Hackers can take control of Cortana with voice commands, and you wouldn't hear it coming


Voice assistants are all the rage in the tech world right now: Apple has one, Google has one, Microsoft has one, Amazon has one, Samsung has one, and so on. They still aren’t all that useful at this stage and most people wouldn’t care if they vanished. According to a recently published security paper, they might even be a system vulnerability.

Using a cheap hack called the Dolphin Attack (for reasons that will quickly become apparent) and $3 of equipment, security researchers were able to take control of Google Assistant, Alexa, and Cortana, among others, and issue inaudible voice commands that were then carried out. While the concept of inaudible voice commands sounds like an oxymoron, it isn’t. Voice assistants pay attention to a wide range of frequencies, including those as low as the 20 kHz range, which humans can’t hear but machines can.

With that in mind, the hack works like this: it sends voice commands to the PC at ultrasonic frequencies, so normal humans are unable to hear the commands, while PCs and voice assistants can.
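A defender-side check for the behaviour described above, as an added example that is not from the article or the researchers' paper: it measures how much of a microphone frame's energy sits at or above 20 kHz and flags frames dominated by that band. The 48 kHz raw-PCM capture, the 0.5 threshold, and the helper names are assumptions, and the test tones are constructed.

```python
import math

SAMPLE_RATE = 48_000     # assumed raw capture rate; content up to 24 kHz survives
ULTRASONIC_HZ = 20_000   # the article's boundary for what humans can't hear
RATIO_THRESHOLD = 0.5    # constructed cut-off; tune against real captures


def goertzel_power(frame, freq_hz, sample_rate=SAMPLE_RATE):
    """Power of a single frequency bin in `frame` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq_hz / sample_rate)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def ultrasonic_ratio(frame, sample_rate=SAMPLE_RATE, step_hz=500):
    """Fraction of probed spectral power that lies at or above 20 kHz."""
    probes = range(step_hz, sample_rate // 2, step_hz)
    powers = {f: goertzel_power(frame, f, sample_rate) for f in probes}
    total = sum(powers.values())
    if total == 0:
        return 0.0  # silence: nothing to flag
    high = sum(p for f, p in powers.items() if f >= ULTRASONIC_HZ)
    return high / total


def is_suspicious(frame):
    """True when most of the frame's energy is in the inaudible band."""
    return ultrasonic_ratio(frame) >= RATIO_THRESHOLD


def tone(freq_hz, n=960, amp=1.0):
    """Constructed test input: a 20 ms sine frame at SAMPLE_RATE."""
    step = 2 * math.pi * freq_hz / SAMPLE_RATE
    return [amp * math.sin(step * i) for i in range(n)]


if __name__ == "__main__":
    audible = tone(1_000)
    inaudible = tone(21_000)
    mixed = [a + b for a, b in zip(tone(1_000), tone(21_000, amp=0.1))]
    for name, frame in [("1 kHz", audible), ("21 kHz", inaudible), ("mixed", mixed)]:
        print(name, round(ultrasonic_ratio(frame), 4), is_suspicious(frame))
```

A frame that is flagged while the user hears nothing is worth logging alongside whatever command the assistant executed next.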

The researchers listed examples of actions they were able to carry out, simply by voice commands. These include:

  1. Visiting a malicious website. The device can open a malicious website, which can launch a drive-by-download attack or exploit a device with 0-day vulnerabilities.
  2. Spying. An adversary can make the victim device initiate outgoing video/phone calls, therefore getting access to the image/sound of device surroundings.
  3. Injecting fake information. An adversary may instruct the victim device to send fake text messages and emails, to publish fake online posts, to add fake events to a calendar, etc.
  4. Denial of service. An adversary may inject commands to turn on the airplane mode, disconnecting all wireless communications.
  5. Concealing attacks. The screen display and voice feedback may expose the attacks. The adversary may decrease the odds by dimming the screen and lowering the volume.

Microsoft has expanded the power of Cortana to include system functionality like shutting down the computer, restarting or even locking it, and Cortana’s base functionality allows it to launch programs without confirmation. You can also use Cortana to call  While you probably won’t be able to do that much damage using Cortana alone on the average Windows PC, it is still a security oversight that is alarmingly easy to circumvent, especially with voice assistants in our phones, computers, and home appliances.

We’ve reached out to Microsoft for comment, and will update this article should they reply.
