Vista SP1 still vulnerable to speech recognition 'analog' hole


A little more than a year ago, Sebastian Krahmer posted a question on the Dailydave security mailing list asking whether Vista's speech recognition was exploitable via malicious sound files that could be hosted on websites.  I was the first to answer his call with some initial skepticism, but that turned into astonishment when I ran some tests that confirmed the vulnerability.  Stories ran a few months ago, before the finalization of Vista Service Pack 1, that SP1 would close this speech recognition vulnerability, but I couldn't get any confirmation or denial from Microsoft after multiple queries.  I finally got tired of waiting and decided to test the exploit again with Vista SP1 RTM installed and found that the vulnerability still exists.

The test sound file I created managed to wake Vista speech recognition, highlight all the files on my desktop or all my pictures via Windows Explorer, and invoke the shift-delete command which wipes the files without the ability to undelete from the Recycle Bin.  I could also open Internet Explorer and invoke TinyURL addresses which in turn redirect to some other malicious executable.  While the damage is limited to the user space since Vista speech recognition can't get around the UAC prompt (assuming it's on), code execution in the user space is still a serious vulnerability.

When this story first got some traction last year, it stirred up some debate and controversy over the seriousness of this exploit.  I had people privately and openly criticizing me, saying this was a nonissue, while others like Scott M. Fulton understood the seriousness of it and called it the "low-tech" Vista exploit.  Others like Ryan Naraine and Thierry Zoller openly thought I was crying wolf and not to be taken seriously, but I'm sure there are those in the disabled community who need to use speech recognition who would vehemently disagree.  The bottom line is that while the vulnerability has zero impact on people who don't use speech recognition, it has full impact on people who do use speech recognition with a desktop microphone and speaker.  While such users are still rare, Microsoft wants to make this a mainstream feature and they should address the problem.  Otherwise why would Bill Gates declare speech recognition a key feature of Windows Vista last year?

Last year I gave two simple recommendations for mitigating this vulnerability:

  1. Don't allow the generic "start listening" command to wake speech recognition.  Require some kind of keyword like "Jenny, start listening" if you decide to name your computer "Jenny" but you can name it whatever.  That at least breaks the generic and universal attack vector.
  2. Don't allow sound being played by the computer itself to be processed by the speech recognition engine.  While this doesn't stop neighboring computers, radios, TVs, or people nearby from shouting into the computer, it does close off one key vector for this exploit.

I think most security experts would agree that these are reasonable security measures and more needs to be done in this research area.  Microsoft has had a year to implement some basic security mechanisms to mitigate this vulnerability in Vista Service Pack 1 but they haven't bothered with it.  In my opinion, this is very disappointing and a lost opportunity for Microsoft on the security front.  For now, the only thing users can do is disable Vista speech recognition and only use a headset if they need to use voice dictation and not the more convenient desktop microphone plus speakers.
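The two recommendations above, sketched as a gate in front of a recognizer. This is an added example, not code from the article or from Microsoft: the function names, the 0.6 threshold, and the signals are assumptions, and the sample audio is constructed random data standing in for the speaker feed and microphone input.

```python
import math
import random

def xcorr_peak(mic, playback, max_lag=64):
    """Peak normalized cross-correlation of mic against playback, lags 0..max_lag."""
    best = 0.0
    for lag in range(max_lag + 1):
        n = min(len(mic) - lag, len(playback))
        if n <= 0:
            break
        m, p = mic[lag:lag + n], playback[:n]
        dot = sum(a * b for a, b in zip(m, p))
        energy = sum(a * a for a in m) * sum(b * b for b in p)
        if energy > 0:
            best = max(best, abs(dot) / math.sqrt(energy))
    return best

def should_wake(transcript, mic, playback, wake_name, threshold=0.6):
    """Decide whether a recognized phrase may wake the recognizer (hypothetical gate)."""
    words = transcript.lower().replace(",", " ").split()
    # Recommendation 1: the generic phrase alone is never enough.
    if words != [wake_name.lower(), "start", "listening"]:
        return False, "wake phrase lacks the configured name"
    # Recommendation 2: drop audio that is our own speaker output, delayed and attenuated.
    if xcorr_peak(mic, playback) >= threshold:
        return False, "microphone input matches local playback"
    return True, "ok"

def constructed_signals(seed=1, n=512, delay=20):
    """Constructed sample data: playback, its echo at the mic, and unrelated live audio."""
    rng = random.Random(seed)
    playback = [rng.uniform(-1, 1) for _ in range(n)]
    echo = [0.0] * delay + [0.5 * s + rng.uniform(-0.05, 0.05)
                            for s in playback[:n - delay]]
    live = [rng.uniform(-1, 1) for _ in range(n)]
    return playback, echo, live

if __name__ == "__main__":
    playback, echo, live = constructed_signals()
    print(should_wake("start listening", live, playback, "Jenny"))
    print(should_wake("Jenny, start listening", echo, playback, "Jenny"))
    print(should_wake("Jenny, start listening", live, playback, "Jenny"))
```

As the second recommendation itself notes, the playback check only covers sound the machine is playing; audio from another device passes it, so the configured name remains the only barrier there.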


Talkback

19 comments
  • this is not a flaw

    this is not a flaw. If yes, then every speech recognition software would be vulnerable...
    qmlscycrajg
    • Oh really? Do all speech recognition applications let you wake them by

      Oh really? Do all speech recognition applications let you wake them by merely playing back a recorded voice command? If they did, would that excuse this vulnerability? You do realize that even the Apple Newton had a passphrase to unlock the system right?
      georgeou
      • Will this wake it if the machine is locked?

        Because if all it takes to stop this is have your machine drop to the login screen, then it's not much of an exploit.

        I do realize that many may not have their system go back to a password screen, but then again, most people don't have an active microphone and speakers. I'd wager that the vast majority of people who use voice recognition are using a headset with a boom mic.
        notsofast
  • All we need is the glowing red eye

    Hal, start listening...
    Robert Crocker
  • I don't understand the difficulty of security in this matter.

    With the DirectSound API and the OS utilizing the HAL abstraction layer, how difficult would it be to close up this gap?

    How many software packages utilize voice cancellation to prevent a constant echo over the speakers from what the microphone picks up?

    Even preventing the browser from triggering sound when you visit a website would be nice. A sort of "Safe Browsing" mode rather than a continuous prompt.

    Perhaps Microsoft thinks that with UAC, the amount of damage that can be done is minimal to the system.
    nucrash
    • Who cares about the system?

      UAC may protect the system, but it does not protect your data. I'd rather lose the system than the data.
      Michael Kelly
      • Data

        I would rather lose the whole computer than my data. That's why they charge $1700-$2500 to save data on crashed drives.
        MacGeek2121
        • Or More

          Try losing an entire RAID array in UNIX.

          But the data is what you want, you will pay to get it back.
          nucrash
      • Yup, good point

        nt
        georgeou
    • Configuring Speech to require a unique name to wake would be very easy

      Configuring Speech to require a unique name to wake would be very easy and would hardly require any programming. Adding echo cancellation would require recoding the thing but MS already has echo feedback cancellation in other software so it's not like they don't know how to do it.
      georgeou
  • RE: Vista SP1 still vulnerable to speech recognition 'analog' hole

    Wow... still pushing this baloney?

    I know you guys probably have an editorial instruction to be anti-Microsoft, and certainly anti-Vista, but the least you could do is be honest about your criticisms.

    Pretty pathetic.
    ThinkFr33ly
  • Call for the Code Talkers

    Maybe we need to get the Navajos to operate our computers for us.
    It worked in WWII.
    reedjjjr
  • How Many Exploits?

    Just out of curiosity, how many documented instances of this exploit have there been?

    Just wondering how many hackers are making use of it.
    ParrotHeadFL
  • This would make a great Apple guy / PC guy ad

    Apple Guy carrying a "boombox" plays the speech file and PC guy starts disappearing, limb by limb...
    phake
  • Vista SP1 still vulnerable to stupid users...

    There's a point where you'd have to just be stupid to be affected by this bug George. But I guess you don't get that.
    Narg
    • Tell that to the disabled person who needs speech commands

      Tell that to the disabled person who needs speech commands, but I guess you don't get that. Are you suggesting they're all "stupid" to have been born that way?
      georgeou
  • RE: Vista SP1 still vulnerable to speech recognition 'analog' hole

    Let a dead horse be dead.

    _r
    Ryan Naraine
    • How's it going Ryan? Looks like you're the same old Ryan.

      How's it going Ryan? Looks like you're the same old Ryan.
      georgeou
  • RE: Vista SP1 still vulnerable to speech recognition 'analog' hole

    I hate Vista Ultimate anyway, it doesn't surprise me that it has flaws, we pay Microsoft to be BETA testers and take it on the cheek. Vista is a controlling heap of rubbish, bring back the Amiga, it could do everything Vista could on 2 x 1 meg floppies and it was truly multi tasking and had artificial intelligence software, voice recognition and when you were done you just switched off, why do we accept such treatment for our hard earned cash, why do we need to move on when we have only just got the bugs sorted in XP Pro, now we are talking about Windows 7 and more bugs to come. Somebody please resurrect the Amiga, a computer still years ahead of the old fashioned buggy PC, PCs are high maintenance, I was far more productive with the Amiga, I find it hard to find software compatible with Vista so I am going back to XP Pro so I can at least use my Ulead media suite. nuff said ..... Kev
    kevin.jp@...