
Birth of the Verbal Hack?

Microsoft Corp. said Wednesday that a voice-recognition feature built into Vista -- the new version of Windows that went on sale this week -- could be exploited remotely to delete files on a victim's machine if he or she visited a Web site that tried to issue specific commands through the computer's audio system.

Online computer security forums were abuzz this week with discussions of ways to exploit the new feature. In the DailyDave online security newsgroup, one commenter described a successful test in which he managed to delete his entire "My Documents" folder using the voice command feature. An attack recorded as an audio file and automatically played when a user visits a malicious Web site could have the same effect, security experts said.

Microsoft noted that the voice-recognition feature is not turned on by default in Vista, and that such an attack would be extremely difficult to execute.

In a posting on its security Web site, Microsoft said a targeted system "would need to have the speech recognition feature previously activated and configured. Additionally the system would need to have speakers and a microphone installed and turned on. The exploit scenario would involve the speech recognition feature picking up commands through the microphone such as 'copy,' 'delete,' 'shutdown,' etc. and acting on them. Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation. There are also additional barriers that would make an attack difficult including speaker and microphone placement, microphone feedback, and the clarity of the dictation."

While Microsoft said the feature could be exploited to delete a victim's documents, it pointed out that a key component of security on Vista -- the "user account control" (UAC) feature that requires a user to enter his or her password before making any significant changes to the system -- would prevent an attacker from installing software or creating new user accounts on the victim's PC.

Rich Mogull, a security analyst with Gartner Inc., said he doubts that many users will bother to configure and run the voice command feature in Vista, and even for those who do the real threat of falling victim to such an attack would be fairly low.

Still, Mogull said, "if they are running it, and someone can get the right kind of file to play when no one is looking, yep -- you could do nasty stuff."

My personal favorite perspective on this comes from the venerable security guru Dan Geer, who offered the following challenge on the DailyDave list:

"Here's $500 for the first documented case of someone using the white courtesy phone in an airport to page Mr Shootdown, Reese Sett, Sleep Now, or whatever and blanking all the laptops in a concourse. An extra $500 if it's DC National..."

By Brian Krebs  |  February 1, 2007; 10:50 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


Gotta love Microsoft's defense -- "this attack will only work if you're actually -using- the super-duper cool features that we put into the OS to try to con you into buying it..."

Posted by: JoeBleux | February 1, 2007 1:38 PM


You deserve to get your Documents deleted if you're not using a noise-reducing headset that is directional, at the very least.
With a normal mic, you pick up all sorts of background noise.

Posted by: Yert | February 1, 2007 2:27 PM

How good IS the Vista sound recognition though? Are we talking about Star Trek good?

"Computer, stop telling me what to do!"


Are we talking about like when I'm trying to voice dial with my cell phone and end up getting frustrated about having to say "Call Mom" about 10 times before it finally gets "Call BOB" and I have to say NO and it starts all over again. Or even worse, if it accepts "Go" as an answer instead of only NO, then I now have a confused best friend wondering why I am calling him Mom.

Posted by: Lordneeko | February 1, 2007 2:29 PM

I remember a Dilbert cartoon from a number of years ago when Wally stood behind a headset-wearing Dilbert, & emphasized the words "delete" & "files" as they talked...
The man is truly a seer!

Posted by: jon | February 1, 2007 2:30 PM

"Gotta love Microsoft's defense -- "this attack will only work if you're actually -using- the super-duper cool features that we put into the OS to try to con you into buying it...""

So the FUD begins.

If you have an understanding of what has to be done for this to work, then you would also understand that it is more likely that you will be bitten by a spider and become Spiderman.

Cynics, like Joe, do nothing but spread their dislike for Microsoft. When, in fact, the blame should be, most often, on the third party driver and software manufacturer and the user.

Yes, as it turns out, no matter how secure an operating system is made, the hole that cannot be patched is the user.

There are so many steps that must be in just the right place at just the right time for this to work, that I'm sure we will never hear of a documented occurrence of it really happening.

So, this is FUD.

Since 95.9% of computer users worldwide are using some form of Windows (see Forbes reference here), don't you think it is better to help educate them on the proper use and protection of their system than copping out by blaming Microsoft for everything?

Posted by: Mike | February 1, 2007 2:42 PM

I just got Vista Ultimate installed on a Macbook Pro using VMware Fusion, and it works fine, albeit not as fast as I'd like. Overall, I'm impressed with the accuracy and ease of use with Vista's speech recognition software. It even catches commands and dictation very well using the Macbook's built-in mic, which surprised me. I will be dictating a blog post tomorrow, so I'll probably have a fuller review of the functionality then.

Posted by: Bk | February 1, 2007 2:47 PM

It's not FUD. It's comedy.

Posted by: Alan | February 1, 2007 2:55 PM

Agreed with Jon.
I suppose it is possible I could get drunk, fall asleep on my house key, leave an imprint in my face that is later copied in wax by an evil henchman, and therefore owning keys is a security threat to my house.


This should not be classed as a security threat but rather a stupidity threat.

Posted by: Pete | February 1, 2007 3:01 PM

Mike, by all means, please feel free to de-FUD this.

My understanding is that what is needed is VR configured, speaker and mic on. Then a malicious website plays an appropriately malicious audio command that's executed. For optimal effect, a delayed pop-under would be best so that there's a better chance the user's gone when it executes.

No? DeFUD away...

Posted by: JoeBleux | February 1, 2007 3:01 PM

And, by the way, I am not saying that this is an earth shattering security problem; I just commented that Microsoft's response was particularly lame.

Don't freak out. I'm sure your Microsoft stock will be fine.

Posted by: JoeBleux | February 1, 2007 3:04 PM

I'm on the no-FUD bandwagon...

This exploit requires that the user be running VR and have speakers and a mic enabled. But if a user is using VR, wouldn't it stand to reason that they WOULD leave their mic and speakers enabled for convenience?

Posted by: Paul S | February 1, 2007 3:35 PM

Talk about absurd. This is like saying - "oh, Vista has a security hole in it because if you leave your machine running when you go to take a leak, someone can walk by and do malicious things to your desktop." Duh!

This is not a security flaw in the OS - it's a flaw in the user.

Posted by: Dravid | February 1, 2007 4:05 PM

I thought that when you set up the voice recognition software, it took about 20 minutes to "learn" the way you speak.

The one guy who did manage to do this obviously was using his own voice, and I'm guessing that he also "taught" the computer with that voice. So yeah, it would be possible to do it to yourself, on your own computer.

However, I am from Scotland; I have an accent that few of you in Yankville would understand, let alone be able to copy accurately enough to get my computer to think you are me.

I'm sure the same thing exists in America too; people from Washington don't sound like people from Alabama.

It seems to me like the only security threat posed here is if you have your voice stolen.

Posted by: fuse5k | February 2, 2007 6:19 AM

@ Mike:
>>Cynics, like Joe, do nothing but spread their dislike for Microsoft.

"The power of accurate observation is commonly called cynicism by those who have not got it." -- George Bernard Shaw

I will, however, give Microsoft credit for not in fact enabling this function in Vista by default. Phew, one bright spot. Maybe some in Microsoft's management are starting to 'get' that "default-disable" of "functionality" is the way to go? Maybe they learned from the experience of speech recognition being enabled by default on XP RTM?

OTOH, it could simply be an accident in our favor.

Posted by: Mark Odell | February 2, 2007 12:08 PM

Until everyone realizes security flaws are bad, you're all gonna continue to come to Microsoft's defence, which means you all will have computers that are not secure.

What standards do you people want, expensive insecure computers? Bill claims he spent 6 billion dollars on the goes on to claim Vista as the most secure system, while the NSA provides their involvement, and you get voice activated hacking...

You people are sitting in a pot of boiling water and don't know when to leap out...

Vista is about DRM, taking away your rights, and it appears most of you don't even care about liberty, rights and freedom.

Here's a suggestion: what would happen if intellectual property rights were removed, allowing everyone to share the benefits in society so nobody would be left out or disadvantaged...

Maybe then we wouldn't have capitalism, no more corporate greed, lawsuits and hungry people...

Yes indeed, what kind of world would we have then, where everyone no longer works for money, too!

Hard to imagine when you're stuck on owning the world's wealth, that is, less than 1% of the rich owning 40% of the world's wealth....

Posted by: John Wayne | February 2, 2007 9:29 PM

You've all forgotten who the speech features were designed for: People with physical impairments that keep them from using a keyboard; I know several such folk. The lack of this support built into the OS has been a sore point for people with disabilities.

Third-party speech recognition software has been available for a LONG time; I believe it's even available for OSX.

There is a very old post about the hazards of speech recognition on the COMP-RISKS digest, so the problem posted isn't new at all.

Perhaps we should regret that Apple didn't invent that technology.

Take care,

Posted by: David Moisan | February 5, 2007 4:41 PM

"BLAH BLAH BLAH... Microsoft is bad, they ruin everyone's lives."

Blaming Microsoft IS A HUGE COP-OUT. I can't even believe that something this stupid is even being considered a security threat. It should be in there with knocking people out before they get a chance to lock their computer.
Most of these "security threats" are obscure events that rely on the user making some kind of stupid mistake, but Microsoft still deals with it by releasing security updates to try and baby people more and more through the use of their computer.

Posted by: topdog | February 16, 2007 2:40 AM

© 2010 The Washington Post Company