Microsoft revealed “Recall” at its special event on May 20. This Copilot+ PC-exclusive feature promises to bring “photographic memory” to your PC, allowing you to go back to any application or file you’ve been working on. To combat privacy concerns, Microsoft published a page detailing how Recall works. However, security researchers strongly disagree with the company’s claims.
Kevin Beaumont, a cybersecurity expert, published a detailed post on the Medium blog where he goes into how Recall works. The verdict is pretty harsh: stealing everything you’ve watched or typed on your computer is now very easy.
Beaumont says the idea behind Recall is an interesting feature that requires “incredibly careful communication, cybersecurity, engineering and implementation.” Unfortunately, Recall claims to have none of these.
Although data processing and encryption really only takes place on the device, all this information is not immune to hackers and malware. Encryption will protect your data if an attacker doesn’t know your username and password, but things change when hackers get their hands on your credentials using identity thieves.
Recall works by taking screenshots of everything happening on your computer every few seconds. The system OCR (Optical Character Recognizer) then OCRs this data and places it in a database in the user folder. Everything is stored in plain text and no system rights are needed to access it.
They’ve tried to do a bunch of things, but none of them really work properly in the real world because of gaps where you can drive a plane through.
Kevin Beaumont created a website that can process a Recall database and instantly search anything in it. However, he put the project on hold until Microsoft ships it or perhaps does something to improve security. Kevin says, “the wider cyber community will have so much fun with this when it’s publicly available.”
Microsoft told the media that a hacker couldn’t hijack Copilot+ Recall activity remotely.
Reality: How do you think hackers are going to exfiltrate this plain text database of everything a user has ever looked at on their computer? Very easy, I have it automated.
HT Detective pic.twitter.com/Njv2C9myxQ
— Kevin Beaumont (@GossiTheDog) May 30, 2024
Things get worse when you find out what’s stored in your Recall database:
Everything the user has ever seen, sorted by application. Any part of the text that the user has seen, with some minor exceptions (eg Microsoft Edge InPrivate mode is turned off, but Google Chrome is not).
Any user interaction, such as minimizing a window. There is an API for user activity and third-party applications can be plugged in to enrich the data and view store data. It also stores all the websites you visit, even if they are third parties.
Customers should also be aware that deleting emails, messages, photos, files or anything else on your computer will not delete them from Recall – it remains there indefinitely or until manually deleted/overwritten.
Although Microsoft Defender is quite good at detecting information thieves and malware, ready-made malware can wipe the entire database before automatic detection begins.
Beaumont argued that Microsoft “needs to recall Recall” and redesign the feature to address any privacy concerns, especially in light of Satya Nadella’s words that engineers should prioritize security above any other priority.
You can read the full story on Kevin’s Medium post. If you still want to try Recall and see how it works, check out this third-party app that makes it possible to enable the feature on existing hardware (with caveats).
It remains to be seen how Microsoft will handle these revelations. For now, Recall is technically available in the Release Preview Channel of the Windows Insider program. It is expected to arrive for the general public with the first Copilot+ computers, such as the new Surface Pro and Surface Laptop.
