(Source – Board Stewardship)
Microsoft’s Latest AI Tool Raises Eyebrows
When Microsoft CEO Satya Nadella introduced the new Windows AI tool, known as Recall, he emphasized its groundbreaking feature: the data it collects never leaves your laptop. Designed to capture screenshots every five seconds and store them locally, Recall aims to assist users in retrieving their web activity and other laptop uses through natural language queries. However, cybersecurity experts are raising alarms about the potential security risks associated with this feature.
Security Flaws Uncovered
With Recall set to launch on new Copilot+ PCs on June 18, security researchers have already identified significant vulnerabilities in the tool’s preview versions. Alex Hagenah, a cybersecurity strategist, has demonstrated how the unencrypted storage of these screenshots makes them susceptible to exploitation. He has developed a demo tool called TotalRecall, which can extract and display all data recorded by Recall on a laptop.
Hagenah’s findings reveal that Recall’s database is stored in plain text, making it easily accessible to attackers. His demonstration aims to push Microsoft to address these security flaws before the official launch. Comparisons to spyware and concerns about potential misuse by hackers and domestic abusers underscore the urgency of these issues. TotalRecall can quickly locate and copy the Recall database, enabling attackers to gather extensive information, including messages from encrypted apps and sensitive personal data.
Implications and Responses
The implications of these security flaws are significant. Images captured by Recall can include sensitive information such as emails, personal conversations, and even passwords. Hagenah’s work builds on earlier research by cybersecurity expert Kevin Beaumont, who has shown how easy it is to extract this data. Beaumont has also created a website for searching Recall databases, though he has withheld its release to give Microsoft time to address these concerns.
Microsoft’s official stance highlights that Recall’s data remains on the local device and does not get transmitted to their servers. Users have the option to disable, pause, or filter the screenshot feature. Despite these assurances, the potential for data misuse remains a significant concern. Beaumont and other researchers argue that the current state of Recall’s security is unacceptable and call for a thorough review and rework of the feature.
As Recall approaches its official launch, Microsoft faces mounting pressure to resolve these security issues. The UK’s Information Commissioner’s Office has requested more information about Recall and its privacy implications, reflecting widespread concern. Security experts advocate for delaying Recall’s release until these vulnerabilities are adequately addressed, ensuring that the Windows AI tool can be safely integrated into users’ devices without compromising their privacy.
In conclusion, while Microsoft’s Recall Windows AI tool promises innovative functionality, its current security flaws pose substantial risks. The tech giant must prioritize resolving these issues to maintain user trust and ensure the tool’s safe deployment.
