“It’s an act of self harm at Microsoft in the name of AI.”
Total Recall
Microsoft recently announced a new AI-enabled Windows feature called Recall that tracks quite literally everything you do on your computer by regularly taking screenshots and scanning them for relevant information to be recovered later.
If you’re wondering how this isn’t a massive cybersecurity disaster waiting to happen, you’re right to be concerned.
As Wired reports, security researchers have already shown — two weeks ahead of the tool’s official launch — that the screenshots the feature takes are stored in an unencrypted database, a glaring oversight that could easily allow bad actors to access any information that has ever graced the screen of your Windows device.
Cybersecurity expert Alex Hagenah created an aptly named tool called TotalRecall, which can exploit this oversight by pulling all the data Recall can extract — a public demonstration to warn others of the feature’s daunting implications.
“The database is unencrypted. It’s all plain text,” he told Wired. “It’s a Trojan 2.0 really, built in,” he added, referring to commonly used spyware.
Everything History
Microsoft is hoping to turn Recall into a “magical” way of retroactively summoning any potentially lost information, from forgotten browser tabs to misplaced files, using AI chatbot-style natural language prompts.
“Search across time to find the content you need,” Microsoft promises in official documentation. “Then, re-engage with it. With Recall, you have an explorable timeline of your PC’s past.”
But as Hagenah demonstrates with his nifty tool, the screenshots created by Recall can easily be swiped from an unsuspecting machine, laying out all of your most sensitive data to hackers on a platter. Even encrypted messages sent over secure messaging platforms like Signal and WhatsApp could easily be recovered.
In short, the potential for abuse is astronomical.
“InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall,” cybersecurity researcher Kevin Beaumont noted in a blog post.
Worse yet, as Wired reports, Microsoft has essentially admitted that it won’t hide passwords or other highly sensitive information — and researchers have already found easy ways to recover this data.
For now, Recall is only available in a “preview,” and may go through changes before it’s released later this month.
To cybersec experts, however, the damage has already been done.
“It’s an act of self harm at Microsoft in the name of AI, and by proxy real customer harm,” Beaumont wrote.
“In my opinion — they should recall Recall and rework it to be the feature it deserves to be, delivered at a later date,” he added. “They also need to review the internal decision-making that led to this situation, as this kind of thing should not happen.”