Hagenah says an attacker could obtain a huge amount of information about their target, including insight into their emails, personal conversations and any sensitive information captured by Recall.
Hagenah’s work builds on the findings of cybersecurity researcher Kevin Beaumont, who did just that details on how much information Recall captures and how easily it can be extracted. Beaumont also says it has created a website where you can upload the Recall database and search it instantly. He says he hasn’t made the site live yet to give Microsoft time to potentially change the system. “InfoStealer Trojans that automatically steal usernames and passwords have been a serious problem for over a decade – now they can simply be easily modified to support Recall,” writes Beaumont.
The criticism comes as hacks into Microsoft systems have led to various US government data breaches; Nadella said there should be security Microsoft’s “top priority.”” As of press time, Microsoft had not responded to WIRED’s request for comment on the Recall security feature.
Let’s recall the privacy pages say that you can disable saving screenshots (effectively disabling the Recall feature), temporarily suspend the system, filter which apps take screenshots, and delete what has been collected at any time. Recall works on the laptop itself, storing captured data on the device and not sending this information to Microsoft servers. Hagenah says this claim appears to be true and there is no indication that data was sent to Microsoft.
Microsoft is at least aware of some of the possible privacy and security issues with Recall: its help pages state that the system does not moderate the content contained in the images it saves. This means, as Microsoft says in the guide, that it will not “hide information such as passwords or financial account numbers.” Security researchers have already done this extract passwords from Recall.
The main Recall database is stored in the laptop’s system directory, and while access to it requires administrator privileges, privilege escalation attacks have been around for years, theoretically allowing an attacker to gain initial remote access to the device.
Hagenah says employers with a “bring your own device” policy run the risk of someone leaving with huge amounts of company data stored on their laptops. This poses a particular risk if they are dissatisfied or leave on indigent terms, he says. The UK data protection regulator, the Information Commissioner’s Office, Microsoft asked to provide more details about Recall and its privacy.
Although Recall remains a “preview” feature and according to Microsoft small print, may change before launch, Beaumont writes in its research that the company “should recall Recall and rework it to be the feature it deserves and delivered at a later date.” He adds: “They must also review the internal decision-making process that led to this situation, because things like this should not be happening.”
