According to a cybersecurity researcher, Microsoft’s brand new AI function, Recall, is completely insecure and would give hackers unprecedented access to absolutely everything you do on your PC.
Unveiled with great fanfare alongside the new generation of Copilot+ PCs, the Recall function of Windows 11 promises to be hell for user confidentiality and security. This new tool, which presents itself as a super history capable of finding any action you have performed or any content you have viewed on your computer, is reportedly not secure at all at the moment and would be an unexpected windfall for hackers. Ahead of its arrival on June 18 with the first Copilot+ PCs, the Recall function was examined by an independent cybersecurity researcher, and his initial findings are worrying to say the least.
Windows 11 Recall: a wide open door for hackers
The title of the article immediately sets the tone: “Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code – in the Copilot+ Recall disaster”. In a post on his blog DoublePulsar, Kevin Beaumont, a French cybersecurity researcher, shares his thoughts on the security implications of Windows 11’s new Recall feature, and suffice it to say they are pessimistic. The author was able to get his hands on Recall and run the program before its official release, in order to examine how it works and test its limits. His conclusion is clear: Recall is not secure and user data can be stolen.
The new star feature of Windows 11 aims to act as a super personal assistant, capable of remembering everything that is done on the computer, so that the user can easily find it again by asking questions in natural language. It can be seen as a sort of fusion between ChatGPT and a super Internet browsing history, but applied to the entire PC. To work, Recall takes screenshots of PC activity every few seconds, analyzes them using optical character recognition (OCR), then saves the information in a local database in SQLite format.
All actions carried out, from minimizing a window to installing software, and all content consulted, such as social networks, bank accounts or even a pornographic video, are therefore indexed and saved in a file in plain text. According to Microsoft’s statements, Recall would work exclusively locally, directly on the user’s device and therefore without sending any information online, and the activity history would of course be encrypted, which would guarantee the confidentiality and security of all this ultra-sensitive data. However, things are not that simple, and the protections currently in place would not prevent malicious actors from accessing the data.
First of all, the exclusively local operation of Recall does not prevent an attacker from accessing the data it produces if he has been able to obtain remote access to the device. Next, the encryption of the database generated by Recall only protects against the information being read by someone who has physically stolen the device, since the data is decrypted when the user signs in to the Windows session. Finally, the Recall database files would simply be stored in the AppData directory of Windows 11 and be very easily accessible to a user account with administrator rights, as shown by a video shared by the author in which two Microsoft engineers access the folder in question in a few seconds.
Contrary to Microsoft’s assertions, the information collected and indexed by Recall would therefore be perfectly accessible to a sufficiently qualified attacker. And to make matters worse, the nature and form of the data generated would even make it easier for malicious actors to exploit. On the one hand, Recall’s “photographic memory” does not forget anything: even if an email, a message on WhatsApp or a conversation on Teams is deleted, the corresponding information remains stored in the database. On the other hand, all actions and stored content are recorded in the form of a structured data file, which makes their analysis and exploitation very easy and quick, much more so than with scattered data collected with the help of classic malware of the infostealer or keylogger type.
Recall could therefore act as a gigantic facilitator of data theft for hackers, and open the way to computer attacks on an unprecedented scale. All the more so since this function will be activated by default on the new Copilot+ computers that are arriving on the market very soon, and you will therefore have to deactivate it manually in the Windows 11 settings if you want to protect yourself from it, something few users will probably be aware of.
Without making a value judgment on the usefulness of the Recall function, a task which will fall to each user according to their desires and needs, it is nevertheless advisable to call for caution. Whether you are resistant, indifferent or frankly enthusiastic about the new Recall function of Windows 11, it seems more reasonable to deactivate it when it is released, in order to give the various cybersecurity players time to study the program and uncover its flaws, and to give Microsoft time to consolidate the security and robustness of its tool.