Windows 11 Recall Feature is a Privacy Nightmare; Major Security Flaw Surfaces

In Short
  • A security researcher has pointed out that the Recall database on Windows 11 can be easily accessed by malicious programs.
  • All the Recall activity data is stored in a SQLite database inside the AppData folder.
  • BitLocker encryption doesn't help since everything is decrypted after the user logs in.

Microsoft announced the Recall AI feature on Windows 11 with much fanfare at the Surface event recently. It’s the headline AI feature coming to Windows 11 version 24H2, and launching exclusively on Copilot+ PCs, powered by Snapdragon X series processors. Microsoft says Recall processing is done locally on the device using the dedicated NPU. And the Recall vector database is encrypted using BitLocker.

However, Kevin Beaumont, a security researcher, points out that the Recall feature is a security “disaster”. He says that the local Recall database can be easily hacked by malicious actors. The vector index is actually a SQLite database, saved inside the “AppData” folder. The researcher further demonstrates that the Recall database can be viewed in plain text as well.

Not only that, Beaumont mentions in his blog that the database can also be accessed by another user on the same PC which is a major concern. He further states that BitLocker encryption only helps in case someone steals your laptop and tries to access the Recall database.

However, after you are logged into your PC, all files and programs are decrypted. If you run a malicious program by mistake, it can access your Recall database and send all your sensitive data to a cloud checkpoint within seconds.

In most attacks, sensitive browser data including passwords, session tokens, and cookies are stolen by a type of malware called Info stealers. This kind of attack is increasingly rising as we have seen popular YouTube accounts getting hijacked by hackers.

To tackle this widespread problem, Google is working to bring DBSC (Device Bound Session Credentials) to Chrome, which will bind the session token with your device using TPM. So when companies are looking to close loopholes, Microsoft’s implementation of Recall raises several questions. With Recall, Microsoft is effectively opening a new attack vector for cybercriminals.

Beaumont says that he has already developed an automated exfiltration tool where you can upload the Recall database to find all the activity data. However, he is not releasing the tool and “deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something.”

Apart from that, keep in mind that Recall is not an optional feature, but it’s turned on by default. During the onboarding setup, you can’t disable it. You only have the option to enable a checkbox that will open Settings later on to adjust Recall preferences.

Zac Bowden says that Microsoft is actively discussing adding an option to disable Recall during the onboarding of new users. However, we have not heard anything from Microsoft so far. Today, at Computex 2024, Satya Nadella said the company is excited to bring Recall to Copilot+ PCs. It’s clear that Microsoft is not willing to disband the Recall feature.

What is your opinion on the Recall AI feature? Let us know in the comments below.

VIA The Verge
comment Comments 0
Leave a Reply