Launch of Copilot+ and Introduction of Recall
On May 20, Microsoft launched its latest Windows 11 PCs under the Copilot+ line. Among its new features, the Recall tool has drawn considerable attention from security experts and privacy advocates. Recall is designed to take regular snapshots of a user’s screen and make this information searchable. However, this feature has sparked a debate over potential security and privacy issues.
How Recall Operates
Recall takes snapshots of the computer’s screen every few seconds and stores these locally. Using optical character recognition (OCR), it extracts text from these images, storing it in an SQLite database in plain text. While the feature is meant to help users retrieve information displayed on their screens, it has raised concerns about unauthorized access.
Security Concerns Highlighted
Security researcher Kevin Beaumont demonstrated how Recall’s data could be easily stolen. By using an infostealer, Beaumont showed that the data could be exfiltrated quickly, even before Microsoft Defender for Endpoint could respond. He criticized Microsoft for enabling Recall by default, putting the onus on users to disable it. Beaumont also pointed out that attackers could re-enable Recall using PowerShell without the user’s knowledge.
Marc-André Moreau, another researcher, showed that passwords collected by Recall could be accessed from the unencrypted SQLite database, adding another layer of vulnerability.
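The plain-text storage described under "How Recall Operates" and in Moreau's finding is something a defender can test for in any local data store. The following is an added example, not code from this article, from Microsoft, or from any researcher named here; the table schema, file name, sample rows and secret patterns are constructed and hypothetical, not Recall's actual layout.

```python
import os
import re
import sqlite3
import tempfile

# Every unencrypted SQLite file begins with this 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed patterns for secrets that OCR could lift off a screen.
SECRET_PATTERNS = {
    "password_field": re.compile(rb"(?i)password\s*[:=]\s*\S+"),
    "card_number": re.compile(rb"\b(?:\d{4}[ -]){3}\d{4}\b"),
}

def build_sample_store(path):
    """Create a constructed OCR-text store (hypothetical schema, not Recall's)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE ocr_text (captured_at TEXT, window_title TEXT, content TEXT)"
    )
    con.executemany("INSERT INTO ocr_text VALUES (?, ?, ?)", [
        ("2024-06-01T09:00:00", "Mail", "Lunch at noon?"),
        ("2024-06-01T09:00:05", "Browser", "Username: alice Password: hunter2-EXAMPLE"),
        ("2024-06-01T09:00:10", "Shop", "Card 4111 1111 1111 1111 exp 01/30"),
    ])
    con.commit()
    con.close()

def audit_store(path):
    """Check the raw file bytes: is it plaintext SQLite, and are secrets visible?"""
    with open(path, "rb") as fh:
        raw = fh.read()
    # A missing header does not prove strong encryption; a present one proves none.
    plaintext = raw.startswith(SQLITE_MAGIC)
    hits = {name: len(rx.findall(raw)) for name, rx in SECRET_PATTERNS.items()}
    return {"plaintext_sqlite": plaintext, "secret_hits": hits}

def demo():
    """Build the constructed store in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample_store.db")
        build_sample_store(path)
        return audit_store(path)

if __name__ == "__main__":
    print(demo())
```

The audit never opens the file through SQLite, which shows that OCR text stored this way is readable by any process that can read the file, with no knowledge of the schema.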
Development of TotalRecall
Alexander Hagenah, a cybersecurity expert, created an open-source tool named TotalRecall. This tool can extract and display data from the Recall database, underscoring the ease with which sensitive information can be accessed. Hagenah expressed disappointment in Microsoft’s security approach and urged the company to address these issues before the official release.
TotalRecall automates the process of finding and extracting data from the Recall database on a laptop. It can filter data by date, making it easy for attackers to retrieve specific information quickly. This highlights the potential risks of unauthorized access to sensitive data.
Comparisons to Spyware
Recall has been compared to spyware or stalkerware due to its ability to monitor and record everything a user does on their device. Hagenah likened it to “Trojan 2.0,” emphasizing the potential misuse by malicious actors. His development of TotalRecall was intended to showcase the risks and push Microsoft to improve the feature’s security before its full release.
Privacy and Security Implications
Recall’s implications extend beyond individual privacy concerns. The database captures screenshots of everything on the desktop, including encrypted messages from apps like Signal and WhatsApp, potentially compromising secure communications. This data, revealing websites visited, emails, personal conversations, and other sensitive information, could be exploited by hackers or abusers with physical access to the device.
Beaumont’s research further demonstrated how easily vast amounts of information could be extracted from Recall. He even built a website to upload and search Recall databases instantly, though he withheld its release to give Microsoft time to address the vulnerabilities.
Microsoft’s Response and Future Actions
Microsoft has acknowledged the potential issues, stating that users can disable, pause, filter, and delete data collected by Recall. The feature operates entirely on the device, storing data locally and not transmitting it to Microsoft’s servers. However, the unencrypted database and lack of content moderation present significant risks.
Accessing the Recall database requires administrator rights, but privilege escalation attacks could allow attackers to gain remote access. Regulatory bodies, such as the UK’s Information Commissioner’s Office, have requested more details from Microsoft about Recall’s privacy implications.
Calls for a Redesign
Security experts, including Beaumont, recommend a comprehensive review and redesign of Recall. They argue that Microsoft should rework the feature to address security flaws and ensure it meets high standards for user privacy and data protection. Beaumont suggests delaying Recall’s release to deliver a more secure version and calls for a review of the decision-making process that led to the current situation.