Microsoft’s Recall feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.

For those unaware, Recall is a feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023.

The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them, so it can answer important questions like “where did I see those expensive white sneakers?”

However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.

Many security professionals have pointed out that this kind of built-in spyware is a security risk. But Microsoft tried to reassure users, saying:

“Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.”

The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.

As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.

For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall.  All the information that Recall saves into its main database on a Windows laptop can be “recalled.“

As Hagenah points out:

“The database is unencrypted. It’s all plain text.”

TotalRecall can automatically find the Recall database on a person’s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.

Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. And reportedly, the number of devices infected with data stealing malware has seen a sevenfold increase since 2023.

Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system.

According to Beaumont:

“InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall.”

It’s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those right have been around for years, and most information stealer malware does this already.

Hagenah also warned that in cases of employers with bring your own devices (BYOD) policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops.

It is worrying that this type of tools is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to “capture” every move we make and everything we look at.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

While Microsoft's forthcoming Recall feature has already sparked security and privacy concerns, the tech giant attempted to downplay those reactions by stating that collected data would remain on the user's device. Despite this reassurance, concerns remain, as researchers - including the developer of a new tool dubbed "TotalRecall" - have observed various inherent vulnerabilities in the local database maintained by Recall, lending credibility to critics of Microsoft's implementation of the AI tool.

TotalRecall Tool Demonstrates Recall's Inherent Vulnerabilities

Recall is a new Windows AI tool planned for Copilot+ PCs that captures screenshots from user devices every five seconds, then storing the data in a local database. The tool's announcement, however, led many to fear that this process would make sensitive information on devices susceptible to unauthorized access. TotalRecall, a new tool developed by Alex Hagenah and named after the 1990 sci-fi film, highlights the potential compromise of this stored information. Hagenah states that the the local database is unencrypted and stores data in plain text format. The researcher likened Recall to spyware, calling it a "Trojan 2.0." TotalRecall was designed to extract and display all the information stored in the Recall database, pulling out screenshots, text data, and other sensitive information, highlighting the potential for abuse by criminal hackers or domestic abusers who may gain physical access to a device. Hagenah's concerns are echoed by others in the cybersecurity community, who have also compared Recall to spyware or stalkerware. Recall captures screenshots of everything displayed on a user's desktop, including messages from encrypted apps like Signal and WhatsApp, websites visited, and all text shown on the PC. TotalRecall can locate and copy the Recall database, parse its data, and generate summaries of the captured information, with features for date range filtering and term searches. Hagenah stated that by releasing the tool on GitHub, he aims to push Microsoft to fully address these security issues before Recall's launch on June 18.

Microsoft Recall Privacy and Security Concerns

Cybersecurity researcher Kevin Beaumont has also developed a website for searching Recall databases, though he has withheld its release to give Microsoft time to make changes. Microsoft's privacy documentation for Recall mentions the ability to disable screenshot saving, pause Recall on the system, filter out applications, and delete data. Nonetheless, the company acknowledges that Recall does not moderate the captured content, which could include sensitive information like passwords, financial details and more. The risks extend beyond individual users, as employees under "bring your own device" policies could leave with significant amounts of company data saved on their laptops. The UK's data protection regulator has requested more information from Microsoft regarding Recall and its privacy implications. Amid criticism over recent hacks affecting US government data, Microsoft CEO Satya Nadella has emphasized its need to prioritize security. However, the issues surrounding Recall demonstrate that security concerns were not given sufficient attention, and necessitate inspection of its data collection practices before its official release. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.