Microsoft Recall: A game changer with high risks


In June, Microsoft postponed the introduction of its controversial Recall feature following a series of serious security concerns. The AI-powered tool, designed to capture all user activity over the previous six months, was positioned as a solution that helps users track their activities and efficiently find previously visited websites, documents and applications. Microsoft developed Recall to allow users to 'retrace their steps' by capturing screen snapshots every five seconds. The tool saves these images, cataloguing the viewed content using AI, and then offering it back to the user through a search functionality.

For cyber investigators, Recall could be a transformative force in gathering and analyzing evidence, improving both the investigative process and its outcomes. However, noise around cybersecurity concerns is loud – and for good reason. The tool’s ability to capture and duplicate data means that sensitive information could be exposed and leveraged by threat actors.

Jamie Smith

Global Head of Cyber Security Services, S-RM.

Transforming forensics, though gaps remain

Setting security concerns aside, Recall has the potential to revolutionize forensic investigations in the event of cyber incidents. First, its searchable format can dramatically speed up investigations by removing the arduous and time-consuming task of processing large quantities of evidence.

When digital evidence is lost – be it through browser history clearing or file deletion – Recall’s screen capturing ability would step in to ensure that it remains accessible. Equipped with Recall, investigators would also be able to visually verify their results, empowering greater confidence in the veracity of forensics findings.

Despite its advantages, Recall has critical blind spots. Most significantly, the absence of an audit log renders the access of Recall data by threat actors and users untraceable. Threat actors can also evade detection by using applications like Edge’s InPrivate mode, which Recall can’t track, and by engaging in activities hidden from the screen or by user settings. Looking at Recall as a whole, the advantages speak for themselves, but there’s no suggestion that it is the complete solution for investigators aiming to stop threat actors in their tracks.

Unintentionally handing threat actors the upper hand

Recall inherently risks exposing sensitive information that threat actors could exploit, which in the end was the driving force behind Microsoft’s decision to delay its rollout.

Following news of the release of Microsoft Recall, security researchers developed and released a tool named TotalRecall, which can locate, duplicate, and translate the data gathered by the Recall feature in a plaintext database, which is instantly searchable. Since attackers routinely exploit existing tools and systems to achieve their objectives, it is likely they would add TotalRecall to their arsenal, exploiting its insights where possible.

Lastly, Recall would likely elevate the risk of extortion. With access to snapshots of user activity and computer usage data, attackers will possess enough sensitive data to create a powerful incentive to pay a ransom. The likelihood that this data could contain personal information that poses a threat to an employee’s personal life, and even their safety, significantly increases the risks of exposure.

Meeting regulatory requirements

If Recall functions as designed, we must operate under the assumption that all data accessed by the user over the past six months could potentially be exfiltrated if the device is compromised. The wide range of data collected by the technology makes it difficult to accurately categorize sensitive or regulated information. Aside from the risk of threat actors exploiting this data, Microsoft faces the difficult task of ensuring compliance with regulatory standards and preventing serious breaches.

Addressing concerns, but the door remains open

In response to concerns about TotalRecall and its duplication feature, Microsoft announced the implementation of two new security features. First, the company implemented just-in-time encryption on the database. While this encryption could potentially prevent the exfiltration of databases containing sensitive information, cybersecurity experts have not yet confirmed its effectiveness.

Additionally, Microsoft introduced a requirement for users to re-authenticate through Microsoft Hello before accessing the Recall feature. However, if attackers manage to bypass additional layers of security, unauthorized access remains a real concern, and sensitive data could still be compromised.

Microsoft has also emphasized that the Azure AI tool, which analyses the snapshots captured by Recall, processes data locally in the device’s AppData folder, ensuring sensitive information won’t be sent to the cloud. While this might allay the concerns of some, there is concrete evidence of AI prompts being manipulated to bypass security measures in other AI systems. Developers must remain vigilant about the possibility that threat actors could exploit these very prompts to gain unrestricted access to a device and the information within.

Microsoft’s acknowledgement of these concerns is promising; however, additional preventive security measures are required to safeguard users from attackers who are on the sidelines looking for ways to exploit new technologies for their malicious activities.

Suggestions for future use

Looking ahead, there are a number of preventive security measures for future users of the yet-to-be-released tool to bear in mind. Following these guidelines should increase security safeguards.

After enabling Recall, users should be meticulous in configuring its settings, strategically deciding which apps and websites shouldn’t fall under its remit. However, it is crucial for users to understand that not all applications and browsers are compatible with Recall’s privacy settings.

Users are also advised to deploy robust anti-malware tools or endpoint detection solutions that can alert them if there are suspicious attempts to access Recall data.

Finally, although it is still unclear whether Recall offers the option of shortening the retention period of its database, the implementation of such an option would limit the amount of data and reduce the potential for attackers to exploit it.

Recall promises a transformative shift in digital forensics, offering a powerful tool for evidence gathering and analysis thanks to its ability to retrieve data that would otherwise be out of reach. However, before it is implemented, Microsoft must address pressing security concerns and make user safety the overarching priority. We’ll need conclusive evidence that data exposure and the threat of extortion are eliminated before we can be confident in its functionality.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
