Thursday, February 01, 2007

Security Exploits are not funny, but this still made me kind of laugh - Using Vista's Speech as a Remote Exploit

I know the answer (it's 42) - Vista speech command remote exploit

"...

However, today someone posted about using speech for remote exploit. The basic idea here is to make someone browse to a web-page which plays sounds which are actually commands to make the comp do interesting stuff. However, I think this is a very remote threat, but interesting nevertheless."

Last week I trained my notebook to better recognize my speech so I could better control my music player... ;)  So now I pretty much leave voice running... And as I've posted before, I think Vista's speech rocks and is very cool!

Still, once I read the above post I started thinking about this kind of exploit.

A TV program or commercial could be used to remotely "do stuff" to all the Vista computers with speech on (think a 24 episode, "Start Listening"... "Start Windows Explorer"..."1"... "ok"... "Delete"... "Yes" and poof your Documents folder is gone)? Or a radio show/commercial? Or someone speaking on a speaker phone? Standing next to your cube? You

While not likely I believe this IS possible. I'm thinking, about as possible as your cat walking over your keyboard and inadvertently doing something bad (been there, done that). And I kind of think the first we'll hear of this is when it happens accidentally ("We were having dinner, talking about work... and my computer started doing ...")

Just to be safe, I think I'm going to turn off Voice (Windows Speech Recognition) and only turn it on when I actually plan on using it (and turn it off when I'm done). No leaving it running all the time... Never hurts to be safe.

Still, as recognition gets better, I think this will need to be addressed (like instead of "Start Listening" to wake it up, a personalized verbal passphrase. And a timeout to make it go to sleep if it hasn't heard anything for XX minutes... etc)

2 comments:

Arnaud said...

That's impressive! So simple to do, and yet so powerfully harmful. As new technologies emerge, there's always a tweaked guy to use them badly...

Jon Galloway said...

My first professional programming job was a family business. The husband (my boss) would dictate specifications with some speech to text program, and occasionally his wife would pop her head in his office and say "File... Exit... Don't Save". She thought it was really funny, and I did too but had to keep it to myself since my boss didn't appreciate it too much...

My three year old knows to yell out "stop listening!!!" when she comes into my office to talk to me now.

It's definitely strange to have your computer listening all the time.