Microsoft Recall: a game changer with high risks
In June, Microsoft delayed the introduction of its controversial Recall feature after a series of serious security issues. The AI-powered tool, designed to record all user activity over the past six months, was positioned as a solution that allows users to track their activities and efficiently find previously visited websites, documents and applications. Microsoft developed Recall to allow users to ‘track their steps’ by taking screen recordings every five seconds. The tool stores these images, catalogs the viewed content using AI, and then serves them back to the user through a search functionality.
For cyber investigators, Recall could be a transformative force in gathering and analyzing evidence, improving both the investigative process and its outcomes. However, there is a lot of noise surrounding cybersecurity issues – and for good reason. The tool’s ability to capture and duplicate data means that sensitive information can be exposed and misused by threat actors.
Global Head of Cyber Security Services, S-RM.
Forensics is being transformed, although gaps remain
Security concerns aside, Recall has the potential to revolutionize forensics in the event of cyber incidents. First, the searchable format can dramatically speed up investigations by eliminating the arduous and time-consuming task of processing large amounts of evidence.
When digital evidence is lost – be it through clearing browser history or deleting files – Recall’s screen capture capability would step in to ensure it remains accessible. Equipped with Recall, investigators would also be able to visually verify their results, creating greater confidence in the veracity of forensic findings.
Despite its advantages, Recall has critical blind spots. Most importantly, the lack of an audit log makes access to Recall data by threat actors and users untraceable. Threat actors can also evade detection by using applications such as Edge’s InPrivate mode, which Recall cannot track, and by performing activities hidden from the screen or user settings. Looking at Recall as a whole, the benefits speak for themselves, but there is no suggestion that it is the complete solution for researchers looking to stop threat actors.
Unintentionally giving threat actors the upper hand
Remember, there are inherent risks in exposing sensitive information that threat actors could exploit, which was ultimately the driving force behind Microsoft’s decision to delay its rollout.
Following the news of the release of Microsoft Recall, security researchers developed and released a tool called TotalRecall, which can locate, duplicate and translate the data collected by the Recall feature into a plain text database, which is instantly searchable. Since attackers routinely abuse existing tools and systems to achieve their objectives, it is likely that they would add TotalRecall to their arsenal and leverage its insights wherever possible.
Finally, Recall would likely increase the risk of extortion. With access to snapshots of user activity and computer usage data, attackers have enough sensitive data to create a powerful incentive to pay a ransom. The likelihood that this data could contain personal information that poses a threat to an employee’s personal life, and even to their safety, significantly increases the risks of exposure.
Comply with legal requirements
If Recall functions as designed, we should assume that any data the user has accessed in the past six months could potentially be exfiltrated if compromised. The wide range of data collected by the technology makes it difficult to accurately categorize sensitive or regulated information. Beyond the risk of threat actors misusing this data, Microsoft faces the difficult task of ensuring compliance with regulatory standards and preventing serious breaches.
Addressing concerns, but the door remains open
In response to concerns about TotalRecall and its duplication feature, Microsoft has announced the implementation of two new security features. First, the company implemented just-in-time encryption on the database. While this encryption could potentially prevent the exfiltration of databases containing sensitive information, cybersecurity experts have not yet confirmed its effectiveness.
Additionally, Microsoft has introduced a requirement for users to re-authenticate through Microsoft Hello before accessing the Recall feature. However, if attackers are able to bypass additional layers of security, unauthorized access remains a major problem and sensitive data can still be compromised.
Microsoft also highlighted that the Azure AI tool, which analyzes the snapshots captured by Recall, processes data locally in the device’s AppData folder, preventing sensitive information from being sent to the cloud. While this might allay the concerns of some, there is concrete evidence that AI prompts are being manipulated to circumvent security measures in other AI systems. Developers should remain vigilant about the possibility that threat actors could abuse these clues to gain unrestricted access to a device and the information contained within.
Microsoft’s acknowledgment of these concerns is promising, but additional preventive security measures are needed to protect users from attackers who are sitting on the sidelines and looking for ways to exploit new technologies for their malicious activities.
Suggestions for future use
Looking ahead, there are some preventative security measures to keep in mind for the yet-to-be-released tool for future users. Following these guidelines should increase safety assurances.
After enabling Recall, users must be meticulous when configuring the settings, and strategically decide which apps and websites are not under their purview. However, it is critical that users understand that not all applications and browsers are compatible with Recall’s privacy settings.
Users are also advised to deploy robust anti-malware tools or endpoint detection solutions that can alert you if there are any suspicious attempts to access Recall data.
While it is still unclear whether Recall offers the option to shorten the retention period of its database, implementing such an option would limit the amount of data and reduce the opportunities for attackers to exploit it.
Promising a transformative shift in digital forensics, Recall provides a powerful tool for collecting and analyzing evidence thanks to its ability to retrieve data that would otherwise be out of reach. However, before it is implemented, Microsoft must address pressing security concerns and make user safety its overarching priority. We need conclusive evidence that data exposure and the threat of extortion have been eliminated before we can have confidence in its functionality.
We list the best Active Directory documentation tool.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: