Israeli security experts have discovered a way to bypass the Lock Screen and the user password used to protect Windows 10 PCs by installing malware using voice commands taken over by the Cortana assistant
Even when Windows 10-based PCs are configured with a user account password and have the Lock Screen enabled, the voice command support service is still active and responds to some voice commands. With newer devices, the Cortana assistant can also be enabled from sleep mode. This behavior is intended, the role of Cortana being to respond to requests for information at any time and to carry out certain activities. However, the freedom left to Cortana's assistant to function and respond to commands behind the Lock Screen may have unexpected effects if Cortana does not refuse instructions that exceed the privileges of a restricted user account.
With physical access to the device, an attacker must first connect a USB stick that has the application you want to install. If necessary, the attacker can use the Cortana to connect to another WiFi network than the user configured. Also, with voice commands, you can turn on the web browser and access an insecure website to download and install infected applications without having to enter your password and override the Lock Screen menu
By setting up an attacker-controlled WiFi network, it is possible to further attract users into phishing attacks by directing HTTP connections to duplicate versions of legitimate sites, thereby obtaining bank account data and passwords
The good news is that Microsoft has already corrected the reported issues, the updated version of the Cortana service accepting web access requests directly when the Lock Screen is active. Still, Cortana still responds to commands applied in Lock Screen, and remains to be seen if there are other ways to get privileged access to Windows 10-based PCs.