Recall: Potential security nightmare

In May 2024, Microsoft introduced a new feature for Windows 11 called Recall. This feature allows users to "remember" everything they've done on their computer over the past few months. 

By typing general queries like "photo of the red car someone sent me" or "which Korean restaurant was recommended" into the search bar, users receive results that include links to applications, websites, or documents, along with thumbnail images of their computer screen at the moment they viewed the subject of the query.

How Recall works

To enable this advanced search, Recall takes screenshots of the entire screen every few seconds and saves them in a folder on the computer. These images are then analyzed by AI in the background, extracting information and storing it in a database, which is used for intelligent searches by the AI assistant.

Security concerns

Although all processing is performed locally on the user's computer, Recall has raised significant security concerns. The initial implementation was barely encrypted and was accessible to any user of the computer.

Under pressure from the cybersecurity community, Microsoft announced improvements to Recall before its public release, now delayed to late autumn 2024. However, even with promised enhancements, the feature remains controversial.

The risks of Recall

One of the primary risks of Recall is the aggregation of all sensitive data—medical diagnoses, password-protected conversations, bank statements, and private photos—in one place on the computer.

If an unauthorized person gains access or the machine is infected with malware, all this critical information can be stolen by copying a single folder. While stealing screenshots is more challenging due to their volume, the text-based information can be exfiltrated in seconds.

If an attacker manages to extract the database along with the screenshots, they can reconstruct almost second by second everything the user has done on their computer over the past few months. Recall can save up to 3 months of history if the allocated space (default is 10% of the storage, up to 150 GB) is not filled sooner.

The initial version of Recall stored screenshots and the database in an unencrypted format. Cybersecurity experts demonstrated how to bypass OS restrictions and access Recall's databases and screenshots. To address this, Microsoft promises to encrypt the databases and decrypt them "on the fly." However, the effectiveness of this implementation remains unverified, and decryption on the local computer may be straightforward.

Microsoft notes that passwords, financial data, and other sensitive information displayed on the screen will be saved in Recall's database. If Recall is not paused, only private windows in browsers like MS Edge, Chrome, Opera, or Firefox and DRM-protected data are excluded. Recovery codes, disappearing messages, or deleted emails will remain in the database, visible to anyone with access to the unlocked computer.

Managing Recall risks

Users who frequently store sensitive information, are legally required to protect work data, share their computer, suffer from aggressive monitoring, or find AI search unhelpful should disable Recall entirely. To do this, open Settings, navigate to Privacy & Security -> Recall & Snapshots, disable Save Snapshots, and click Delete All to remove previously saved snapshots.

For users who don't want to disable Recall, it's crucial to configure it properly. Exclude applications and websites where sensitive information is viewed, such as banking sites, government services, insurance and medical organizations, password managers, work-related apps, and cryptocurrency-related sites.

Ensure comprehensive cybersecurity protection is installed, as specialized malware could steal months of activity history. Consider:

  • Enabling BitLocker full-disk encryption.
  • Protecting accounts with strong passwords and biometric access.
  • Setting up and using screen lock when away from the computer.
  • Creating separate accounts or using guest accounts for other users.

Additional considerations

Recall's comprehensive data collection can significantly impact personal privacy. For individuals in challenging situations, such as dealing with overbearing managers or overly curious household members, the detailed activity logs provided by Recall can be particularly concerning. They might be used to track work efficiency, personal communications, and even personal movements over time, leading to potential misuse of sensitive information.

The very features that make Recall useful also make it a potential goldmine for cybercriminals. If cyber attackers gain access to Recall's data, they can gather extensive information about a user's activities, preferences, and sensitive data. This could lead to targeted phishing attacks, identity theft, and other forms of cybercrime. Moreover, the ability to reconstruct a user's activity timeline could be exploited for blackmail or surveillance purposes.

Initially, Microsoft intended for Recall to be enabled by default. However, public pressure led to a change, and now users must opt in during Windows setup. This opt-in approach gives users control over whether they want to use Recall, but those receiving pre-configured systems, such as from workplaces, should check and manage Recall's settings themselves.

Currently, Microsoft states that Recall will be available only on Copilot+ computers equipped with a special NPU AI chip and Windows 11. However, experts have successfully run Recall on other computers, particularly those with ARM processors, and even on x86 architecture machines and Azure virtual machines. 

This indicates that Recall doesn't require unique hardware, suggesting it may soon be offered to all sufficiently powerful Windows computers. Given Microsoft's tendency to automatically activate new features, users might find Recall enabled without explicit consent.

Recall is not available on Windows 10 or earlier versions. On Windows 11, users can check for Recall by typing "Recall" in the Start menu search bar. If the application appears in the search results, it indicates that Recall is installed and requires configuration or disabling.

Final thoughts

While Microsoft's Recall promises to enhance user experience by providing a comprehensive search and recall capability, it also poses significant privacy and security risks. 

Users must remain vigilant, properly configure the feature, and implement strong cybersecurity practices to mitigate potential threats. Balancing the convenience of Recall with the need to protect sensitive information will be crucial as this feature rolls out more broadly.