{"id":24639,"date":"2024-06-06T04:10:25","date_gmt":"2024-06-06T12:10:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/06\/06\/news-18369\/"},"modified":"2024-06-06T04:10:25","modified_gmt":"2024-06-06T12:10:25","slug":"news-18369","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/06\/06\/news-18369\/","title":{"rendered":"Microsoft Recall snapshots can be easily grabbed with TotalRecall tool"},"content":{"rendered":"\n<p>Microsoft&#8217;s <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/05\/microsoft-ai-recall-feature-records-everything-secures-far-less\">Recall<\/a> feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.<\/p>\n<p>For those unaware, Recall is a feature within what Microsoft is calling its \u201cCopilot+ PCs,\u201d a reference to the AI assistant and companion which the company released in late 2023.<\/p>\n<p>The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user\u2019s activity and storing them, so it can answer important questions like \u201cwhere did I see those expensive white sneakers?\u201d<\/p>\n<p>However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.<\/p>\n<p>Many security professionals have <a href=\"https:\/\/x.com\/GossiTheDog\/status\/1797669243720478734\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">pointed out<\/a> that this kind of built-in spyware is a security risk. 
But Microsoft tried to reassure users, saying:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cRecall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.&#8221;<\/p>\n<\/blockquote>\n<p>The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.<\/p>\n<p>As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.<\/p>\n<p>For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall. All the information that Recall saves into its main database on a Windows laptop can be \u201crecalled.\u201d<\/p>\n<p>As Hagenah points out:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe database is unencrypted. It\u2019s all plain text.\u201d<\/p>\n<\/blockquote>\n<p>TotalRecall can automatically find the Recall database on a person&#8217;s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.<\/p>\n<p>Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. 
And <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/sevenfold-increase-data-theft-cases\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">reportedly<\/a>, the number of devices infected with data-stealing malware has seen a sevenfold increase since 2023.<\/p>\n<p>Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn\u2019t released the site yet, to allow Microsoft time to potentially change the system.<\/p>\n<p>According to Beaumont:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cInfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade\u2014now these can just be easily modified to support Recall.\u201d<\/p>\n<\/blockquote>\n<p>It\u2019s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those rights have been around for years, and most information stealer malware does this already.<\/p>\n<p>Hagenah also warned that in cases of employers with <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2017\/10\/byod-why-dont-you\">bring your own devices (BYOD)<\/a> policies, there\u2019s a risk of someone leaving with huge volumes of company data saved on their laptops.<\/p>\n<p>It is worrying that this type of tool is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to &#8220;capture&#8221; every move we make and everything we look at.<\/p>\n
<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/06\/microsoft-recall-snapshots-can-be-easily-grabbed-with-totalrecall-tool\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> A worried researcher has created a tool to demonstrate exactly how much of a security backdoor Microsoft is creating with Recall. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[31512,19076,32,5897,14241,31513],"class_list":["post-24639","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-data-stealers","tag-information-stealers","tag-news","tag-privacy","tag-recall","tag-totalrecall"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24639"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24639\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\
/categories?post=24639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}