'Disaster': Ex-Microsoft security expert torches Windows' new 'Recall' feature

Microsoft's new Copilot+ AI-powered computer history saving feature, Recall, was already being likened to one of the many fictional dystopian tech products found in episodes of Black Mirror on the very day it was announced last month.

Now that Recall is in the hands of cybersecurity experts, the reaction to the new Microsoft feature is somehow even worse than what critics imagined. 

"Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code," wrote cybersecurity expert Kevin Beaumont, who formerly worked at Microsoft as a Senior Threat Intelligence Analyst, in a new hands-on review of Recall, in which he declares the product a "disaster."

Microsoft's Recall is apparently riddled with security flaws that make a user's entire computer history, including passwords and other sensitive information, openly available to bad actors. 

What is Microsoft's Copilot+ Recall"

For those unaware, Microsoft recently unveiled Recall, a new AI feature built into its Windows operating system. Recall essentially takes constant screenshots in the background while a user goes about their daily computer usage. Microsoft's Copilot+ AI then scans each of these screenshots in order to make a searchable database of every action performed on their computer. 

Recall is kind of like a web browser's web history on steroids as users would not only be able to search for a website they previously visited, but they could also search for a very specific thing that they read or saw on that web page. And, of course, those capabilities are expanded beyond a user's browser history and contain every action they've performed on their computer.

After the announcement, cybersecurity experts immediately shared their issues with the feature, especially after Microsoft confirmed two concerning aspects of Recall: that Recall is on by default, and that passwords and other sensitive information aren't exempt from Recall's history database.

Based on the information that was out there, the UK's Information Commissioner's Office (ICO) even announced an investigation into Recall's security issues too.

Microsoft Recall gets torched

Beaumont shared numerous issues with Recall from a cybersecurity perspective after getting hands on with the feature and how it worked.

His findings very much back up critics' concerns, and flesh out his overall description of Recall as a "disaster."

Recall saves nearly everything

Beaumont found that Recall indeed saves a history of almost everything a user has ever seen on their computer. There are some exceptions Beaumont found such as Microsoft Edge's history when in private mode isn't saved by Recall. However, Google Chrome history when in private mode is saved. Every action, even something as small as minimizing a window, is included in Recall. Full text passwords, financial details, and other sensitive data are also saved.

Recall also saves deleted data. According to Beaumont, Recall will save emails and messages from apps like WhatsApp and keep them, even if the emails and messages are deleted. Furthermore, auto-deleting content like Signal messages are also scraped and saved in Recall's history database.

As Beaumont points out, Recall organizes everything in its database by Application. It's a hacker's dream as they can just steal all your sensitive data in one central location and also know exactly what sensitive information is connected to which apps.

Microsoft is wrong about Recall's security

In using Recall, Beaumont found that Microsoft has been spreading inaccurate information about Recall's security.

For one, Microsoft has been claiming that Recall's history is encrypted. This means that if a thief were to run off with a user's physical computer, they wouldn't be able to steal the data saved by Recall. However, that's only true if the thief couldn't access the computer at all.

As Beaumont explains, once a user logs into their computer, the encrypted data becomes decrypted so that they can access it. All a hacker needs to do is gain remote access to a user's device, via a trojan horse virus for example, and then they would have access to the computer's Recall history.

"In fact, you don’t even need to be an admin to read the database," Beaumont explained.