Windows 11 Recall Feature is a Privacy Nightmare; Major Security Flaw Surfaces

A security researcher has highlighted a significant privacy issue with the Recall feature in Windows 11, revealing that malicious programs can easily access the Recall database.

Key Points

  • Recall Database Vulnerability: Security researcher Kevin Beaumont has identified that the Recall activity data is stored in a SQLite database within the AppData folder, making it vulnerable to malicious access.
  • Encryption Limitations: While the Recall database is encrypted with BitLocker, this encryption only protects data when the device is not in use. Once the user logs in, all files and programs are decrypted, leaving the data exposed to any malicious programs running on the system.

Microsoft’s Announcement and the Flaws

Microsoft recently introduced the Recall AI feature for Windows 11 at the Surface event, positioning it as a key component of the upcoming 24H2 version. Designed to run locally on Copilot+ PCs with Snapdragon X series processors, Recall was touted for its local processing and BitLocker encryption.

However, Beaumont points out that this implementation is flawed. The Recall database, being a SQLite file stored in the AppData folder, is not adequately protected. He demonstrated that this database could be accessed in plain text, exposing all recorded activity.

Broader Security Implications

The security concerns are not limited to unauthorized database access. Beaumont highlighted that even another user on the same PC could access the Recall database. The primary risk is from malicious programs that, once executed, can extract and upload sensitive data stored in the Recall database. This includes browser data like passwords, session tokens, and cookies, which infostealer malware commonly targets.
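
A defender can check the cross-user exposure described above by listing which accounts hold read access to the folder that stores the database. The PowerShell below is an added example, not code from Beaumont or Microsoft; `$Path` is a placeholder (the article gives only "the AppData folder"), and the list of expected principals is an assumption.

```powershell
# Added example: list accounts, other than the expected ones, that may read a folder.
param(
    # Placeholder: folder holding the Recall database (the article names only AppData).
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: the account running the audit is the profile owner.
    [string] $Owner = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
)

# Assumption: only these principals should be able to read a per-user data folder.
$expected = @($Owner, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# ReadData (0x1) plus GENERIC_READ and GENERIC_ALL, which appear on inherit-only ACEs.
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

# The folder itself plus everything beneath it, hidden files included.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # unreadable ACL: skip rather than abort
    foreach ($ace in $acl.Access) {
        $grantsRead = ([int]$ace.FileSystemRights -band $readMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
            $expected -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No unexpected principals have read access under $Path"
}
```

A clean result does not cover the primary risk named above: a program running in the logged-in user's own session reads the files as that user, so the ACL permits it.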

Industry Response and Comparisons

In response to such threats, companies like Google are developing technologies like Device Bound Session Credentials (DBSC) for Chrome, which tie session tokens to specific devices using TPM (Trusted Platform Module). This kind of proactive measure contrasts sharply with Microsoft’s Recall implementation, which seems to open new vulnerabilities.

Beaumont’s Findings and Microsoft’s Response

Beaumont has already created a tool for automated exfiltration of the Recall database but is withholding its release to allow Microsoft time to address these security flaws. Despite the concerns raised, Recall is not an optional feature and is enabled by default during the Windows 11 setup process. Users only have the option to adjust Recall settings later.

Tech journalist Zac Bowden has reported that Microsoft is discussing the possibility of allowing users to disable Recall during the onboarding process, but no official updates have been provided.

The Bottom Line

The introduction of the Recall feature in Windows 11, despite its intended benefits, raises significant security and privacy concerns. As Microsoft continues to promote Recall, particularly for Copilot+ PCs, it remains to be seen how the company will address the vulnerabilities identified by Beaumont and whether it will offer users more control over this feature.
