
TotalRecall: Tool Extracts Data Stored By Windows Recall


TotalRecall, a new tool developed by cybersecurity researcher Alex Hagenah, has shed light on the potential vulnerabilities inherent in Microsoft’s Recall feature. Scheduled for release on Copilot+ PCs, Recall is an AI tool that captures screenshots from user devices every five seconds, storing the data in a local database. While Microsoft has assured users that the data will remain on their devices, concerns have been raised about the security and privacy implications of this feature.

Hagenah’s TotalRecall tool, named after the sci-fi film “Total Recall,” highlights the issues with the local database used by Recall. According to Hagenah, the data stored in the database is unencrypted and in plain text format, making it susceptible to unauthorized access. He has likened Recall to spyware, dubbing it “Trojan 2.0.” By developing TotalRecall, Hagenah aims to draw attention to the potential risks associated with Microsoft’s implementation of the AI tool.

TotalRecall has the capability to extract and display all the information stored in the Recall database, including screenshots, text data, and other sensitive information. This raises concerns about the possibility of abuse by criminal hackers or domestic abusers who could gain physical access to a user’s device. The cybersecurity community has also compared Recall to spyware or stalkerware, citing its invasive data collection practices.

Recall captures screenshots of everything displayed on a user’s desktop, including messages from encrypted apps like Signal and WhatsApp, websites visited, and all text shown on the PC. TotalRecall can retrieve the Recall database, analyze its data, and generate summaries of the captured information, with features for date range filtering and term searches.

With the planned launch of Recall on June 18, Hagenah hopes that Microsoft will address the security issues highlighted by the TotalRecall tool. Cybersecurity researcher Kevin Beaumont has also created a website for searching Recall databases, although its release has been delayed to allow Microsoft time to make necessary changes.

Microsoft’s privacy documentation for Recall acknowledges the concern over sensitive data being captured, including passwords and financial details. While users have the option to disable screenshot saving, pause Recall, filter out applications, and delete data, the company admits that it does not moderate the captured content. This lack of oversight raises additional privacy and security risks for users.

The implications of Recall extend beyond individual users, as employees operating under “bring your own device” policies could inadvertently expose company data through the tool. The UK’s data protection regulator has requested more information from Microsoft regarding Recall and its potential privacy implications, reflecting the growing concerns over data security.

In light of recent cyberattacks affecting government data, Microsoft CEO Satya Nadella has emphasized the need to prioritize security. However, the issues surrounding Recall demonstrate that security concerns were overlooked during its implementation, underscoring the need for closer scrutiny of Microsoft’s data collection practices. As the launch date approaches, stakeholders are calling on Microsoft to address these vulnerabilities and ensure that user privacy and security are adequately protected.
