Expert warns Windows 11 recall is a serious security risk

Cybersecurity expert Kevin Beaumont says Windows 11’s new Recall tool is a real “security disaster.” The former Microsoft employee tried out the new feature last week and Serious breaches have been detected that could compromise the integrity of user data.

Beaumont overturned Recall’s behavior and discovered that all user activity is recorded in clear text, in a SQLite database, without any encryption. “This database file records everything you see on your computer in clear text,” he told X, his former Twitter name.

“Within a few seconds, screenshots of your screen are taken. These files are automatically analyzed by Azure AI optical character recognition (OCR), all on your computer, and saved to a SQLite database within the user’s folder,” explained Beaumont.

Microsoft told media outlets that a hacker cannot remotely spoof Copilot+ Recall activity.

Fact: How do you think hackers can infiltrate this plain-text database of everything the user has viewed on their computer? I automated it very easily.

HT detective pic.twitter.com/Njv2C9myxQ

— Kevin Beaumont (@GossiTheDog) May 30, 2024

In the post, Beaumont showed that the files were saved locally to internal storage. They are traditionally located in the AppData folder, which is accessible only by the administrator. But, The expert claims that it is not necessary to have an account with administrative privileges to access the document.

This puts the integrity of user data at risk, making it easier for attackers and malware (e.g. Trojans) to try to steal information. It is worth remembering that screenshots do not include any content moderation, so they record credentials (usernames and passwords) and sensitive data without any discretion or protection.

“The recall allows malicious actors to automate data collection on everything you saw in the last few seconds,” Beaumont said.

high risks

HE A recall is basically an extremely deep history of your computer activity. The innovation was touted as a special benefit of Copilot Plus PCs, machines that can run artificial intelligence (AI) natively.

Right now, Windows already optionally records user activity via the “Activity History” function. The function records schedules, searches and other details to optimize subsequent queries; thus speeding up duplicate searches, ongoing unfinished projects, and more.

However, Recall takes a step further in this regard: the tool takes screenshots of the screen every few seconds and uses artificial intelligence to interpret recorded content. If the user wishes, he can revisit any moment of his activity on the computer.

However, the innovation was met with criticism. A recall has no protection against sensitive data being intercepted. The risk attached to the source has even attracted the attention of data protection authorities in the UK.

Right now, Recall available to testers only. The tool continues to be developed and, following criticism, may undergo a review before final release.