VOE Attack – Lateral movement • Use initial compromise to install agent on compromised machine • Achieve Man-in-the-Middle position • Some local routing attack: e.g. ARP spoofing • Invoke Cortana insecure browsing • Play sound file – “GOTO BBC DOT COM” • RDP (Remote Desktop Protocol) sound file to target • NLA must be disabled for it to work • Intercept traffic of targeted machines and compromise, as in before. 35
  • 36. RDP: A Silent Killer 36
  • 37. Cortana over RDP Demo 37
  • 38. VOE Disclosure Timeline 16 JUN 17: We report VOE to MS 29 JUN 17: MS Cloud patch (no CVE) 8 MAR 18: Our talk @ Kaspersky SAS 25 JUN 18: We report CVE-2018- 8271 (and more) to MS 38
  • 39. The Voice of Esau • Impact: Evil Maid or even remote attacker can invoke unsafe browsing on a locked machine. Using additional vulns attacker can gain full control • The fix is • Tactical: making Cortana cloud aware of UI state and safely Bing instead of direct browse in certain scenarios • Not Strategical: Cortana may still allow unsafe browsing in some other scenarios • There are more where it came from: CVE-2018-8271 (and more) • Design lessons: Adding more capabilities to Lock Screen is tempting but dangerous 39
  • 41. Skill of Death • VOE attack took advantage of existing intent resolution mechanisms • What about adding our own interpretation mechanism? • Skills interact with client through cards • Cards have “limited functionality” 41
  • 42. Navigate to an attacker controlled server Open malicious MS Office document Skill of Death – Limited Functionality 42
  • 44. Skill of Death • How can attacker invoke a “malicious” skill? • Invoking a new skill on a machine requires user consent • Cortana Skill can be invoked and granted consent from locked screen! 44
  • 46. Skill of Death • Timeline • Authorization of skills in locked screen detected March 2018 • Guy Feferman and Afik Friedberg of The Technion, Israel • Takeover methods detected June 2018 • Natanela Brod and Matan Pugach of the Technion, Israel • Fixed on June 25th 2018 • Fixed in the cloud • No formal announcement of fix • Skills can no longer be INVOKED (authorized or not) from locked screen • Adding functionality on locked screen is a slippery slope • Soon you find yourself allowing NON Microsoft code to run over locked screen 46
  • 48. Preventing Voice Attacks: Speaker Identification • Respond only to me • “try” doesn’t sound very reassuring • “Hey Cortana” can be easily recorded • Can be subverted, see other talk 48
  • 49. Preventing Voice Attacks: Compensating Controls Take 1 • Take 1: Put a security Microphone on each room? • Disadvantages: • Privacy • Cost • Audio directionality • Audio semantics • Not all attacks are audible • Detection only 49
  • 50. Preventing Voice Attacks: Compensating Controls Take 2 • NewSpeak: a Network-based Intercepting proxy • TLS/SSL certificate must be installed on monitored devices • In many organization already exists for web gateway monitoring, DLP • Can monitor all Cortana requests and responses • Origin details: IP, computer name, user, UI State, etc. • Request audio and Text to Speech results • Intents and Action cards • Can block or modify all Cortana requests and responses • Much better than previous suggestion: Centrally located, does not rely on audio analogic capture, can mitigate not just detect 50
  • 51. Network monitoring with NewSpeak 51 I’m the NewSpeak Proxy Hi Cortana! Go to cnn.com Browse http://www.cnn.com Browse http://www.foxnews.com
  • 54. Summary: Attacking Cortana 54 Cortana Service Speech to Text Text to Intent (Action) Cortana Skill Internet 3rd party web service Cortana Client Speech Text Text Intent + p Intent + p Card data Speech Text Resolve! Card Action Provider (Azure Bot) Intent to Card (Azure Bot) Expressing bad intents Local commands through Lock Screen Malicious skills Bad content provider
  • 55. Takeaways: Defenders • For the time being: • Disable Cortana voice in corporate environments • Or at least on locked screen • Reconsider when compensating controls are there • “voice firewall”: If voice becomes mainstream, considering specialized solutions is a must for corporate adoption 55 https://www.pcgamer.com/how-to-disable-cortana/
  • 56. Takeaways: Builders & Breakers • New interfaces are much more than “just an interface” • When introducing innovative concept into existing environments • Secure Coding is not enough • We need Secure System Engineering • We found 3 different CVEs and numerous issues that enables attackers to bypass the lock screen 56