Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says.⁩ Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

  • Ace! _SL/SEnglish
    1091·
    21 days ago

    They store it unencrypted in 2024? This should be illegal. Now every fucking Program you run can basically know everything you ever did since every shit is spyware nowadays to get that sweet data collection going

    • MrOxiMoron@lemmy.worldEnglish
      48·
      21 days ago

      Even if they encrypt it, the computer needs access to the data thus needs the decryption key. So it’s not very secure anyway.

      • 9point6@lemmy.worldEnglish
        21·
        21 days ago

        I guess the solution would involve keys on the TPM so that they shouldn’t need to be sat on attached storage or in memory. Although I’m not sure I’d trust all TPM implementations to have the performance necessary for the extra load (I believe bitlocker keys get cached in memory once you have unlocked the drive, for example)

      • Ace! _SL/SEnglish
        61·
        21 days ago

        Well yeah, but they should atleast store the key outside of userspace

    • lemmyvore@feddit.nlEnglish
      41·
      21 days ago

      Even if it were encrypted, if access to it doesn’t involve explicit confirmation and a password then it can be automated.

      And if it can be automated then malware that gets on the machine will be able to access it whether it’s encrypted or not.

      But let’s be real, the whole reason Microsoft is doing this is so they can parse your data for AI. And storing it unencrypted makes it easier for them.

      Also “the data won’t leave your machine” is a red herring. Yeah the data won’t; but the results of AI processing will. They’ll take what they need and transfer that out, and leave you holding the bag.