
'TotalRecall Reloaded' Tool Finds a Side Entrance To Windows 11 Recall Database (arstechnica.com) 29

An anonymous reader quotes a report from Ars Technica: Two years ago, Microsoft launched its first wave of "Copilot+" Windows PCs with a handful of exclusive features that could take advantage of the neural processing unit (NPU) hardware being built into newer laptop processors. These NPUs could enable AI and machine learning features that could run locally rather than in someone's cloud, theoretically enhancing security and privacy. One of the first Copilot+ features was Recall, a feature that promised to track all your PC usage via screenshot to help you remember your past activity. But as originally implemented, Recall was neither private nor secure; the feature stored its screenshots plus a giant database of all user activity in totally unencrypted files on the user's disk, making it trivial for anyone with remote or local access to grab days, weeks, or even months of sensitive data, depending on the age of the user's Recall database.

After journalists and security researchers discovered and detailed these flaws, Microsoft delayed the Recall rollout by almost a year and substantially overhauled its security. All locally stored data would now be encrypted and viewable only with Windows Hello authentication; the feature now did a better job detecting and excluding sensitive information, including financial information, from its database; and Recall would be turned off by default, rather than enabled on every PC that supported it. The reconstituted Recall was a big improvement, but having a feature that records the vast majority of your PC usage is still a security and privacy risk. Security researcher Alexander Hagenah was the author of the original "TotalRecall" tool that made it trivially simple to grab the Recall information on any Windows PC, and an updated "TotalRecall Reloaded" version exposes what Hagenah believes are additional vulnerabilities.

The problem, as detailed by Hagenah on the TotalRecall GitHub page, isn't with the security around the Recall database, which he calls "rock solid." The problem is that, once the user has authenticated, the system passes Recall data to another system process called AIXHost.exe, and that process doesn't benefit from the same security protections as the rest of Recall. "The vault is solid," Hagenah writes. "The delivery truck is not." The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR'd text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session.

"The VBS enclave won't decrypt anything without Windows Hello," Hagenah writes. "The tool doesn't bypass that. It makes the user do it, silently rides along when the user does it, or waits for the user to do it." A handful of tasks, including grabbing the most recent Recall screenshot, capturing select metadata about the Recall database, and deleting the user's entire Recall database, can be done with no Windows Hello authentication. Once authenticated, Hagenah says the TotalRecall Reloaded tool can access both new information recorded to the Recall database as well as data Recall has previously recorded.
"We appreciate Alexander Hagenah for identifying and responsibly reporting this issue. After careful investigation, we determined that the access patterns demonstrated are consistent with intended protections and existing controls, and do not represent a bypass of a security boundary or unauthorized access to data," a Microsoft spokesperson told Ars. "The authorization period has a timeout and anti-hammering protection that limit the impact of malicious queries."
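A defender-side triage sketch for the behaviour described in the report, added here as an example and not taken from Ars Technica, Hagenah's tool, or Microsoft: it flags module loads, remote threads, and write-capable handle opens that target AIXHost.exe. It assumes Sysmon-style events (IDs 7, 8 and 10) already exported as dictionaries; the sample events, the paths in them, and the "signer starts with Microsoft" rule are constructed assumptions.

```python
import ntpath

TARGET = "aixhost.exe"  # process named in the report; matched by file name only
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020

def is_target(path):
    return ntpath.basename(path or "").lower() == TARGET

def microsoft_signed(ev):
    # Assumption: a valid signature whose signer starts with "Microsoft" is expected.
    return (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))

def triage(ev):
    """Return a reason string if the event deserves review, else None."""
    eid = ev["EventID"]
    if eid == 7 and is_target(ev.get("Image")) and not microsoft_signed(ev):
        return "non-Microsoft module loaded: " + ev["ImageLoaded"]
    if eid == 8 and is_target(ev.get("TargetImage")):
        return "remote thread created by " + ev["SourceImage"]
    if eid == 10 and is_target(ev.get("TargetImage")):
        mask = int(ev["GrantedAccess"], 16)
        if mask & (PROCESS_CREATE_THREAD | PROCESS_VM_WRITE):
            return "write/thread handle opened by " + ev["SourceImage"]
    return None

def scan(events):
    """Return (index, reason) for every event that triage() flags."""
    return [(i, r) for i, ev in enumerate(events) if (r := triage(ev))]

# Constructed sample events; every path below is a placeholder, not a real location.
AIX = r"C:\placeholder\AIXHost.exe"
TOOL = r"C:\Users\example\Downloads\sample_tool.exe"
SAMPLE = [
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\placeholder\system.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\Users\example\sample_payload.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 8, "SourceImage": TOOL, "TargetImage": AIX},
    {"EventID": 10, "SourceImage": TOOL, "TargetImage": AIX, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": TOOL, "TargetImage": AIX, "GrantedAccess": "0x1fffff"},
    {"EventID": 7, "Image": r"C:\placeholder\notepad.exe",
     "ImageLoaded": r"C:\Users\example\sample_payload.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE):
        print(index, reason)
```

The read-only handle open (`0x1410`) and the unsigned load into a different process are deliberately left unflagged, which keeps the rule scoped to the one process the report names.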

  • by Vomitgod ( 6659552 ) on Thursday April 16, 2026 @07:22PM (#66097788)

    I've left Windows - and not looking back.....
    shit like this....

    and Bluehammer - that I don't think is getting talked about much.

    https://www.youtube.com/watch?... [youtube.com]

    • by raslin ( 110940 )

      Same, but it's interesting their response was it's only a little broken. It will time out and you cannot grab a lot of data at a time.

  • by oldgraybeard ( 2939809 ) on Thursday April 16, 2026 @07:38PM (#66097810)
    Recall is there to vacuum up all the sensitive data "on" the computer and make it available to Microsoft and their partners for their use.
    TBH, I don't see how the Federal Government can use a Microsoft product and meet their government required security rules. CJIS for example and the handling of CHRI (Federal Criminal Records History Information) scanning and recording every background check that was opened and sending/saving/transmitting the info (somewhere Microsoft wants it?) seems like a huge no-no. Is Recall On/Off and it is managed by who?
    • Recall is there to vacuum up all the sensitive data "on" the computer and make it available to Microsoft and their partners for their use.

      I liken it to telemetry that can apply to all software / activities on a system - even third-party software - w/o having to embed telemetry in any software. Simply screenshot things every few seconds and scan the images with OCR and/or "AI". Truly a horrible situation for the end-users.

    • TBH, I don't see how the Federal Government can use a Microsoft product and meet their government required security rules.

      Because Microsoft is essentially a branch of the US Government now. It's safest to assume that any data which spends any time unencrypted on either their cloud or "your" computer running Windows is also being perused by Microsoft and therefore the feds.

      • Because Microsoft is essentially a branch of the US Government now.

        Term you're looking for is a "front". A front for the US government.

  • Why? (Score:5, Insightful)

    by PPH ( 736903 ) on Thursday April 16, 2026 @08:44PM (#66097884)

    Recall, a feature that promised to track all your PC usage via screenshot to help you remember your past activity.

    Who asked for this?

    • by Anonymous Coward

      HR dept

    • Recall, a feature that promised to track all your PC usage via screenshot to help you remember your past activity.

      Who asked for this?

      The people at Microsoft who wanted more universal telemetry and activity data, even for non-Microsoft software?

    • Who asked for this?

      ICE, the FBI, the NSA, and every totalitarian regime anywhere.

    • Re:Why? (Score:5, Funny)

      by Hentes ( 2461350 ) on Friday April 17, 2026 @07:29AM (#66098308)

      You could look it up if you had recall!

    • Plenty of people want a feature like this. You've never thought "I wish I could remember that X article I read near the beginning of the year"? Technically that article may be in my browser history, but good luck trying to find it through tens of thousands of entries with very poor search. There's been plenty of times I've argued something on social media but didn't back up my claims because I don't bother to keep references to all the papers I read. If that was happening automatically in the background

  • Well. (Score:4, Funny)

    by zurkeyon ( 1546501 ) on Thursday April 16, 2026 @09:17PM (#66097896)
    0.0 people saw that coming ;-D
  • by PubJeezy ( 10299395 ) on Thursday April 16, 2026 @10:12PM (#66097932)
    Microsoft has managed to extend your cyber-attack surface into the 4th dimension. Cybersecurity threats are an inside job. Windows is malware and Microsoft is a threat to national security.
  • Because there is no Microsoft there ... yet.

    • by sconeu ( 64226 )

      Don't you watch For All Mankind? Everyone there uses a Zune instead of iThings.

      • Yeah, that alternate reality must suck hard. They probably got Windows 11 20 years earlier than we did. Yikes!

    • Two Microsoft Outlooks open and not working - coming to a red planet soon.

    • The humans that went furthest from Earth so far had to call IT support about an Outlook issue. Pretty sure when humans get to Mars, we'll take the plague with us, like the conquerors did on the American continents.
      • by gtall ( 79522 )

        Radiation will kill any people on their way to Mars. If they meet a solar flare on the way, their end will be quicker.

  • by nightflameauto ( 6607976 ) on Friday April 17, 2026 @09:03AM (#66098408)

    "Yo, man, I found this vulnerability. Recall may be locked down, but the delivery mechanism for the user is essentially broadcasting everything they look at to anybody that might be interested."

    Microsoft response: "Yup. It's working exactly as intended. We see zero problems with this behavior."

    Could we, maybe, get some regulatory scrutiny on shit like this? Too much of the world still runs on Windows for it to just be a "*shrug* oh well" situation. And too many HR departments are going to demand this shitty feature be on at all times so they have the option of snooping everybody's workday to just shrug it off. Even if it's an opt-in feature, corporations salivate at the idea of an always available trace like this to ignore it. If it's going to exist it needs to be secure.

    Or we can just wait for the inevitable, "Oh shit, financial records for $large_corporation_too_big_to_fail were leaked through Recall" story that will ultimately end in some massive government handout to keep the doors open.

    • They do have a point. You're recording your recall data under your account. A malicious application running under your account can access that data. Which is pretty much how Windows security has always worked - it applies to the user not the application. Anything running under your account can access anything belonging to you.

      Other systems such as Android have a different model, where things belong to the app, and an app can't look at other apps' stuff except in highly restricted circumstances. But that's n

      • The issue with app ownership of data is that's impractical. Most people can't even be bothered to learn about file permissions [github.blog], let alone actually set them. Google tries but, some would argue intentionally, fails to provide any mechanism to whitelist apps accessing each other's data transparently.

        I.e., there's no OS settings menu option to allow App A to read data from App B, and even if there was, most people wouldn't use it unless prompted to in a social engineering attack. As a result, Google would gate
  • Even when I use Windows, I try to be careful not to let it see any data.
  • ...is exactly what is needed.
