http://news.bbc.co.uk/1/hi/technology/6320865.stm
"Microsoft has admitted that speech recognition features in Vista could be hijacked so that a PC tells itself to delete files or folders."
http://blogs.zdnet.com/Ou/?p=418 |
I didn't use Vista, but I doubt that the OS is permanently in listening mode. It would need too much processing power and it would be pointless if you're not using it. So I suppose you must do something (open an app, click a button) to activate it. |
> I didn't use Vista, but I doubt that the OS is > permanently in listening mode.
I didn't reproduce this of course, but ZDNet's George Ou writes: <<I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.>> |
My old mobile also have this function. Say a name to make a call. Also IBM have a software to input chinese by voice. And need training process. So another people can not use my computer to input chinese. Also If I sick or tired, or childs so noisy. The computer can not understand me. Voice recognition is a good thing. Maybe vista become bright enough for without training. If Vista clever enough, it also will know the voice from owner or from the web page. Maybe it is a easy bug that everyone can make. |
"delete see slash windows slash system sixty four slash run dee el el dot sys" Yes, I can see the clear potential in this exploit. So basically, every single voice recognition software that somebody might use and has programmed for system maintenance tasks is vulnerable, but its Vistas's fault for providing it out of the box for users. Shame, I was always under the impression Blogoscoped wasn't on the same Anti-MS train like Slashdot etc. (and no, I am not a Windows user). |
What is it when, you talk to your self and then answer, oh right its, crazy. |
Yes, of course ... *I* could create a sound file that would "exploit" any Voice Recognition software to do anything that doesn't require admin approval ... on *MY* computer. Because I spent (too much) time training my computer to actually recognize my voice fairly well.
YOU, however, could not.
And voice recognition is hardly a feature you'll find enabled on many people's computers ... it's still too slow and inaccurate ... plus,
The coup de grace, however, is that anyone who uses speech recognition, couldn't possibly be using speakers that play sounds from web pages out loud enough to affect the speaker, or it would be completely useless ... they'd be taking dictation from looser on myspace ... |
This vulnerability was assigned as so-called BID22359 at Symantec's widely known vulnerability database: http://www.securityfocus.com/bid/22359
Microsoft's response and its advice are located at http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx in turn.
|
Jaykul, I agree a couple of parameters need to be met. However, consider this; currently, I have my speakers on, and the microphone is next to the speaker. This is no fictional setup, it just happens that I use the mic for skype and I put it on the table when I don't use it, and I listed to iTunes music some hours ago but I'm not anymore, but the speakers are still on.
Furthermore, I suppose whatever sound file the cracker came up with is *prepared* to be clear-sounding pronounciation using simple commands (e.g. it's not like you're typing a free-style Word letter; it may be enough to execute commands).
Still, I agree it's not the most likely hack to happen. And as soon as a website starts to speak to me I hit Alt+F4... :) |