Microsoft confronts new Windows Recall security issues

Microsoft’s launch attempt of Recall, an AI tool for Windows that screens a majority of your PC activities, was called a “cybersecurity disaster” and a “privacy nightmare.”

After public outcry and a year-long pause for redesigning and securing Recall, the product is once again encountering security and privacy issues.

Security specialist Alexander Hagenah has developed TotalRecall Reloaded, a utility that retrieves and displays information from Recall. 

This is an upgrade to the initial TotalRecall tool that exposed vulnerabilities in the original Recall version before its redesign by Microsoft.

The redesign by Microsoft aimed to establish a secure repository for Recall data, demanding Windows Hello authentication and securing the platform using a Virtualisation-based Security Enclave. 

Recall needs users to validate their identity through facial recognition or fingerprint access to unlock data and capture screenshots. 

“This minimises risks of hidden malware attempting to exploit user authentication to pilfer data,” mentioned Microsoft in a September 2024 blog release.

“Our study confirms that the vault is present, yet the security boundary ceases too soon,” says Hagenah. “TotalRecall Reloaded allows that hidden malware to hitch a ride.” 

Functioning silently in the system’s background, the TotalRecall Reloaded tool can activate the Recall timeline, inducing an authentication prompt via Windows Hello for the user. 

Following authentication, TotalRecall Reloaded can extract everything ever recorded by Windows Recall. 

“This is exactly the type of scenario Microsoft’s system architecture ought to prevent,” says Hagenah.

Recall archives more than just visual captures; it retains histories of text displayed, verbal messages, email exchanges, documents, browsing patterns, and more. 

The security adjustments Microsoft made to Recall were introduced a few months after CEO Satya Nadella advised employees, urging them to prioritise security whenever faced with conflicting priorities.

Hagenah responsibly shared his latest insights with Microsoft last month, but the company dismissed the report, citing no vulnerability. 

“We acknowledge the work of Alexander Hagenah in pointing out and responsibly disclosing these issues. After extensive examination, we concluded that the access methods shown align with the intended protection measures and existing controls, not constituting a bypass of security measures or unauthorized data access,” stated David Weston, Microsoft's corporate vice president for Security, in a note to The Verge. 

“The authorisation lifespan is finite, with anti-hammering safeguards curbing the repercussions of malicious inquiries.”

TotalRecall Reloaded can also fetch the most recent cached Windows Recall screenshot without needing Windows Hello verification, or entirely remove the capture history. 

Yet, the kind of malware Hagenah describes could operate in the backdrop of a PC to take snapshots regardless of Windows Recall.