Once in a while security researchers ask themselves simple questions to which they sincerly hope the answer is "of course not!".
This is the story of a question to which the answer is "oh my, this is fun!".
On January 30th Sebastian Krahmer asked himself (out loud on the Dailydave mailing list) if Windows Vista Speech Command function could be used by a malicious website feeding a wav file which would speak commands to download malware. The idea is deceivingly simple: the wav file plays through the speakers, the microphone picks up the commands and the Speech Command happily executes them.
A fascinating discussion ensued, George Ou went off to research the concept and, at the risk of spoiling the surprise, here is the result in George's fine words:
"I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu. I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked!"
There are obviously a few obstacles to overcome to make this a viable attack like having to spell out a long URL so George tried to use the "tinyurl" service and indeed that worked just fine. The next question was whether it would work with untrained voices and George reported that it would happily work.
The best picture in my mind of this attack vector is a large trading room, in the middle of the night, and one computer shouting out loud "start listening", "start", "internet explorer", "download <some tinyurl>", etc.
So, how about prevention? Well, the answer is that you should disable Speech Command for the time being or use it carefully and wait for Microsoft to issue a patch which ignore output from the computer's own speakers.
For those who are old enough to remember: about 15 years ago Apple introduced voice commands for MacOS and it was great fun to shout behind someone's back "shutdown" to see the Mac happily go into its shutdown routine. This was patched a while back on MacOS, as you can probably imagine, but it was a great prank.
Thanks to Gerrit Rothmaier for bringing it up at 08:42 this morning and dramatically improving my second espresso of the day.
Feb 1st 2007
1 decade ago