Last week, Microsoft made a U-turn on some troubling aspects of Recall.
Last week, Microsoft made a U-turn on some troubling aspects of Recall. However, cybersecurity specialists suggest that the release of this AI-powered feature has exposed a lack of emphasis on security and could hint at larger underlying issues for the tech giant.
Microsoft introduced CoPilot+ PCs for Windows on May 20, spotlighting AI functionalities like Recall. This tool uses a natural language model to capture snapshots of the user’s work every five seconds. While the primary purpose of this feature is to help users locate previously viewed content, security concerns for enterprises and individual consumers were quickly flagged by the cybersecurity community.
In response to the backlash from security researchers and users, Microsoft took steps to address some of these concerns in an update to Recall last week. The company has now disabled the feature by default and restricted access to Recall snapshots to authenticated users only.
Microsoft has indicated that these updates will be in place before Recall previews are made available to customers starting June 18.
“Even before making Recall accessible to customers, we have received a clear message that we need to make it more user-friendly for individuals to opt in to use Recall on their Copilot+ PC while enhancing privacy and security measures,” stated Pavan Davuluri, corporate vice president of Windows+ Devices, in the update.
Prior to the update, one of the major concerns within the industry was Recall being enabled by default. With various services and accounts, enterprises often overlook opting out of default-enabled features. Another significant risk is the vulnerability of Recall-stored data to typical infostealer malware. Cybersecurity experts are apprehensive that Microsoft has inadvertently created a susceptible target for cyber attackers by housing a plethora of relevant, sensitive data in one location.
TechTarget Editorial reached out to Microsoft for comments but did not receive a response at the time of press.
UPDATE: Microsoft recently released another update on Thursday, announcing a delay in the preview release date. The preview will now be accessible through the Windows Insider Program (WIP) before being made available for Copilot+ PCs. Microsoft refers to WIP as comprising “Windows biggest fans.” While a specific date wasn’t provided, Microsoft stated that the preview would be open to WIP members in the upcoming weeks.
“We are tweaking the release strategy for Recall to leverage the expertise of the Windows Insider community in ensuring that the experience meets our high standards for quality and security,” mentioned Davuluri in the update.
Persisting concerns
Despite the recent Recall updates addressing encryption and opt-out issues, the cybersecurity community still perceives more risks than benefits with this new feature. Researchers and analysts have pointed out the tool’s risky keylogging and web tracking capabilities, with some even likening it to spyware. Additionally, cybersecurity experts see limited scenarios where Recall could be genuinely useful, especially for the average enterprise user.
Gabe Knuth, a senior analyst at TechTarget’s Enterprise Strategy Group, observed that Microsoft, akin to other vendors, is striving to introduce features that boost the widespread adoption of AI for PCs. While this was the intention with Recall, he highlighted that Microsoft acted prematurely without careful evaluation.
Knuth emphasized that many analysts criticized Recall as somewhat of “official spyware” due to its ability to take screenshots every few seconds and save detailed analyses of these screenshots. He added that the recent updates fail to address other concerns that enterprises may encounter. The adoption of Recall by end users could lead to the recordation of data that IT departments have been trying to centralize for years, he noted.
The issues do not solely rest with Microsoft, according to Knuth, who believes market demand will unveil the potential drawbacks for users.
“Despite Microsoft’s claims about data being kept local and secure, the default activation of Recall and the exposure of all that data to potential compromise was unacceptable,” Knuth remarked. “This [update] announcement mitigates these aspects. At the onset, Microsoft should have implemented a basic level of protection around Recall. This blunder contrasts with what has so far been a promising start in Microsoft’s AI era.”
Knuth also highlighted the timing of Recall’s release. On May 3, Microsoft’s CEO Satya Nadella penned a blog post following an investigation by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) into Microsoft’s security deficiencies.
Highlighting the CSRB report, Nadella emphasized Microsoft’s commitment to “prioritizing security above all else.”
“When faced with a choice between security and other priorities, the answer is evident: Prioritize security,” Nadella stressed.
Shortly after the publication of the blog post, at the RSA Conference 2024, Microsoft unveiled the expansion of its Secure Future Initiative, initially introduced in November. The company vowed to tackle issues related to software development and vulnerability mitigation. Nonetheless, experts believed that the flawed Recall launch highlighted the ongoing work yet to be done.
Jeff Pollard, vice president and principal analyst at Forrester Research, concurred that while Microsoft’s Recall updates align better with its security and privacy objectives, they remain inadequate. Pollard expressed to TechTarget Editorial that no professional feels comfortable with the notion of an inbuilt keylogging, screenshotting, and web tracking tool in an operating system, even with additional encryption and default deactivation by Microsoft.
“I personally do not know anyone who actively uses it, other than for security research. This feature is puzzling to me as well. I can’t envision a scenario where PC users, be it novices or power users, find the functionality provided by Recall desirable,” Pollard mentioned. “Those less tech-savvy may find it confusing or suspect a security breach, while more advanced users might find it lacking crucial features that would render it valuable.”
Though Recall may not serve much utility for enterprise users, cybersecurity experts concur that it could prove advantageous to malicious entities. Jeremy Nichols, director of the Global Threat Intelligence Center at NTT Security Holdings, informed TechTarget Editorial that Recall could become a focal point for cybercriminals due to its potential to capture screenshots of sensitive activities like banking transactions, healthcare systems, and private messages, posing significant risks.
“This makes high-ranking executives, government personnel, and high-profile targets susceptible to cyber threats, as their activities could be snooped on by attackers leveraging Recall capabilities.”
officials, providers handling customer information, and activists/reporters are considered prime targets,” according to Nichols.
Reviewing Recall versus infostealers
Experts in the field of security, interviewed by TechTarget Editorial, outlined various scenarios where Recall could be exploited for malicious intent, with the most basic threat being the exposure of passwords.
Brian Reed, a cybersecurity advocate at Proofpoint, expressed disappointment, like other cybersecurity professionals, in Microsoft’s lack of consideration for security regarding Recall. The updates provided did not alleviate his concerns. One major worry he has is the potential for misuse and unintended outcomes of a tool that indiscriminately collects data. In the initial announcement, Microsoft cautioned that Recall does not filter content and will not obscure details such as passwords or financial account numbers.
“In essence, it functions as an information thief masked as a productivity enhancement,” Reed stated. “The mere fact that Microsoft believed Recall was an appealing feature epitomizes their disregard for safeguarding personal privacy and their glaring insensitivity towards fortifying their platform ecosystem.”
I’m torn between whether Microsoft’s promotion of Recall is genuinely malicious, shockingly negligent, or a blend of both. Brian ReedCybersecurity advocate, Proofpoint
Reed conversed with a researcher from Proofpoint who discussed how easily Recall facilitates attackers to leverage techniques that blend in with legitimate activity. Ransomware groups and state-sponsored agents increasingly employ commercial tools during attacks to avoid detection. Reed emphasized how straightforward it would be for an attacker to access Recall, view the screenshots, and obtain information about the individual’s professional and personal life. The risk escalates if that person uses a password manager and Recall captures screenshots while passwords are being entered.
“I’m torn between whether Microsoft’s promotion of Recall is genuinely malicious, shockingly negligent, or a blend of both,” Reed remarked.
Another possible risk he foresees involves upcoming updates to Windows 11. For instance, despite Microsoft’s assertion that the data is stored solely locally, subsequent iterations could upload screenshots to Azure for training large language models. Reed added that Microsoft could easily reactivate Recall by default in future operating system updates.
He emphasized that deactivating Recall by default does not eliminate the significant potential for misuse of Recall screenshots.
“The reality remains that it required immense pressure from the entire security sector for the Microsoft productivity unit to acknowledge this as a potentially significant security [and] privacy threat and to ‘do the right thing,'” Reed remarked. “Microsoft’s response to the Recall criticism reveals more about their perception of such a feature being in the users’ best interest.”
Dan Schiappa, the chief product and services officer at Arctic Wolf and a former Microsoft employee, mentioned the absence of security professionals within the organization. Speaking to TechTarget Editorial, he remarked that while Microsoft has made progress in enhancing security, Recall represents a significant oversight that many individuals at the company failed to fully think through.
“They lack security experts. They have personnel employed at the organization, some undertaking security tasks for a brief period, before moving to another role within the firm,” Schiappa explained.
Although he welcomed Microsoft’s decision to disable Recall by default and commended the additional encryption protections, Schiappa’s concerns persist, as the feature remains a ready-made target containing sensitive data.
Schiappa expressed hopes that Microsoft has dedicated substantial resources to safeguarding Recall’s security configurations. Conversely, he acknowledged the adaptability and persistence of well-funded adversaries, noting that over time, there is nothing they cannot accomplish.
“I see it as one of the most severe intrusions into privacy in the annals of computer science,” Schiappa critiqued Recall, “so it is truly astonishing that Microsoft did not thoroughly think this through.”
This article was updated on 6/14/2024.
Arielle Waldman works as a news correspondent for TechTarget Editorial, specializing in enterprise security.
Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.
