Microsoft’s recall feature is more hackable than you thought

Microsoft CEO Satya Nadella praised the company’s new recall feature, which stores the history of your computer’s desktop and makes it available for artificial intelligence to analyze, as a “photographic memory” of your computer. Meanwhile, within the cybersecurity community, the idea of ​​a tool that silently takes a screenshot of your desktop every five seconds has been hailed as a hacker’s dream come true and the worst product idea in recent memory.

Now, security researchers have pointed out that even the only remaining security safeguard meant to protect this feature from exploitation could be trivially defeated.

Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malware to gain a foothold on a targeted device with the feature enabled, they can quickly access the entire user history stored by the function. The only obstacle to this high-resolution view of a victim’s entire life in front of a keyboard appears to be that accessing Recall data requires administrator privileges on the user’s device. This means that malware without top-level privilege will trigger a permission pop-up, allowing users to deny access, and this malware will also likely be blocked by default from accessing data on most corporate devices.

Then James Forshaw, a researcher on Google’s Project Zero vulnerability research team, posted on Wednesday Update to a blog post Pointing out that he found ways to access the recall data without Administrator privileges – essentially stripping away even the last fig leaf of protection. “No admin required ;-)” the post ended.

“Damn” Forsho Added on Mastodon. “I really thought the security of the summon database would be at least secure.”

Forshaw’s blog post described two different methods for bypassing administrator privilege requirements, both of which exploit ways to circumvent a core security function in Windows known as access control lists that specify which items on the computer require privileges to read and modify. One Forshaw method exploits an exception to these control menus, temporarily impersonating a program on Windows machines called AIXHost.exe that can access even restricted databases. There’s another, simpler way: Forshaw points out that because the recall data stored on the device is considered the property of the user, a hacker with the same privileges as the user could simply rewrite the access control lists on the target device to give themselves access to the full database. .

This second, simpler bypass technique is “pretty amazing, frankly,” says Alex Hagina, a cybersecurity strategist and ethical hacker. Hagenah recently built a proof-of-concept hacking tool called TotalRecall designed to show that someone who gained access to a victim’s device using Recall could instantly pull all user history recorded by the feature. However, Hagina’s tool still requires hackers to find another way to gain administrator privileges through a so-called “privilege escalation” technique before its tool can work.

With Forshow’s technology, “You don’t need any privilege escalation, no pop-ups, nothing,” Hagina says. “It would make sense to implement this in the tool for a bad guy.”