TotalRecall shows how easily data collected by Windows Recall can be stolen
2024-06-05 10:12

Ethical hacker Alexander Hagenah has created TotalRecall, a tool that demonstrates how malicious individuals could abuse Windows' newly announced Recall feature to steal sensitive information.

Copilot+ Recall takes snapshots of the computer's screen every few seconds, encrypts and stores the snapshots locally, uses optical character recognition to extract relevant information that users may search for later, and stores this data locally in an SQLite database, in plain text.

Security researcher Kevin Beaumont tested the feature and proved that the exfiltration of Recall databases can be automated.

"During testing this with an off the shelf infostealer, I used Microsoft Defender for Endpoint - which detected the off the shelf infostealer - but by the time the automated remediation kicked in my Recall data was already long gone."

TotalRecall finds the Recall database, copies the taken screenshots and the SQLite database to an extraction folder, parses the databases for artifacts specified by the user, and then delivers a summary that includes those artifacts.

Copilot+ Recall is scheduled to be released on June 18, 2024.


News URL

https://www.helpnetsecurity.com/2024/06/05/totalrecall-windows-recall-abuse/