It is one of the flagship features promised for the AI computers that Microsoft announced in late May: the Copilot+ computers.
Called Recall, it "remembers" what the user has seen and done on the computer (documents, images, videos and websites), in the form of a timeline of thumbnails and screenshots, to make that content easier to find.
At its presentation, Microsoft explained: “Copilot+ computers will organize information according to the experiences and associations specific to each of us, like a photographic memory. Recall reminds you of items you’ve forgotten” and uses a “semantic index” specific to each user. The functionality may be paused, configured, or disabled for specific applications or sites.
Potentially attractive on paper, Recall looks much less so today, in its current form, according to initial investigations.
Researcher Kevin Beaumont looked into it, noting that the functionality relies on screenshots in which nothing is hidden, not even passwords entered in perfectly readable form.
The screenshots themselves are not encrypted beyond full disk encryption (FDE), which protects data only until the computer boots and is unlocked. In other words, if a malicious actor can physically gain access and log into the computer, they can access the Recall screenshots. At that point, it would also be possible for a user on the computer in question to gain access to another user’s Recall data, or at least to the associated database.
This is because the screenshots are processed by optical character recognition (OCR), and the extracted text is stored in a SQLite database.
Another researcher has since developed a Python script to retrieve the data associated with the Recall function. It is available on GitHub.
One of the main concerns is that, in its current form, Recall could be a great opportunity for information stealers, the password-stealing malware that has been wreaking havoc for many months.
Mandiant recently indicated that in approximately 40% of the cyberattacks its teams worked on in 2023 and for which the initial access vector was identified, legitimate credentials had been compromised, specifically by information stealers.
But that’s not all. As the Recall function is currently implemented, data integrity does not appear to be guaranteed either: the content of the SQLite database can be changed, as can the screenshots. That is enough to expose users to the risk of being trapped by fabricated false evidence of activity. A godsend for blackmailers.