Alexa and Cortana in Windowsland
Hacking Innovative Partnerships and Other Adventures
Presenters: Amichai Shulman and Yuval Ron
Amichai Shulman
▪ Independent security researcher
▪ Advisor for several cyber security startups
▪ Former CTO and Co-Founder of Imperva
▪ Black Hat, RSA, InfoSec speaker
▪ @amichaishulman

Yuval Ron
▪ Master’s student at the Technion
▪ Researching voice assistant security for the past 2 years
▪ Speaker at Black Hat, Global AppSec
▪ @YuvalRonSec
ACKNOWLEDGMENTS
Prof. Eli Biham
Computer Science Department, Technion
Founding head of the Technion Hiroshi Fujiwara Cyber Security Research Center
AGENDA
▪ Introduction and Context
▪ Previous Results
▪ Cortana and Alexa
▪ Poking Holes in Cortana
▪ Cortana on Android
▪ Playing Ping Pong with Microsoft
▪ Conclusions
Alexa and Cortana in Windowsland – Shulman / Ron
INTRODUCTION
▪ Voice assistants everywhere
▪ Cortana / Alexa / Siri / Google Assistant
▪ Translate human intent into computer actions
▪ Retrieve data
▪ Browse the web
▪ Launch programs
▪ Hands-free operation
▪ Operates over locked screen
CONTEXT
▪ 2 Years of Research
▪ Security Effects of Cortana over Locked Screen
▪ Including the Cortana-Alexa Integration on Windows 10
▪ 17 Reported Vulnerabilities
▪ 2 CVEs?!?!?!
▪ >50,000 USD in Bug Bounty
CORTANA ARCHITECTURE
[Diagram: the Cortana Client sends Speech to the Cortana Service. The service runs Speech to Text, then Text to Intent (Action), and hands "Intent + p" to an Action Provider (Azure Bot) or to a Cortana Skill, which may call a 3rd Party Web Service over the Internet. An Intent to Card step (Azure Bot) returns Card data; the client receives the Card and resolves it ("Resolve!").]
CORTANA ARCHITECTURE - EXAMPLE
[Diagram, same pipeline as above: the spoken query "Who is George Washington" is transcribed to the text "Who is George Washington", resolved to the intent Search Query = "George Washington", and the result is returned to the client as a Card.]
CORTANA CLOUD SERVICE
▪ Processing and decision making is done in the cloud
▪ Two phases
▪ Audio processing – Speech to Text
▪ wss://websockets.platform.bing.com/ws/cu/v3
▪ Binary + JSON
▪ Semantic processing – Text to Intent & Intent to Card
▪ https://www.bing.com/speech_render - GET request, HTML response
▪ https://www.bing.com/DialogPolicy - GET / POST request, JavaScript response
▪ Machine Learning
▪ Improve speech recognition
▪ Extend intent resolution capabilities
SEMANTIC PROCESSING PHASE
CORTANA SKILLS
▪ Cortana can be extended with cloud based “skills”
▪ A Skill is an Azure bot registered to the Cortana channel
▪ Receives all user input after an invocation name
▪ Interacts with the Cortana client using Cards that include voice, text and LIMITED COMMANDS
OUR JOURNEY STARTS HERE…
April 2016: Cortana on Windows 10 Lock screen is released
TURNED ON BY DEFAULT
CORTANA AGENT
Very fat client
▪ Can do a lot of stuff!
▪ Merely an execution engine
▪ Exposes a powerful JavaScript API
Works on locked devices
▪ SpeechRuntime.exe listens for “Hey Cortana”
▪ SearchUI.exe has the “Cortana Logic”
PREVIOUS RESULTS
▪ Voice of Esau
▪ https://www.youtube.com/watch?v=7AyW0lCCyGI
▪ https://www.digitaltrends.com/computing/microsoft-fixes-cortana-lock-screen-bug-malware/
▪ Open Sesame (CVE-2018-8140)
▪ https://i.blackhat.com/us-18/Wed-August-8/us-18-Beery-Open-Sesame-Picking-Locks-with-Cortana.pdf
▪ The Skill of Death
▪ Others (by us and McAfee)
▪ https://www.windowslatest.com/2018/08/15/mcafee-discovers-new-windows-10-cortana-vulnerabilities-that-could-manipulate-locked-systems/
Hey Cortana, Remind Me to Execute Arbitrary Code
PHOTO REMINDER
Deadly combination?
REMINDER VULNERABILITY DEMO
Hey Cortana, Remind Me to Execute Arbitrary Code
▪ Reported to MS on June 25th, 2018.
▪ MS fixed it via a server update on August 11th, 2018.
▪ MS removed the ability to add a photo and a contact person when in locked mode
[Screenshots: before and after the fix]
The “Alexa in Windowsland” Vulnerability
Hacking the Cortana-Alexa Partnership on Windows 10
CORTANA AND ALEXA TEAM UP
▪ A surprising business partnership between Microsoft and Amazon
▪ “Hey Cortana, open Alexa” on Windows 10
▪ “Alexa, open Cortana” on Amazon Echo devices
▪ Get the best of both worlds!
▪ Cortana users have access to more than 50,000 Alexa skills
▪ Alexa users can now use unique Cortana skills (Office products)
▪ Get the worst of both worlds?
▪ Alexa is not perfect!
▪ For example, Alexa vulnerability found by Checkmarx researchers (April 2018)
What could possibly go wrong??
WEB BROWSING OVER LOCKED SCREEN
▪ Affects users that are not signed-in to Alexa
▪ Allows attackers to open a customized Internet Explorer browser above the Lock screen
▪ Potential attacks:
  ▪ Navigate to malicious websites – download and execute a browser exploit
  ▪ Take over users’ accounts like Facebook, Gmail, Twitter, using the browser’s cached credentials / session cookies
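A browser opened above the lock screen, as described on this slide, is also something a defender can look for in telemetry. The block below is an added example and not part of the talk: it correlates Windows Security events 4800 (workstation locked) and 4801 (workstation unlocked) with Sysmon event 1 (process creation) and flags a browser started by SearchUI.exe, the process the CORTANA AGENT slide names as holding the Cortana logic, while the host is locked. The flat JSON record layout and the sample events are constructed for the example, and the assumption that the browser shows up as a child process of SearchUI.exe is mine; the talk does not state the parent process.

```javascript
// Added example (not from the talk): flag a browser spawned by the Cortana
// process (SearchUI.exe) while the workstation is locked, by correlating
// Windows Security lock/unlock events with Sysmon process-creation events.
// Event IDs are real: Security 4800 = workstation locked, 4801 = unlocked,
// Sysmon 1 = process create. The flat record layout, the sample events and
// the assumption that the browser is a child of SearchUI.exe are constructed
// for this example.

const BROWSERS = new Set(['iexplore.exe', 'microsoftedge.exe', 'msedge.exe']);
const CORTANA_PROCESSES = new Set(['searchui.exe']);

// Last path component, lower-cased, for both backslash and slash separators.
function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Walks the events in time order, tracking lock state per host, and returns
// one finding per browser launch from a Cortana process on a locked host.
function findBrowsersAboveLock(events) {
  const locked = new Map(); // computer -> true while the workstation is locked
  const findings = [];
  const ordered = [...events].sort((a, b) => a.time.localeCompare(b.time));
  for (const ev of ordered) {
    if (ev.provider === 'Security' && ev.id === 4800) {
      locked.set(ev.computer, true);
    } else if (ev.provider === 'Security' && ev.id === 4801) {
      locked.set(ev.computer, false);
    } else if (ev.provider === 'Sysmon' && ev.id === 1) {
      const parent = baseName(ev.parentImage);
      const image = baseName(ev.image);
      if (locked.get(ev.computer) === true && CORTANA_PROCESSES.has(parent) && BROWSERS.has(image)) {
        findings.push({
          time: ev.time,
          computer: ev.computer,
          reason: `${image} launched by ${parent} while the workstation was locked`,
          commandLine: ev.commandLine,
        });
      }
    }
  }
  return findings;
}

// Constructed sample telemetry (not real logs; paths are illustrative).
const SEARCHUI = 'C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe';
const IEXPLORE = 'C:\\Program Files\\Internet Explorer\\iexplore.exe';
const SAMPLE_EVENTS = [
  { provider: 'Security', id: 4800, time: '2018-09-01T10:00:00Z', computer: 'WS01' },
  // Browser from SearchUI.exe while WS01 is locked: this is the finding.
  { provider: 'Sysmon', id: 1, time: '2018-09-01T10:00:30Z', computer: 'WS01',
    image: IEXPLORE, parentImage: SEARCHUI, commandLine: 'iexplore.exe https://example.invalid/' },
  { provider: 'Security', id: 4801, time: '2018-09-01T10:05:00Z', computer: 'WS01' },
  // Same parent/child after unlock: normal Cortana behaviour, not flagged.
  { provider: 'Sysmon', id: 1, time: '2018-09-01T10:06:00Z', computer: 'WS01',
    image: IEXPLORE, parentImage: SEARCHUI, commandLine: 'iexplore.exe' },
  // Host with no lock event in the window: lock state unknown, not flagged.
  { provider: 'Sysmon', id: 1, time: '2018-09-01T10:07:00Z', computer: 'WS02',
    image: IEXPLORE, parentImage: SEARCHUI, commandLine: 'iexplore.exe' },
];

console.log(JSON.stringify(findBrowsersAboveLock(SAMPLE_EVENTS), null, 2));
```

Lock state is only known from the first 4800/4801 seen per host, so a host that was locked before the collection window started is treated as unlocked (WS02 above); in production, seed the map from the most recent 4800/4801 before the window. Edge and other browsers are in the set because the talk's point is the capability, not the specific binary.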
SIGN-IN TO ALEXA DEMO
WAIT, THERE’S MORE TO COME…
SHOW ME THE MONEY!
Hey Cortana, Tell Alexa to Take My Money
▪ Exploiting the Alexa Donations skill on the lock screen
▪ “Hey Cortana, open Alexa – donate money to…”
▪ Donating up to $5,000 (!) to an arbitrary charity
Hey Cortana, Tell Alexa to Take My Money
▪ Voice purchasing is turned on by default
▪ Voice code is turned off by default
Hey Cortana, Tell Alexa to Take My Money
Attackers can turn this into a profitable venture by setting up fake charity accounts with Amazon.
“Alexa in Windowsland” - Timeline
▪ August 15, 2018: Official integration release
▪ September 1, 2018: We reported the vulnerability to MS
▪ September 24, 2018: Quick fix via cloud update (removal of Alexa from the lock screen)
Done with Alexa, Going to Get Spotify
CORTANA + SPOTIFY INTEGRATION
Sounds suspicious, right?
Hey Cortana, Dial 1-800-HackMe
Hey Cortana, Hack My Android Phone
Cortana on Android Lock screen
Vulnerability Demo
Playing Ping Pong with Microsoft
REPORT – FIX – REPORT AGAIN?
▪ Some vulnerabilities REQUIRED a customer patch
  ▪ These were fixed quite efficiently and in a timely manner
▪ Some OBVIOUSLY required a simple cloud patch
  ▪ These were fixed extremely fast, in a VERY local manner
  ▪ We repeatedly found similar vulnerabilities in other skills
▪ Some needed a bigger change in the state of mind
  ▪ Fixes were applied after a long time, in a very local manner
  ▪ Some fixes were quickly worked around
  ▪ Some fixes were withdrawn in a hasty manner
Let’s Reset
After addressing more than ten vulnerabilities:
“The team responded and advised me this is a result of them taking a conservative posture to and disabling virtually all skills above lock and only re-enabling them when we have proven they are safe to show above lock.”
- MSRC, 16th November 2018
Let’s Reset
… or Not?
Conclusions
Security vs. Convenience
[Figure: Security weighed against Convenience]
CREATING SECURE SYSTEMS
▪ Ask the right questions at design time
  ▪ It is not all about code security
  ▪ It is actually more about proper interfaces
▪ Solve the root cause
  ▪ Linking to insecure URLs
  ▪ Displaying pages from partner sites
▪ Solve in the right place
  ▪ These capabilities should have been removed from the client side API
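The CORTANA SKILLS slide described how a skill drives the client through Cards carrying voice, text and commands, the "Playing Ping Pong" slides described fixes applied per skill that kept being worked around, and the conclusion above is that the capability belongs out of the client-side API. The block below is an added example, not code from the talk or from Microsoft: a lock-state-aware gate that sits in the client in front of the action API, so one check covers every skill regardless of where the card came from. The card schema, the action names (speak, showText, openUrl, addReminder, launchApp) and the sample card are hypothetical and only model the capabilities the talk lists (opening a URL or partner page, attaching a photo or contact to a reminder, launching a program); they are not Cortana's real card format.

```javascript
// Added example (not from the talk or from Microsoft): a lock-state-aware
// policy for skill cards, enforced in the client before any action runs.
// The card schema and action names are hypothetical models of the
// capabilities the talk discusses, not Cortana's real card format.

// Action types that are safe to execute while the screen is locked.
const ABOVE_LOCK_ALLOWED = new Set(['speak', 'showText', 'addReminder']);

// Optional fields that turn an otherwise harmless action into a file
// picker or a contact picker (the photo/contact reminder case).
const LOCK_SENSITIVE_FIELDS = { addReminder: ['photo', 'contact'] };

// Returns null when the URL is acceptable, otherwise a reason string.
// Applies whether or not the screen is locked (the "insecure URLs" root cause).
function checkUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return 'malformed URL';
  }
  if (parsed.protocol !== 'https:') return `insecure scheme ${parsed.protocol}`;
  return null;
}

// Splits a card's actions into those the client may execute and those it
// must drop, with a reason for each rejection. The check never looks at
// card.skill: a per-skill rule would have to be repeated for every skill
// and every partner integration, which is the "very local" fix pattern.
function enforceCardPolicy(card, state) {
  const allowed = [];
  const rejected = [];
  for (const action of card.actions || []) {
    const reject = (reason) => rejected.push({ action, reason });
    if (action.type === 'openUrl') {
      const urlProblem = checkUrl(action.url);
      if (urlProblem) { reject(urlProblem); continue; }
    }
    if (state.locked) {
      if (!ABOVE_LOCK_ALLOWED.has(action.type)) {
        reject(`${action.type} not available above lock`);
        continue;
      }
      const sensitive = (LOCK_SENSITIVE_FIELDS[action.type] || []).filter((f) => f in action);
      if (sensitive.length > 0) {
        reject(`${action.type} with ${sensitive.join(', ')} not available above lock`);
        continue;
      }
    }
    allowed.push(action);
  }
  return { allowed, rejected };
}

// Constructed card resembling what a cloud skill could return.
const SAMPLE_CARD = {
  skill: 'example-partner-skill',
  actions: [
    { type: 'speak', text: 'Here is what I found' },
    { type: 'openUrl', url: 'https://partner.example/login' },
    { type: 'openUrl', url: 'http://partner.example/promo' },
    { type: 'addReminder', title: 'Call back', photo: 'file:///C:/Users/Public/x.png' },
    { type: 'addReminder', title: 'Call back' },
    { type: 'launchApp', app: 'spotify' },
  ],
};

for (const locked of [true, false]) {
  const result = enforceCardPolicy(SAMPLE_CARD, { locked });
  console.log(locked ? 'locked:' : 'unlocked:', JSON.stringify(result.rejected.map((r) => r.reason)));
}
```

Two design points: the policy never consults card.skill, so a new skill or a partner integration the policy author did not anticipate gets the same treatment as every other card; and the https-only rule is applied before the lock check, so an insecure link is refused even on an unlocked device, which keeps the two root causes on the slide separate.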
THANKS!
Amichai Shulman
@amichaishulman
Yuval Ron
@YuvalRonSec
All demos are available on the
YuvalRonSec YouTube channel

Alexa and Cortana in Windowsland - BSidesTLV, June 2019
