Dailydave: Re: Vista speach recognition

["George Ou" <george_ou () lanarchitect net>]

I don't see how it should be so computationally expensive.  Polycom does
their echo cancellation in software for their communicator product and it
doesn't cost a whole lot of CPU even on a low-end machine.  Microsoft
Windows Messenger does superb echo cancellation (much better than Skype
though they need to get a clue on firewall friendliness) when you're using
speakers and even a cheap desktop standing microphone and it didn't cost a
lot of CPU in the one gigahertz era.

There's just no reason that what comes out of a computer should be processed
back in by a speech recognition system EVEN if they implemented some sort of
password you have to speak.  But they haven't even implemented a password
and you can just playback "start listening" to wake the speech command
engine.  The multiple computer scenario would be a little more difficult to
defend against though it's a lot less likely.  Heck it could be a TV show
that barks out a kill-all-documents sequence.  I guess one way to defeat
that is to use the new multi-Mic technology in Vista to pin point a voice in
space and require the voice to be coming from there.

I've already successfully tested a full scenario where I recorded and played
back a file that:

1.  Woke the speech command engine.
2.  Open Windows Explorer.
3.  Highlight documents.
4.  Delete documents and confirm yes.
5.  Go to recycle bin on desktop.
6.  Tell it to empty the trash and confirm yes.

All this without triggering UAC or requiring user interaction.  If you want
a shorter sequence of commands as a gag; just say "start", "shutdown".  The
only thing I didn't do is put that sound file on a website with
auto-playback turned on and I know that technically trivial.



George


-----Original Message-----
From: Robert Graham [mailto:robert_david_graham () yahoo com] 
Sent: Tuesday, January 30, 2007 9:34 PM
To: George Ou; 'Rich Mogull'
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Vista speach recognition

There are some easy defenses.

Echo-cancelation software is pretty straightforward. It would be
straightforward to remove anything coming out of the speakers from being
picked up by the microphone. Unfortunately, it would also be CPU intensive.

Unfortunately, more and more households have multiple computer, so while the
echo-cancelation computer wouldn't get hit, another computer in the room or
down the hall might.

The Logitech microphone on my desktop has a lighted-button that shows when
the microphone is on/off. That's one simple defense.


--- George Ou <george_ou () lanarchitect net> wrote:

> It won't bypass UAC and it won't let you have the command prompt control.
> You can open the command prompt but it won't actually run commands.
> However, you can wake an idle speech system, interact with the 
> desktop, delete user files, and do all this without user interaction 
> or ever triggering UAC or Secure Desktop.  That sounds like a serious 
> remote exploit to me.  There are mitigating factors of course, but 
> it's still pretty serious.  I figured this was too obvious to be an 
> exploit, but I figured wrong.
>  
>  
> George
>
>   _____
>
> From: Rich Mogull [mailto:rmogull-dd () securosis com]
> Sent: Tuesday, January 30, 2007 5:06 PM
> To: George Ou
> Cc: 'Dave Aitel'; dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Vista speach recognition
>
>
> I just tested this on Vista and it works. 
>
> Running Vista Ultimate in Parallels on my Mac I enabled voice 
> commands, then recorded a simple command and played it back. Using the 
> mic and speakers on my Mac the commands executed. Sound quality was 
> actually terrible because of poor Vista performance in the VM.
>
> But UAC seems to stop it. At the suggestion of Dave Maynor I tried to 
> create a new user account. The usual UAC window popped up and no voice 
> commands seemed to work.
>
> I suspect anything that avoids the "final" (greyed out background) UAC 
> dialogs will work, but looks like UAC stops it. At least in my quick
test...
> -rich
>
>
> On Jan 30, 2007, at 2:27 PM, George Ou wrote:
>
>
> Voice command is autoloaded if you calibrate the system and enable 
> Voice commands. You can actually activate voice command mode by saying 
> a certain phrase. If this exploit works, you could say that phrase 
> first and then start your commands. Then you'd say "start", "cmd", 
> "enter", then bark out the commands you want. This assumes it works 
> and that no one near the PC gets suspicious :).
>
>
> George
>
>   _____
>
> From: dailydave-bounces () lists immunitysec com
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave 
> Aitel
> Sent: Tuesday, January 30, 2007 12:48 PM
> To: dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Vista speach recognition
>
>
> That's a great idea! If the Microsoft people have thought of it, no 
> doubt they ignore any sound coming out of the speakers, so you'll have 
> to rely on an echo effect. Essentially you can always win if your 
> model of the acoustic properties of the room is better than Vistas. :> 
> Many speech recognition systems I've seen require the user to press a 
> button first, of course. :> I haven't tested Vista's. I have, however, 
> gotten CANVAS working on Vista. ( 
> http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I 
> recommend it over Windows XP SP2 because I think they removed that broken
limitation from the TCP stack where you could only make 5 connections at
once.
> Also, here is an article about Evgeny! ok. Not entirely about Evgeny. 
> Mostly about people buying bugs. For someone who's wife is a lawyer in 
> this field, there's a lot of "apparently legal" talk in it. It's just
plain legal!
> Everybody deal. 
> http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1
> <http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1
> &_r=1>
> &_r=1
>
> -dave
>
>
> On 1/30/07, Sebastian Krahmer <krahmer () suse de  
> <mailto:krahmer () suse de> >
> wrote: 
>
>
> Hi,
>
> I am in no way an Win expert but recently I read that vista will 
> support commands as they are spoken by the user.
> What about websites where the browser is playing wav or similar audio 
> files upon visiting? what if they contain spoken commands? An exploit 
> audio file which speaks something like 'open shell' would be cool, eh?
>
> Sebastian
>
>
> --
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer () suse de - SuSE Security Team ~
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
> > _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave


 
____________________________________________________________________________
________
Want to start your own business?
Learn how on Yahoo! Small Business.
http://smallbusiness.yahoo.com/r-index

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave