Ah, from the "joys of new operating systems department..."

Jan. 31, 2007
Bryan Singer, from ISA's SP99 committee, sends along this gem: This is a cute little "feature" in the newly released Vista operating system. For your reading enjoyment, it always seems that the most obvious things are the last we think about when it comes to security!

http://isc.sans.org/diary.html?storyid=2148

Article Text
-----------------

Simon says: download backdoor.exe (or using Vista Speech Command for fun and profit)

Published: 2007-02-01, Last Updated: 2007-02-01 11:49:20 UTC by Arrigo Triulzi (Version: 1)

Once in a while security researchers ask themselves simple questions to which they sincerely hope the answer is "of course not!". This is the story of a question to which the answer is "oh my, this is fun!".

On January 30th Sebastian Krahmer asked himself (out loud on the Dailydave mailing list) if the Windows Vista Speech Command function could be used by a malicious website feeding a wav file which would speak commands to download malware. The idea is deceivingly simple: the wav file plays through the speakers, the microphone picks up the commands and the Speech Command happily executes them.

A fascinating discussion ensued, George Ou went off to research the concept and, at the risk of spoiling the surprise, here is the result in George's fine words:

"I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt. When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu. I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked!"

Oh dear. There are obviously a few obstacles to overcome to make this a viable attack, like having to spell out a long URL, so George tried to use the "tinyurl" service and indeed that worked just fine.

The next question was whether it would work with untrained voices and George reported that it would happily work. The best picture in my mind of this attack vector is a large trading room, in the middle of the night, and one computer shouting out loud "start listening", "start", "internet explorer", "download ", etc.

So, how about prevention? Well, the answer is that you should disable Speech Command for the time being, or use it carefully, and wait for Microsoft to issue a patch which ignores output from the computer's own speakers.

For those who are old enough to remember: about 15 years ago Apple introduced voice commands for MacOS and it was great fun to shout behind someone's back "shutdown" to see the Mac happily go into its shutdown routine. This was patched a while back on MacOS, as you can probably imagine, but it was a great prank.

Thanks to Gerrit Rothmaier for bringing it up at 08:42 this morning and dramatically improving my second espresso of the day.
