Windows Recall - spyware? User screenshots are stored unencrypted.

Tomcat

The hacker showed how to easily extract the saved data.

Shortly before the official launch of Windows Recall on new Copilot+ PCs, security researchers demonstrated that preview versions of the tool store screenshots in an unencrypted database.

Ethical hacker Alex Hagenah has released a tool called TotalRecall, which demonstrates how easy it is to extract all the data from this database. Hagenah notes that the database stores all information in plain text. Hagenah posted the tool on GitHub to show off its capabilities and push Microsoft to make changes before launching Recall.

Recall Database

Hagenah explains that TotalRecall automatically finds the Recall database on the laptop, copies it, and parses all the data. The tool can be limited to a date range, for example a specific week or day. Extracting one day's worth of screenshots from the Recall database took Hagenah no more than 2 seconds.

Example of TotalRecall output

The stored data includes screenshots of everything displayed on the desktop, including messages in the Signal and WhatsApp messengers, which remain even when the disappearing messages feature is enabled. Screenshots are created every few seconds. The websites visited and all displayed text are also recorded.

According to Hagenah, an attacker can get a huge amount of information about their victim, including emails, private conversations, and any sensitive data captured by Recall. The Recall master database is stored in the system directory of your laptop, and it requires administrator rights to access it. However, privilege escalation attacks theoretically allow an attacker to gain remote access to the device.

Hagenah warns that under a corporate BYOD (Bring Your Own Device) policy, there is a risk that employees can walk away with huge amounts of corporate data stored on their work laptops. This is especially dangerous if employees leave the company on poor terms.

Hagenah's work builds on the research of Kevin Beaumont, who described in detail the amount of information stored by Recall and the ease of extracting it. Beaumont has also created a website where you can download the Recall database and view it instantly. However, he has not yet released the site to the public to give Microsoft time for possible system changes.

Since Recall's announcement in mid-May, researchers have repeatedly compared it to spyware that can track every activity on the device. British regulators even turned to the company's representatives for more information. Users on social networks are also discussing the risk of personal devices being confiscated at a border crossing or during an arrest, as well as the possibility of their loss or theft.

Recall remains in the "pre-release" feature stage and, according to Microsoft, may change before the official launch. Beaumont, in his research, claims that the company "should withdraw Recall and redesign it to make the feature worthy and release it later."
 