(Credit: Microsoft)
UPDATE 6/13: Microsoft is delaying the Recall launch and limiting it to the Windows Insider Program for now. Windows 11 Copilot+ PCs will ship without Recall when they launch June 18.
Original Story:
Microsoft has pushed back on claims that Recall—a feature that remembers everything you do on your PC for faster system-wide searches—poses a privacy risk. But now two security researchers say Recall makes it easy for hackers to steal data from Windows 11 users.
Cybersecurity researcher Alexander Hagenah released a demo tool on Tuesday that shows how a piece of malware can easily loot saved data from a user's Recall function.
"The database is unencrypted. It's all plain text," Hagenah told Wired in underscoring how insecure Recall records information on a PC. "It's a Trojan 2.0 really, built in."
Hagenah released his tool, dubbed TotalRecall, days after another security researcher and former Microsoft employee, Kevin Beaumont, published a blog post documenting alleged flaws in the Recall feature.
Microsoft has yet to widely release Recall to consumers; it's available now in the preview release for Windows 11 version 24H2. This includes offering early access to Recall for Windows PCs running Arm processors, either physically or through a virtual machine.
After trying out the feature, Beaumont discovered that it’s easy for a hacker or malware to access files saved by Recall, despite Microsoft’s claim that it uses encryption. Beaumont found that Recall will save information in an easy-to-discover database within the user’s AppData folder. And surprisingly, the database will record the information in plaintext.
The database will also tightly compress the saved information, meaning several months' worth of recorded user history could be exfiltrated from the PC in seconds. The danger arises if a hacker tricks the user into installing malware that accesses the Recall database and secretly pilfers sensitive information like passwords and financial account numbers.
“I think [Microsoft is] probably going to set fire to the entire Copilot brand due to how poorly this has been implemented and rolled out,” Beaumont said. “It’s an act of self harm at Microsoft in the name of AI, and by proxy real customer harm.”
The findings inspired Hagenah to create TotalRecall. In his own GitHub posting, Hagenah also notes that Recall “stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.”
The findings arrive as many security and privacy experts have called out Recall as a creepy spyware threat. Microsoft didn’t immediately respond to a request for comment, but it has previously said it's still gathering user feedback on Recall to help it develop more controls for the technology and to improve its overall experience. Still, users have spotted Recall running by default for new Windows 11 Copilot+ PCs.