[Dailydave] [RGSPAM] Re: Vista speach recognition

Martin Roesch roesch at sourcefire.com
Wed Jan 31 10:16:07 EST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How about "watermarking" the audio?  Mix some ephemeral digital  
modulation into the speaker output that can be tied to the host  
computer's attributes (so it's unaffected by the user's data) which  
can then be detected by the mic and ignored 100% of the time.  If the  
computers are together in a room you could have some sort of  
resolution protocol so that the machines could ask each other for  
their current watermarks (or query the AD server) so that you  
wouldn't have the "kitchen scenario" necessarily work.

Overhead of implementing this might be a PITA but it's a fun thought  
experiment.

	-Marty

On Jan 31, 2007, at 12:34 AM, Robert Graham wrote:

> There are some easy defenses.
>
> Echo-cancelation software is pretty straightforward. It would be
> straightforward to remove anything coming out of the speakers from  
> being picked
> up by the microphone. Unfortunately, it would also be CPU intensive.
>
> Unfortunately, more and more households have multiple computer, so  
> while the
> echo-cancelation computer wouldn't get hit, another computer in the  
> room or
> down the hall might.
>
> The Logitech microphone on my desktop has a lighted-button that  
> shows when the
> microphone is on/off. That's one simple defense.
>
>
> --- George Ou <george_ou at lanarchitect.net> wrote:
>
>> It won't bypass UAC and it won't let you have the command prompt  
>> control.
>> You can open the command prompt but it won't actually run commands.
>> However, you can wake an idle speech system, interact with the  
>> desktop,
>> delete user files, and do all this without user interaction or ever
>> triggering UAC or Secure Desktop.  That sounds like a serious  
>> remote exploit
>> to me.  There are mitigating factors of course, but it's still pretty
>> serious.  I figured this was too obvious to be an exploit, but I  
>> figured
>> wrong.
>>
>>
>> George
>>
>>   _____
>>
>> From: Rich Mogull [mailto:rmogull-dd at securosis.com]
>> Sent: Tuesday, January 30, 2007 5:06 PM
>> To: George Ou
>> Cc: 'Dave Aitel'; dailydave at lists.immunitysec.com
>> Subject: Re: [Dailydave] Vista speach recognition
>>
>>
>> I just tested this on Vista and it works.
>>
>> Running Vista Ultimate in Parallels on my Mac I enabled voice  
>> commands, then
>> recorded a simple command and played it back. Using the mic and  
>> speakers on
>> my Mac the commands executed. Sound quality was actually terrible  
>> because of
>> poor Vista performance in the VM.
>>
>> But UAC seems to stop it. At the suggestion of Dave Maynor I tried  
>> to create
>> a new user account. The usual UAC window popped up and no voice  
>> commands
>> seemed to work.
>>
>> I suspect anything that avoids the "final" (greyed out background)  
>> UAC
>> dialogs will work, but looks like UAC stops it. At least in my  
>> quick test...
>>
>> -rich
>>
>>
>> On Jan 30, 2007, at 2:27 PM, George Ou wrote:
>>
>>
>> Voice command is autoloaded if you calibrate the system and enable  
>> Voice
>> commands. You can actually activate voice command mode by saying a  
>> certain
>> phrase. If this exploit works, you could say that phrase first and  
>> then
>> start your commands. Then you'd say "start", "cmd", "enter", then  
>> bark out
>> the commands you want. This assumes it works and that no one near  
>> the PC
>> gets suspicious :).
>>
>>
>> George
>>
>>   _____
>>
>> From: dailydave-bounces at lists.immunitysec.com
>> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave  
>> Aitel
>> Sent: Tuesday, January 30, 2007 12:48 PM
>> To: dailydave at lists.immunitysec.com
>> Subject: Re: [Dailydave] Vista speach recognition
>>
>>
>> That's a great idea! If the Microsoft people have thought of it,  
>> no doubt
>> they ignore any sound coming out of the speakers, so you'll have  
>> to rely on
>> an echo effect. Essentially you can always win if your model of  
>> the acoustic
>> properties of the room is better than Vistas. :> Many speech  
>> recognition
>> systems I've seen require the user to press a button first, of  
>> course. :> I
>> haven't tested Vista's. I have, however, gotten CANVAS working on  
>> Vista. (
>> http://www.immunityinc.com/images/CANVAS_on_Vista.png). So far I  
>> recommend
>> it over Windows XP SP2 because I think they removed that broken  
>> limitation
>> from the TCP stack where you could only make 5 connections at once.
>>
>> Also, here is an article about Evgeny! ok. Not entirely about  
>> Evgeny. Mostly
>> about people buying bugs. For someone who's wife is a lawyer in  
>> this field,
>> there's a lot of "apparently legal" talk in it. It's just plain  
>> legal!
>> Everybody deal.
>> http://www.nytimes.com/2007/01/30/technology/30bugs.html?pagewanted=1
>> <http://www.nytimes.com/2007/01/30/technology/30bugs.html? 
>> pagewanted=1&_r=1>
>> &_r=1
>>
>> -dave
>>
>>
>> On 1/30/07, Sebastian Krahmer <krahmer at suse.de   
>> <mailto:krahmer at suse.de> >
>> wrote:
>>
>>
>> Hi,
>>
>> I am in no way an Win expert but recently I read that
>> vista will support commands as they are spoken by the user.
>> What about websites where the browser is playing wav or similar
>> audio files upon visiting? what if they contain spoken
>> commands? An exploit audio file which speaks something like
>> 'open shell' would be cool, eh?
>>
>> Sebastian
>>
>>
>> --
>> ~
>> ~ perl self.pl
>> ~ $_='print"\$_=\47$_\47;eval"';eval
>> ~ krahmer at suse.de - SuSE Security Team
>> ~
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>
>>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>
>
>
>
> ______________________________________________________________________ 
> ______________
> Want to start your own business?
> Learn how on Yahoo! Small Business.
> http://smallbusiness.yahoo.com/r-index
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFwLK4qj0FAQQ3KOARAh4gAJ9ecbJYATUBnRK+wV9sq05DPIS2MgCeP8IJ
i1bv479R521tDS4Mz02K0AI=
=/eif
-----END PGP SIGNATURE-----

More information about the Dailydave mailing list