Malware can steal data collected by the Windows Recall tool

Experts warn that malware could steal the data captured by the Windows Recall tool

Pierluigi Paganini
June 05, 2024

Researchers in cybersecurity have shown how malicious software could potentially seize information collected by the new Windows Recall utility.

The Recall component of Microsoft Copilot+ is an artificial intelligence-powered utility designed to aid users in searching for past activities on their personal computer. The data compiled by the utility is stored and processed locally. Upon its introduction, it sparked concerns about security and privacy among cybersecurity professionals due to its scanning and saving of periodic screenshots of the computer screen, potentially exposing sensitive data such as passwords or financial information.

Microsoft sought to downplay the risk for users, stating that an attacker would need physical access to the device in order to obtain data collected by the Recall utility.

Nevertheless, several researchers have demonstrated that malicious code can steal the information collected by the Recall feature.

Renowned cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall by using malware.

“When one is logged into a personal computer and executes software, things are decoded for them. Encryption at rest is only effective if someone physically steals your laptop — which is not a typical tactic used by criminal hackers,” reads a post published by Beaumont. “For instance, InfoStealer Trojans, designed to automatically seize usernames and passwords, have been a significant issue for well over a decade — now they can be effortlessly adjusted to support Recall.”

Microsoft stated that the information captured by the tool is strongly encrypted and cannot be accessed by anyone else; Beaumont argued that this claim is false and shared a video of two Microsoft engineers accessing the folder containing the images.

Cybersecurity researcher Alex Hagenah has released a proof-of-concept tool, named TotalRecall, that automatically extracts and displays the snapshots Recall has taken on a laptop and stored in its database.

“The database is not encrypted. It’s all plain text,” Hagenah said, as quoted by Wired.

“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC,” Hagenah elaborated. “Here’s where you can locate them:

C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}

The images are all stored in the following subfolder:

.\ImageStore”
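An exposure check a defender can run as the logged-in user to see whether the Recall store described above is readable in plain text by ordinary user-level code. This is an added example, not code from the article, from Microsoft, or from Hagenah's TotalRecall tool; it assumes $env:LOCALAPPDATA maps to C:\Users\$USER\AppData\Local, that the database files use a .db extension (the article does not name them), and it uses the NTFS EFS attribute plus the standard SQLite header as its two indicators of at-rest encryption.

```powershell
# Added example: audit the local Recall store for at-rest protection.
# Assumes the folder layout quoted in the article; *.db is an assumption.

$recallRoot = Join-Path $env:LOCALAPPDATA 'CoreAIPlatform.00\UKP'

if (-not (Test-Path $recallRoot)) {
    Write-Output "No Recall store found under $recallRoot (Recall not enabled on this account)."
    return
}

# An unencrypted SQLite database starts with this 16-byte magic header.
# A database wrapped by an encryption extension would not expose it.
$sqliteMagic = [System.Text.Encoding]::ASCII.GetBytes("SQLite format 3`0")

function Test-PlainSqlite {
    param([string]$Path)
    $bytes = [byte[]]::new($sqliteMagic.Length)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $read = $fs.Read($bytes, 0, $bytes.Length) } finally { $fs.Dispose() }
    if ($read -lt $sqliteMagic.Length) { return $false }
    for ($i = 0; $i -lt $sqliteMagic.Length; $i++) {
        if ($bytes[$i] -ne $sqliteMagic[$i]) { return $false }
    }
    return $true
}

$efsFlag = [System.IO.FileAttributes]::Encrypted

foreach ($guidDir in Get-ChildItem -Path $recallRoot -Directory) {
    Write-Output "Recall store: $($guidDir.FullName)"

    # Every database file under the {GUID} folder: is it EFS-encrypted, and
    # does it carry the plaintext SQLite header (i.e. readable as-is)?
    foreach ($db in Get-ChildItem -Path $guidDir.FullName -Filter '*.db' -File -Recurse) {
        $efs   = $db.Attributes.HasFlag($efsFlag)
        $plain = Test-PlainSqlite -Path $db.FullName
        Write-Output ("  {0}: EFS-encrypted={1}, plaintext SQLite header={2}" -f $db.Name, $efs, $plain)
    }

    # Screenshot folder: count files and how many of them are EFS-protected.
    $imageStore = Join-Path $guidDir.FullName 'ImageStore'
    if (Test-Path $imageStore) {
        $images    = @(Get-ChildItem -Path $imageStore -File)
        $efsImages = @($images | Where-Object { $_.Attributes.HasFlag($efsFlag) }).Count
        Write-Output ("  ImageStore: {0} screenshot files, {1} EFS-encrypted" -f $images.Count, $efsImages)
    }
}
```

Any database reported with a plaintext SQLite header and no EFS flag, or any screenshot count with zero EFS-protected files, confirms that every process running as that user can read the Recall data without any additional privilege.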

IT researcher Marc-André Moreau explained that information-stealing malware can easily grab passwords that were briefly visible in Remote Desktop Manager, because Recall captures them and writes them to a local SQLite database.

While Recall remains a “preview” feature that, according to Microsoft’s disclaimers, could change before its official launch, Beaumont argues in his analysis that the company “should halt Recall and redesign it to ensure it becomes the feature it should be, to be unveiled at a later date,” Wired reports.
