Microsoft Vista Takes Orders From Anyone Who Yells At It

from the listen-up dept

As Microsoft pushes Vista out the door, the company has a lot riding on the claim that the new operating system is significantly better than previous versions of Windows, in terms of security. While there have been some scattered reports of flaws, which is always to be expected, many feel that the company has made good progress in securing its system. One new vulnerability comes from the fact that Vista has voice recognition capabilities, and that the user can speak commands to the computer through a microphone. George Ou decided to test the question of whether a website could play an audio file containing spoken commands and commandeer the user's computer. As it turns out, if the speech is clear enough, the computer will respond to commands that come out of its own speakers. The volume didn't even need to be too high. It's still not clear how much of a threat this really is. Many people won't even have this capability activated, and if you stumble onto a website that starts barking orders to your computer, you might realize something odd is going on. But, as with many online threats, an attacker doesn't need a high rate of success for a certain approach to be worthwhile. For Microsoft, it will probably be one of several security issues it will have to deal with down the road.


Reader Comments


  • Gregg, 31 Jan 2007 @ 4:52pm

    Hopefully this will get the browsers to treat audio like pop-up ads, and request permission before playing them.

  • Greg, 31 Jan 2007 @ 4:59pm

    That is the most hilarious vulnerability I've seen in quite a while.

  • Chronno S. Trigger, 31 Jan 2007 @ 5:00pm

    Speech recognition

    If it was voice recognition this would not be a problem. You mean the speech recognition. Outside of that I have nothing relevant to add.

  • Anonymous Coward, 31 Jan 2007 @ 5:01pm

    Didn't this test require him to record his OWN voice for it to work?

    When they had someone else's voice, Vista didn't do anything.

    Also is this any better than that Dragon software?

  • Bumbling old fool, 31 Jan 2007 @ 5:01pm

    WooT

    I think I just invented the next wave of DRM installation. Have the song tell the computer to download it and install it.

    Don't like my DRM content? How about a track on a CD that just lists a whole bunch of websites?

    Nothing like a song singing about yahoo.com. How many browser windows can one song open? It can be like a contest amongst artists!

  • randum, 31 Jan 2007 @ 5:06pm

    This is the stupidest news article I have ever seen...

    • Pope Ratzo, 31 Jan 2007 @ 5:20pm

      Re:

      Can I call home and when my answering machine picks up, tell my computer to shut itself off?

      That's cool. I hope the format command is not in the list of voice-activated ones.

      "Please leave a message after the tone"

      "FDISK!!"

  • Jhecht, 31 Jan 2007 @ 5:06pm

    what in hell

    Who the hell needs voice recognition? I mean OK, maybe for people who cannot use their hands and so on I can understand, but that should come as an accessory or something from Microsoft if the user requests it to be installed. It shouldn't be automatically installed for everyone. It's just kind of a waste of time, and disk space.

    • Anonymous Coward, 1 Feb 2007 @ 3:55am

      Re: what in hell

      That is why it is not installed by default of course.

  • slimcat, 31 Jan 2007 @ 5:38pm

    Vista voice recognition?

    Dear aunt, let's set so double the killer delete select all

    At this point in Vista's ability to recognize voice commands, I don't think I'd be too worried.

  • A non-slave IT guy, 31 Jan 2007 @ 6:02pm

    @what in hell, #7

    Tell you what. You type and I'll dictate into Dragon Naturally Speaking. Let's see who gets more done.

    Speech Recognition is not just for disabled persons, dweeb.

    I agree that the feature should not be installed by default. But if it works well and I did not have to pay something over and above my Windows cost, I'll be happy.

  • Stu, 31 Jan 2007 @ 6:05pm

    My guess is that if their computer said, "Bend over and drop your pants", a large number of people would do it - and they'd remain in that position until the damn thing told them to stand up and get dressed. Then, when their significant other found them in that position, they'd blame Microsoft.

  • Cleverboy, 31 Jan 2007 @ 6:07pm

    Oh come now...

    You don't see how it works? You just send out spam that promises "amazing tips" on how to master your computer's voice recognition. You encourage the user to try each tip as they go. About 5 tips in, it's game time! "Minimize all windows! Select Desktop. Select All. Delete. Ok! Open My Computer. C. Select All. Delete. Ok! Parent Directory. C. Properties. Format Drive. Ok!" If the mark is anything like that teacher convicted for not shutting down spyware ads, then Vista users are doomed.

  • Brad, 31 Jan 2007 @ 6:11pm

    @A non-slave IT guy:

    You really think slower than you speak? You must be boring as hell to listen to. Personally, I can't imagine anyone calling themselves an "IT guy" that can't type faster than they talk. Especially since revisions and changes to text are incredibly fast and easy with a keyboard, especially once you get beyond standard text and into programming (which you MUST do, IT guy).

    Tell you what, YOU dictate into Dragon Naturally Speaking and I'll write a Rails app. We'll see who gets more done.

    And voice command isn't installed OR activated by default. So really, this security "exploit" is less of a threat than dumb users ever will be.

    You can't issue shell commands through it, you can only open and close windows, do very basic tasks. If exploited...inconvenient? Yeah. A "threat"? Hardly. It's not like someone could use it to issue, let alone CREATE malware on a remote system.

    • Anonymous Coward, 31 Jan 2007 @ 9:14pm

      Re:

      I normally speak about 3-400 words per minute, if you can type that fast you deserve a medal, but you have no place telling someone else that they aren't an "IT guy" because they can't beat the world record for typing speed.

    • Wizard Prang, 1 Feb 2007 @ 6:29am

      Settle down now...

      I can't imagine anyone calling themselves an "IT guy" that can't type faster than they talk

      Some of the best programmers I know are NOT touch-typists. Perhaps that is because they think more and type less.

      I have been using Voice Recognition on and off since OS2 Warp. The only reason that I don't use it today is that the IT support folks won't let me install it. Since I don't write large amounts of prose, it's not a big deal.

      Also programming is not a task that lends itself to VR as well as, say, creative writing.

      So you're both right. Just because VR is not suitable for your particular application does not mean that it has no use.

  • Eric B~, 31 Jan 2007 @ 6:22pm

    Voice Commands

    I had a laptop running CoPilot with a GPS antenna sitting on my passenger seat along with the radio turned on. I was standing outside the driver's side of the car stretching during a break from the road trip when the radio played some song that caused the CoPilot software to respond, "1,130 miles to Daytona".
    No one in the car but a conversation was in process!

  • give the dog a bone, 31 Jan 2007 @ 7:05pm

    "sit boo boo sit,good dog" woof!

  • Richard Bunker, 31 Jan 2007 @ 7:39pm

    the recursive clapper

    I have always wondered if a TV show with an applause soundtrack could cause "the clapper" to turn off the TV. I think this is a corollary to my earlier curiosity.

  • rahrens, 1 Feb 2007 @ 4:50am

    speech command

    Look, folks, my wife isn't much of a computer person, even if I am a geek. Her favorite saying is that once she can just speak to her computer to tell it what she wants to do, then she'll use it herself and not bug me to download her email.

    I don't think she's alone. I can think of a lot of things I'd like to be able to just speak the commands for without slowing myself down by having to type or use the mouse. Sure, at a certain level of working on the innards of a box you'll need to start typing, but 99% of a user's day could be made much more productive by good speech recognition. (Yeah the guy above is right, there is a world of diff between speech recognition and voice recognition!)

    And I think computers will someday be commanded much more by voice than keyboard. Voice is definitely a biometric, and combined with other biometrics, can be a good security system.

  • Deverill, 1 Feb 2007 @ 10:53am

    Other uses

    Something to consider is that this system understands windows commands. I saw a demo (YouTube) where a guy was doing stuff in Flash and instead of wasting screen real estate with a toolbar and having to mouse over to it again and again to change tools he was using the voice commands "pen" "select all" "convert to symbol"... AND the workspace was bigger because he didn't need the toolbar. I thought that was a good use for voice instead of just a replacement memo dictation taker.

  • Judy, 1 Feb 2007 @ 11:06am

    Commercials

    How about using the technology to make tv commercials pipe down?

  • |333173|3|_||3, 1 Feb 2007 @ 4:59pm

    downloader

    If the technology was integrated with IE well enough, then you could use it to download a file. If this was in the middle of a list of commands, which would have the effect of you trying to mute the computer, then you could get some malware without noticing.

    The speech recognition should have a feed from the sound card or if it added up the input to the sound card itself, and subtracted that from the audio-in, then they could reduce interference from music as well, which would be a good thing.

    The idea of talking into the command prompt might not be a bad one, but I would personally like you to have to start it with a parameter (typed) to allow voice recognition; the only problem would be pronouncing some of the codes. A good API would be nice, so that you can say any menu item name, and it is selected, as well as activating all the inbuilt keyboard shortcuts (so you just say "Help").

  • 1337fragger, 10 Feb 2007 @ 1:47pm

    LoL:

    "My Computer"
    "Enter"
    "AllYOURBASEAREBELONGTOUS"
    "Enter"

    LoL, it's like an IWIN button for computer hackarz.
