Microsoft’s CEO, Satya Nadella, recently introduced the Recall feature, touting it as a “photographic memory” for your PC. The feature, which stores the history of your computer desktop and makes it available to AI for analysis, has raised significant cybersecurity concerns.
While Nadella praised the innovation, the cybersecurity community has labelled it as a potential nightmare, describing it as a hacker’s dream come true. Recent discoveries by security researchers have revealed that the feature is even more vulnerable than initially thought.
The Recall Feature: An Overview
The Recall feature, announced last month, aims to take screenshots of a user’s desktop every five seconds, storing this data for AI analysis. This function is intended to enhance productivity by providing a detailed history of the user’s activities.
Cybersecurity experts, however, are concerned about the idea of constantly taking and storing desktop images because they believe it poses a serious security risk.
Initial Security Concerns
From the outset, cybersecurity professionals highlighted the dangers posed by the recall feature. They noted that if a hacker could install malicious software on a machine with Recall enabled, they could gain access to the user’s entire desktop history. The only safeguard appeared to be the requirement for administrator privileges to access Recall’s data.
This requirement was intended to block unauthorized access on most corporate machines and trigger a permission pop-up that users could deny.
New Vulnerabilities Discovered
On Wednesday, James Forshaw, a researcher with Google’s Project Zero vulnerability research team, published findings that effectively dismantled this last line of defence.
Forshaw demonstrated that accessing Recall data without administrator privileges is possible, making the feature significantly more vulnerable.
Forshaw’s Techniques
Forshaw detailed two methods to bypass the administrator privilege requirement:
1. Impersonation Exploit
This method involves exploiting an exception to Windows’ access control lists by impersonating a program called AIXHost.exe, which has the ability to access restricted databases.
2. Access Control Rewrite
Forshaw pointed out that because Recall data is considered to belong to the user, a hacker with the same user privileges could simply rewrite the access control lists on the target machine to grant themselves access to the full database.
Implications of the Findings
The second method, in particular, is concerning due to its simplicity. Alex Hagenah, a cybersecurity strategist and ethical hacker, described this bypass technique as “mindblowing.”
Hagenah had developed a proof-of-concept tool called TotalRecall, which demonstrated how an attacker could siphon off all the user’s history recorded by Recall.
Initially, his tool required a privilege escalation technique to work, but Forshaw’s discovery removed this necessity, making the exploitation process even more straightforward.
Broader Security Concerns
The ability to access Recall data without administrator privileges exacerbates fears that the feature was released without adequate cybersecurity review.
Dave Aitel, founder of the cybersecurity firm Immunity and a former NSA hacker, criticized the feature, stating, “It makes your security very fragile, in the sense that anyone who penetrates your computer for even a second can get your whole history.”
Jake Williams, VP of R&D at Hunter Strategy and another former NSA hacker, echoed these concerns, labelling Recall as a “security dumpster fire.” Williams expressed scepticism that Microsoft’s security teams thoroughly vetted the feature, given its significant vulnerabilities.
Microsoft’s Response and Future Outlook
Currently, Recall is being tested in preview versions ahead of its official launch later this month. Microsoft plans to integrate Recall into compatible Copilot+ PCs with the feature enabled by default. Despite the severe security issues highlighted by researchers, Microsoft has yet to respond to inquiries about Forshaw’s findings.
The revelation that hackers can exploit Microsoft’s Recall feature without needing advanced privilege escalation techniques underscores a critical oversight in its development.
As Microsoft prepares to roll out this feature, the company faces mounting pressure to address these security flaws. The cybersecurity community remains deeply concerned about the implications of Recall, and the need for robust safeguards is more urgent than ever.
The information is taken from Wired and Yahoo News
