Windows Vista includes a feature that lets people control their PC using voice, instead of a keyboard or a mouse. Could this be a security risk, possibly even the first serious vulnerability in the spiffy new Microsoft operating system? Some people think so.
The Daily Dave security mailing list has been abuzz on the topic. ZDNet technology blogger George Ou tried it out. "There are some mitigating factors, but there is no doubt this is still a serious exploit," he wrote Tuesday.
Here's how an attack would happen: the attacker creates an audio file with speech commands and puts the file up on a Web page. Intended victims are then lured to that site, which will automatically play back the audio. If the Vista user has the speech controls enabled and his microphone picks up the commands, the operating system will execute them, according to Ou and others.
Many factors can impact the success of such a prank, attack or whatever you want to call it. The biggest: speech control is not enabled by default and many people likely won't use it at all. Also, it could fail for numerous reasons: because of background noise, because speakers are off or turned down, or because the microphone is too far away.
Ou said he managed to run an audio file that instructed the PC to start listening, open the file manager, access a folder, select some documents, delete those and empty the recycle bin.
When I tried to do something similar over speaker phone with colleague Robert Vamosi running Vista, it didn't even respond to the "start listening" command.
Our experiment may have failed because Vamosi's copy of Vista is trained to recognize his voice, so it didn't work with mine. (Vista makes you say a couple of phrases when setting up voice control.) Ou recorded his own voice and tested on his own machine.
Ou calls on Microsoft to add safety measures to Vista. Specifically, anything audio coming out of the PC itself should be disregarded by the speech command feature. Also, the speech feature (when enabled) should require a custom command to wake up and start listening for commands, instead of the fixed "start listening," he wrote.
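The first safeguard Ou asks for, ignoring commands that are really the PC's own speaker output, can be approximated by correlating the microphone capture against what the sound card was playing at the same moment. The snippet below is an added illustration of that idea, not code from Vista, Microsoft or Ou; the function names, the correlation threshold and the sample audio are all constructed for the example.

```python
import math
import random

def _ncc(a, b):
    """Normalized dot product of two equal-length sample sequences (1.0 = same shape)."""
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0 or nb == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def self_echo_score(mic, playback, max_lag=32):
    """Highest normalized correlation between the microphone capture and the audio the
    PC was emitting, searched over acoustic delays of 0..max_lag samples."""
    n = len(playback)
    best = 0.0
    for lag in range(max_lag + 1):
        window = mic[lag:lag + n]
        if len(window) < n:
            break
        best = max(best, abs(_ncc(window, playback)))
    return best

def should_accept(mic, playback, threshold=0.6):
    """Accept a recognized command only if the capture does not look like the PC's
    own playback leaking back in through the microphone (threshold is an assumption)."""
    return self_echo_score(mic, playback) < threshold

def make_samples(seed, n):
    """Constructed pseudo-random audio standing in for real PCM data."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]

# Constructed data: what the PC played during the last 200 samples.
PLAYBACK = make_samples(1, 200)
# Case 1: the microphone hears the speakers, delayed by 7 samples, attenuated, plus room noise.
_noise = make_samples(2, 240)
MIC_ECHO = [0.4 * PLAYBACK[i - 7] if 7 <= i < 207 else 0.0 for i in range(240)]
MIC_ECHO = [m + 0.05 * nz for m, nz in zip(MIC_ECHO, _noise)]
# Case 2: a person speaking, unrelated to the playback.
MIC_HUMAN = make_samples(3, 240)

if __name__ == "__main__":
    print("self-echo accepted:", should_accept(MIC_ECHO, PLAYBACK))   # False
    print("human voice accepted:", should_accept(MIC_HUMAN, PLAYBACK))  # True
```

A real implementation would run this against the sound card's loopback buffer rather than a copy of the file, and would still need the custom wake phrase Ou mentions to cover audio from a second device in the room.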
Now, my 2 cents: this is not a critical security problem. Web sites are not going to bark commands at your Vista PC. This is much harder to exploit than it sounds. If you can be lured to a malicious Web site, there are much worse things an attacker could do. Still, it won't hurt to add some safeguards to the feature to stop pranksters. Pranks can be fun, but also very annoying, successful or not.
One contributor to the Daily Dave discussion said: "Here's $500 for the first documented case of someone using the white courtesy phone in an airport to page 'Mr Shootdown, Reese Sett, Sleep Now,' or whatever and blanking all the laptops in a concourse. An extra $500 if it's DC National." Funny! But I doubt it would work.