Login
Malware can steal data collected by the Windows Recall tool, experts warn
Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool.
The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and privacy concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.
Microsoft attempted to downplay the risks for the users, the company pointed out that an attacker would need physical access to obtain data collected by the Recall tool.
However, multiple researchers have demonstrated that a malicious code could steal data collected by the Recall feature.
The popular cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall using a malware.
βWhen youβre logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop β that isnβt what criminal hackers do.β reads a post published by Beaumont. βFor example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade β now these can just be easily modified to support Recall.β
Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.
β Kevin Beaumont (@GossiTheDog) May 30, 2024
Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.
HT detective pic.twitter.com/Njv2C9myxQ
Re the second paragraph in this BBC News piece about Copilot+ Recall β I donβt know if itβs a BBC error or a Microsoft misstatement, but the line is not true.
β Kevin Beaumont (@GossiTheDog) May 23, 2024
If you gain remote access to a device running Recall (eg a trojan) you can access Recall.https://t.co/ebGjiVyVsI pic.twitter.com/QDMRC0xuud
Microsoft pointed out that information captured by their tool is highly encrypted and nobody can access them, but Beaumont said it is false and published a video of two Microsoft engineers accessing the folder containing the images.
Watch as Microsoft staff gain access to the Recall database files at the 24 second mark here, you'll be shocked by their elite hacking skills. pic.twitter.com/RxBQ8iTixw
β Kevin Beaumont (@GossiTheDog) May 30, 2024
The cybersecurity researcher Alex Hagenah has released a PoC tool, named TotalRecall, that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.
βThe database is unencrypted. Itβs all plain text,β Hagenah says.β©β told Wired.
βWindows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.β Hagenah explained βHereβs where you can find them:
C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}
The images are all stored in the following subfolder
.\ImageStore\
The full OCR text with the temporarily visible password is available in the %LocalAppData%CoreAIPlatform.00UKP{<UUID>}ukg.db SQLite database, nicely gift wrapped
β Marc-AndrΓ© Moreau (@awakecoding) June 3, 2024for infostealer malware to exfiltrate: pic.twitter.com/UKRjSPdUNs
While Recall remains as a βpreviewβ feature and, according to MicrosoftβsΒ small print, could change before it launches, Beaumont writes in his research that the company βshould recall Recall and rework it to be the feature it deserves to be, delivered at a later date.β concludes Wired.
Follow me on Twitter:Β @securityaffairsΒ andΒ FacebookΒ andΒ Mastodon
(SecurityAffairsΒ βΒ hacking,Β AI)
