When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says.⁩ Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

  • rob200@lemmy.cafe
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    6 months ago

    What exactly can recall see? Is it just what’s on screen?

    Because, if I’m like most people when I type my password, I keep my passwords hashed on the screen as I type it.

    • lurch (he/him)
      link
      fedilink
      English
      arrow-up
      9
      ·
      6 months ago

      i don’t need your password if i can read your email from the screenshot it took of it

    • CatsGoMOW@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      6 months ago

      Do you do any online banking? Do you ever log into any sort of health provider website? These are just two examples of a nearly infinite list of highly private information you would not want other people seeing.

      • formergijoe@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        6 months ago

        Has your company been involved in some legally dubious activities and you typed up an email concerned about your legally dubious activities before you realize sending an email could be creating a paper trail so you delete the email to talk to someone in person?

      • rob200@lemmy.cafe
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        6 months ago

        Good points. I can see a few workarounds for this.

        Stop using such services on a copmputer and go back to the old way of banking, going there physically.

        Most normal people won’t use Linux, where could they go? Besides Windows? Chromeos? Probally not Google may copy and paste the concept of recall there. Mac os is too expensive, and Linix is complex to install. Where do normies go?