Last month, Microsoft unveiled its latest AI-powered feature, Recall, integrated into its Windows as part of the Copilot+ suite.
Recall, aimed at enhancing user productivity, was immediately compared to fictional dystopian tech products seen in “Black Mirror.”
This comparison turned out to be alarmingly accurate, as cybersecurity experts have now revealed that Recall is filled with security vulnerabilities, making it a potential nightmare for users’ privacy and data security.
What is Microsoft’s Copilot+ Recall?
Recall is an AI feature that takes continuous screenshots of a user’s activity on their Windows PC, creating a searchable database of everything the user has done on their computer.
This includes browsing history, application usage, and even specific content viewed on web pages. It’s like a browser’s history feature but on a much more invasive scale, capturing every action performed on the device.
Ex-Microsoft Security Expert‘s Claims
Kevin Beaumont, a former Senior Threat Intelligence Analyst at Microsoft, conducted a hands-on review of Recall, uncovering numerous critical security flaws. His findings confirm the worst fears of critics, branding Recall as a “disaster.”
Recall captures almost everything a user does on their computer. This includes full-text passwords, financial details, and other sensitive data.
Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.
Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.
HT detective pic.twitter.com/Njv2C9myxQ
— Kevin Beaumont (@GossiTheDog) May 30, 2024
It does not captures private sessions in Microsoft Edge but interestingly private browsing sessions in Google Chrome are being recorded by this feature.
Recall saves emails and messages from apps like WhatsApp, even after they are deleted. It also captures auto-deleting content from apps like Signal, retaining them in its database.
Data in Recall is organized by application, making it easy for hackers to locate and exploit sensitive information.
Misleading Security Claims from Microsoft
Beaumont discovered that Microsoft’s claims about Recall’s security are misleading.
While Microsoft states that Recall’s data is encrypted, this encryption is only effective as long as the user is not logged into their computer.
Once logged in, the data is decrypted, making it accessible to anyone with remote access to the device.
Beaumont highlighted that an attacker doesn’t even need administrative privileges to read the database, further exacerbating the security risks.
Besides, cybersecurity experts voiced concerns from the moment Recall was announced.
The most troubling aspects were confirmed by Microsoft: Recall is enabled by default, and it does not exclude sensitive information such as passwords from being recorded.
The UK’s Information Commissioner’s Office (ICO) swiftly announced an investigation into Recall’s security implications, reflecting the serious nature of the concerns raised.
As investigations continue, it remains to be seen how Microsoft will address these critical issues to protect its users from potential data breaches and privacy violations.