Windows 11 Recall Feature is a Privacy Nightmare; Major Security Flaw Surfaces

Microsoft announced theRecall AI featureon Windows 11 with much fanfare at the Surface event recently. It’s the headline AI feature coming toWindows 11 version 24H2, and launching exclusively on Copilot+ PCs, powered bySnapdragon X seriesprocessors. Microsoft says Recall processing is done locally on the device using the dedicated NPU. And the Recall vector database is encrypted using BitLocker.

However, Kevin Beaumont, a security researcher, points out that the Recall feature is a security “disaster”. He says that the local Recall database can be easily hacked by malicious actors. The vector index is actually a SQLite database, saved inside the “AppData” folder. The researcher further demonstrates that the Recall database can be viewed in plain text as well.Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.HT detectivepic.twitter.com/Njv2C9myxQ— Kevin Beaumont (@GossiTheDog)May 30, 2024

Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.HT detectivepic.twitter.com/Njv2C9myxQ— Kevin Beaumont (@GossiTheDog)May 30, 2024

Not only that, Beaumont mentions in hisblogthat the database can also be accessed by another user on the same PC which is a major concern. He further states that BitLocker encryption only helps in case someone steals your laptop and tries to access the Recall database.

However, after you are logged into your PC, all files and programs are decrypted. If you run a malicious program by mistake, it can access your Recall database and send all your sensitive data to a cloud checkpoint within seconds.

In most attacks, sensitive browser data including passwords, session tokens, and cookies are stolen by a type of malware called Info stealers. This kind of attack is increasingly rising as we have seen popular YouTube accounts getting hijacked by hackers.

To tackle this widespread problem, Google is working to bringDBSC (Device Bound Session Credentials)to Chrome, which will bind the session token with your device using TPM. So when companies are looking to close loopholes, Microsoft’s implementation of Recall raises several questions. With Recall, Microsoft is effectively opening a new attack vector for cybercriminals.Will release TotalRecall in a few days. Loads to play with and to work on.Thank you@GossiTheDogfor the inspiration!#WindowsRecall#CyberSecurity#Microsoft#TotalRecallpic.twitter.com/vm3qxienV1— Alex (@xaitax)June 2, 2024

Will release TotalRecall in a few days. Loads to play with and to work on.Thank you@GossiTheDogfor the inspiration!#WindowsRecall#CyberSecurity#Microsoft#TotalRecallpic.twitter.com/vm3qxienV1— Alex (@xaitax)June 2, 2024

Beaumont says that he has already developed an automated exfiltration tool where you can upload the Recall database to find all the activity data. However, he is not releasing the tool and “deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something.”

Apart from that, keep in mind that Recall is not an optional feature, but it’s turned on by default. During the onboarding setup, you can’t disable it. You only have the option to enable a checkbox that will open Settings later on to adjust Recall preferences.

Zac Bowdensaysthat Microsoft is actively discussing adding an option to disable Recall during the onboarding of new users. However, we have not heard anything from Microsoft so far. Today, at Computex 2024, Satya Nadella said the company is excited to bring Recall toCopilot+ PCs. It’s clear that Microsoft is not willing to disband the Recall feature.

What is your opinion on the Recall AI feature? Let us know in the comments below.

Arjun Sha

Passionate about Windows, ChromeOS, Android, security and privacy issues. Have a penchant to solve everyday computing problems.

Add new comment

Name

Email ID

Δ

01

02

03

04