Microsoft's Copilot+ Recall: Dangerous total surveillance?

Microsoft sees it as a super service, security experts as a disaster: Microsoft's Copilot+ Recall for Windows 11 records the user's activities on the PC every 5 seconds, analyzes the images, extracts the text and writes everything into a database. In tests, experts were able to read the database completely in plain text - probably including passwords.

Microsoft CEO Satya Nadella's announcement of Microsoft's Copilot+ Recall for Windows 11 sounds cool at first: "Use Recall Search to track your steps over time to find the content you need. Then go back to it. With Recall, you have an explorable timeline of your PC's past." Technically, this means that the system records the screen every 5 seconds, evaluates it, reads the data using OCR, and writes everything into a database that should only exist on the user's PC and their account.

Copilot+ Recall records everything – including entries and passwords

Snapshots are taken every five seconds when the content on the screen is different from the previous snapshot. The data collected is then stored in the database and processed by the AI. According to Nadella, "Recall's analytics allow you to search for content, including images and text, using natural language. Trying to remember the name of the Korean restaurant your friend Alice mentioned? Just ask Recall and it will retrieve both text and visual matches for your search, automatically sorted by how well the results match your search."

Various security researchers have tested Copilot+ Recall and warn against it, as their results sound quite frightening. According to security researcher Kevin Beaumont's article on the Doublepulsar portal, Recall is the worst-case scenario in terms of security. His conclusion is: "Copilot+ Recall: With just two lines of code, it is now possible to steal everything you have ever typed or viewed on your Windows PC." In a question-and-answer dialog, he clarifies important questions about Copilot+ Recall. Here are four important statements from Kevin Beaumont, some of which, if true, are frightening:

  • "Q: The data is processed entirely locally on your laptop, right?
    A: Yes! You've made some smart decisions here. There is a whole subsystem of Azure AI code etc. that is processed at the edge.
  • Q: Cool, so hackers and malware can't access it, right?
    A: Yes, they can.
  • Q: But it is encrypted.
    A: When you are logged into a PC and running software, the data is decrypted for you. Encryption at rest only helps if someone comes to your house and physically steals your laptop - that's not what criminal hackers do.
    For example, InfoStealer Trojans, which automatically steal usernames and passwords, have been a major problem for more than a decade - now they can be easily modified to support Recall.
  • Q: But the BBC said hackers could not access the data remotely.
    A: You quoted Microsoft, but that's wrong. The data can be accessed remotely."

Totalrecall tool can read all data

A security researcher named Alexander Hagenah has now published a small tool on GitHub: Totalrecall. The tool is supposed to be able to read and even search all the data recorded by Recall. A screenshot on GitHub is supposed to prove that this is possible. Its creator, Hagenah, describes the tool as follows: "TotalRecall copies the databases and screenshots and then analyzes the database for potentially interesting artifacts. You can define dates to limit the extraction and search for strings of interest (extracted via Recall OCR). There is no rocket science behind it. It is a very simple SQLite analysis."

According to researcher Kevin Beaumont, Recall is reportedly even activated automatically on Windows Enterprise versions. If that is really the case, CISOs or other security managers will not be pleased.

Editor/sel

More about Totalrecall on GitHub.com

 
