Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Microsoft Cortana.

Microsoft Cortana is the AI-powered digital assistant that has one of its homes in Windows 10. It can do various tasks such as opening apps, doing simple math and suggesting discount coupons. But an Israel-based researcher duo, Tal Be’ery and Amichai Shulman, have discovered another thing Cortana can do: it can provide cybercriminals a way to hack a Windows 10 machine, even if it’s locked, according to Fossbytes.

The hackers can issue voice commands to Cortana and redirect the computer to non-HTTPS websites. The task is accomplished by attaching a USB network adapter to the target machine, which intercepts the traffic and redirects the computer to the attacker’s malicious site to download malware.

Compromising a computer this way is possible because Microsoft Cortana includes functionality to listen and respond to some voice commands even when the computer is locked. Also, the researchers’ attack method was successful because Cortana allows direct browsing to websites. The hackers can simply use the mouse to connect the target PC to their preferred WiFi network, Motherboard reported.

What limits the scope of the attack is the fact that physical access to the target machine is required. However, physical access is required only for the first machine, not when amplifying the attack.

According to the researchers, an infected computer can further communicate with other machines on the local network. It can infect them with the help of a technique called ARP poisoning, which tricks the machines on the local network into routing their traffic through the hacker’s network.

Microsoft was notified of the issue, and now all of Cortana’s internet requests pass through Bing. Cortana’s functionality to respond while a PC is locked remains unchanged. If you still have concerns, you can disable Cortana on the Windows 10 lock screen by visiting Settings > Microsoft Cortana. Turn off the radio button that says “Use Cortana even when my device is locked.”

But determined minds are always in search of ways to compromise modern technologies. Hacking devices with the help of voice commands isn’t a new trick.

“We still have this bad habit of introducing new interfaces into machines without fully analyzing the security implications of it,” said Tal Be’ery.

The researchers are exploring further possibilities to exploit undiscovered vulnerabilities. Beyond voice commands, loopholes are yet to be discovered in other new command interfaces, for instance those that use hand gestures.