Microsoft’s latest innovation, Copilot Plus, boasts a groundbreaking feature – the Window’s Recall function, designed to ‘enhance productivity’ by leveraging advanced AI capabilities.

Published 6.7.2024

Redspin Blog

Author: Tara Lemieux, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor

Recall allows users to search through their PC’s history using a visual interface, making it easy to retrieve past information. While this feature promises to be a game-changer in terms of convenience and efficiency, it also raises significant concerns about privacy and security, especially for environments handling highly sensitive data – and specifically, because the Recall function utilizes screen captures to record a user’s complete history.

How Recall Works

Recall operates like a digital photographic memory, taking snapshots of whatever is displayed on your screen every few seconds and storing these images locally on your device. These snapshots are encrypted locally and can be accessed through a timeline interface, allowing users to find specific content by describing what they are looking for or navigating through the visual history.

But are they secure?

For example, imagine you are working on multiple projects simultaneously. With Recall, you can easily go back and find that crucial piece of information you saw a few days ago without having to remember the exact document or webpage it was in. This can be incredibly useful for both personal productivity and professional work – but it also introduces significant privacy and security concerns, particularly as it pertains to U.S. regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA), Electronic Communications Privacy Act (ECA) and so much more.

Privacy and Security Concerns

While the convenience of Recall is attractive, it also introduces potential risks, especially in environments that handle sensitive information such as ITAR (International Traffic in Arms Regulations), EAR (Export Administration Regulations), or Controlled Unclassified Information (CUI).

  1. Unintended Data Capture:

One of the primary concerns is that Recall could inadvertently capture sensitive information. For instance, if you are viewing confidential emails, proprietary documents, or secure applications (such as, through a secondary secure portal), these could be included in the snapshots. Even though the data is stored locally and encrypted, any breach or unauthorized access to the device could potentially expose this sensitive information.

  1. Regulatory Compliance:

Organizations dealing with ITAR/EAR or CUI must adhere to stringent data handling and storage regulations. The use of Recall must be carefully evaluated to ensure it does not violate these regulations. For example, storing snapshots of sensitive documents, even temporarily, could be a compliance risk. This is particularly critical for industries like defense, aerospace, and government contractors.

  1. Potential for Misuse:

If Recall is not properly managed, there is a risk of misuse. Employees might inadvertently or intentionally misuse the feature to access sensitive information that they should not have. This requires robust policy enforcement and monitoring to ensure that the feature is used appropriately.

Real-World Impacts

Example 1: Defense Contractor

A defense contractor working on a classified project could use a Copilot+ PC. While researching specifications, the Recall feature captures snapshots of secure documents. If the device is compromised, those snapshots could provide a detailed timeline of sensitive information, potentially leading to a national security breach.

Example 2: Corporate Environment

In a corporate environment, an employee working on merger and acquisition (M&A) details might use Recall to revisit previous discussions and documents. If these snapshots are not properly managed and the device falls into the wrong hands, it could lead to the exposure of highly sensitive corporate strategies, impacting stock prices and market competition.

If these snapshots are discovered during an audit or investigation, the organization could potentially face significant legal repercussions, including fines and sanctions for non-compliance with data retention laws. This is especially critical for industries under strict regulatory scrutiny like finance, healthcare, and defense.

Recent Exploits

In a recent revelation, cybersecurity experts have uncovered a critical vulnerability in Microsoft’s Recall snapshot feature, which allows unauthorized access to sensitive data through a tool called TotalRecall. This exploit enables attackers to bypass security measures and capture snapshots of a user’s screen, potentially exposing confidential information such as login credentials, financial details, and private communications. The ease with which TotalRecall can be deployed makes it a significant threat, as even users with very basic technical skills can execute the exploit, compromising the security of individuals and organizations alike.

TotalRecall requires local access to the machine to run, and it appears to need privileged or elevated user directory access, which can be granted through various means. For instance, a bad actor could get TotalRecall to run via a service, thereby gaining access to the snapshots. With the current controls, once this access is granted, the security of the stored data is compromised.

It is important to note that this exploit does not appear to affect any Azure cloud services and is intended to only run on specific hardware using ARM-based chips. However, this will need to be closely monitored as things are changing rapidly in the cybersecurity landscape.

Microsoft’s Response

Microsoft has acknowledged the issue and appears to be responding with updates to address the vulnerabilities. For more details, you can read their latest blog post: Update on the Recall Preview Feature for Copilot+ PCs | Windows Experience Blog. However, it remains to be seen how and when these security holes will be fixed and whether the fixes will be comprehensive enough to mitigate the risks effectively.

This exploit highlights the broader risks associated with software vulnerabilities and the importance of remaining vigilant. Likewise, it underscores the criticality of assessing potential security risks associated with tools and technology.

Microsoft has implemented several controls to mitigate these risks. Users can manage which information Recall captures, delete specific snapshots, or even disable the feature entirely if necessary. For environments with heightened security needs, IT administrators can use Microsoft InTune to centrally manage these settings, ensuring compliance with organizational policies.

That said, the responsibility also lies with organizations to conduct regular audits and provide training to ensure employees understand the implications of using Recall. Additionally, keeping the device’s security infrastructure up to date and monitoring for any unauthorized access is crucial.

Mitigation Strategies

  1. Strict Access Controls: Ensure that only authorized personnel can access the Recall function and its snapshots.
  2. Regular Audits: Conduct regular security audits to ensure compliance with data protection and retention policies.
  3. Enhanced Encryption: Use robust encryption methods to protect the snapshots stored by the Recall function.
  4. User Training: Educate employees on the risks associated with the Recall function and best practices for managing sensitive information.
  5. Monitoring and Alerts: Implement monitoring systems to detect any unauthorized access or unusual activity related to the Recall function.

As we continue to integrate advanced AI into our daily workflows, balancing convenience with security will remain a pivotal challenge. The onus is on both technology providers like Microsoft and the end-users to navigate this landscape responsibly.




Book a meeting to start your CMMC journey by filling out the form below