Technion Students Discover Security Breach in Microsoft’s Voice-Activated Virtual Assistant

June 14, 2018
Kevin Hattori

The attack orchestrated by the students, led by Technion alumnus Amichai Shulman, allowed the “hackers” to seize control of a locked computer.

Students in the Computer Science Department at the Technion discovered a massive vulnerability in the security of Cortana, Microsoft’s virtual assistant. The attack will be presented at Black Hat USA 2018 (which will take place August 4-9 in Las Vegas) – after Microsoft has corrected the problem using information provided by the Technion team.

Technion students Ron Marcovich (left) and Yuval Ron

Cortana is a virtual assistant that allows users to operate their computer, smartphone, or smartwatch using voice commands. Microsoft’s Israel-based R&D center was involved in the program’s original development before it was unveiled at Microsoft’s global developers’ conference in 2014.

Students Ron Markovich and Yuval Ron discovered the problem with Cortana as part of the Technion undergraduate course Information Security Project, taught by Amichai Shulman and Professor Eli Biham. Shulman completed both his undergraduate and master’s degree in the Technion Computer Science Department and has served as an external lecturer for this course ever since while contributing extensively to the field of data security the private sector.

The idea to attempt a breach of Cortana began with a conversation between Shulman and his daughter, who also works in the field, about creative computer security attacks. It inspired Shulman and his partner, security expert Tal Be’ery, to brainstorm cyber-attacks that did not involve malware, leading them to consider voice-activation features of computerized systems.

In recent semesters, a number of student teams in the Technion Computer Science Department have worked on projects involving the security of virtual assistants. This past semester, Markovich and Ron succeeded in breaching Cortana. They were able to take control of a locked computer and download an external file, enabling them to control all of the computer’s operations. They reported their findings to Microsoft, who will distribute a patch to protect against this form of attack.

The innovation in the method used by Markovich and Ron lies in the use of a voice interface to bypass security features. It allows for a security breach without any actual damage. According to Shulman, this is the second time a security vulnerability has been discovered through this student project. The first one, which also allowed control of a locked computer through a voice-command system, was presented at the Kaspersky Security Analyst Summit in March of 2018.

“This recent breach is even more dramatic,” said Shulman. “And I predict that this coming semester more teams will present significant findings regarding the dangers of combining a voice-command system with classical computer systems.”

Amichai Shulman served in the IDF communications corps, where he worked on systems security, and founded cybersecurity leader Imperva. He is now a consultant for information security companies. A number of student groups he advised at the Technion have won prestigious awards for their projects, including one cited by the New York Times in 2012. As part of that project, the students attacked 40 different antivirus products with 82 different viruses, discovering that the antivirus programs had an average success rate of only 5%. Another project won the Amdocs Best Project Prize and gained attention for demonstrating a method of using Google’s search engine to systematically attack websites.

Professor Eli Biham is the head of the Technion’s Hiroshi Fujiwara Cyber Security Research Center. He is the leading instructor for all cybersecurity courses, including the Information Security Project, in which students work on a wide range of projects within the field of information security.

For more than a century, the Technion-Israel Institute of Technology has pioneered in science and technology education and delivered world-changing impact. Proudly a global university, the Technion has long leveraged boundary-crossing collaborations to advance breakthrough research and technologies. Now with a presence on three continents, the Technion will prepare the next generation of global innovators. Technion people, ideas and inventions make immeasurable contributions to the world, innovating in fields from cancer research and sustainable energy to quantum computing and computer science to do good around the world.

The American Technion Society supports visionary education and world-changing impact through the Technion-Israel Institute of Technology. Based in New York City, we represent thousands of US donors, alumni and stakeholders who invest in the Technion’s growth and innovation to advance critical research and technologies that serve the State of Israel and the global good. Over more than 75 years, our nationwide supporter network has funded new Technion scholarships, research, labs and facilities that have helped deliver world-changing contributions and extend Technion education to campuses on three continents.