The "Recall" feature has been designed and rolled out in such a shoddy matter that I don't know if you can even call this an "exploit" in the traditional sense. As designed, Recall is irresistible bait for bad actors who will inevitably craft all sorts of methods to harvest its data for the purposes of theft and blackmail.
Microsoft deserves all the opprobrium it's getting over this galactically stupid idea.
Wow, so using this tool, I can now remotely view the Recall database of any Windows PC? Without even knowing the person or touching their computer? Amazing! (Sarcasm)
- - -
A User can access their own data. That isn't an exploit.
I agree that exploit is a strong term here, but when you think about the next time someone in your life falls for a TeamViewer tech support scam, it makes a difference whether the scammers are getting ahold of the contents of their screen at the moment, or everything they’ve done since having the computer.
It seems obvious that MS should put Recall data behind more of an access control than “any process that can read files”.
Everytime I mess up a password, I click the "eye" button to reveal it if I'm alone, so it will likely go into the screenshot.
I type totp code that will be valid for 2 minutes, and they are clear.
I have emails, account numbers and emails.
I have contacts of my network, sites I visits regularly and nick names I use. Sometimes I paste sensitive content in encrypted chats, but hey, now they are in the screenshot.
Then there are nude pics of partners, intimate journaling notes, porn activity, how much I have in the bank, contracts with clients under nda, legal and illegal drugs I order, political alliances, and all the stupid stuff I may do...
Except this thing is opt-out and would put a whole lot of data on tens of millions of computers including things that were never stored by default (credit card numbers, reset codes, e2e encrypted messages etc).
That is irrelevant to the topic of its security being exploited as claimed.
- - -
Most browsers beg to store credit cards by default, e2e encrypted messages are already accessible by the user (because they are one of the "ends"), reset codes are probably in most people's download folders, in the stuff-sent-to-the-printer cache, or forgotten completely (which IMO is worse)
The fact there's now a central repo for it all.
Scraping far more than just "credit card" and "passwords/logins" (personal details ever shown on your screen? Porn? Blackmail much? and don't give me the "if you've nothing to hide" spiel) People you connect to? Hey, now we can make a social graph. Contacts is one thing, but contents of chats? Let's add on more graph data. I mean, sure FB already does that, but there's legal avenues to pursue remedies(in theory). Here? What can you do but get pwned harder.
Stop excusing MS for this poorly thought out feature. They're returning the old ways and should not be given sympathy til they prove they are committed to privacy and security (which this seems to go against after Nadella's "WE MUST MAKE SECURITY FIRST" dictate)
The central repo is called the web browser. Porn is in your web browser's history. People you connect to is in your web browser's history. Content of your chats can be accessed using the cookies in your web browser's cookiejar.
If you are security-aware enough to avoid those issues, then you aren't using a closed-source operating system in the first place.
And now your keylogger doesn't even need to clear the minimal hurdle of using the screen recording APIs to get screen data, it can simply read a folder to defeat "secure" onscreen keyboards and it'll work across the vast majority of (future) computers.
Now thousands of tech-impaired organizations have to proactively go out and find alternatives that don't alienate their users. How many of do you think will get it right as opposed to ever more inconvenient security theater to satisfy compliance checklists?
I don't think this is the case, but it sure seems like something actual scammers would come into forums to downplay. "Relax guys! There's no problem, it's tooooootally safe, trust MS! wink wink."
You are correct about the downplaying. I do not see how this adds any appreciable danger in terms of data stored, that isn't already extremely accessible in a place on the computer with the same permissions that exist for Recall.
In turn, I do not see people complaining about Firefox storing all your browsing history in plain text, your chat history in cache files, so on and so forth.
Probably because Firefox doesn't do this. Firefox's cache is very predictable, and does as it's told: most chat services do not result in information being stored in the cache, once you end the session.
This is like one or two steps away from a Mimikatz with superpowers. Add some OCR and string pattern matching to your payload and you could probably mass harvest certain interesting numbers and strings from your botnet that you previously couldn't.
Uh, Recall does the OCR for you already and you can just search the saved data for stuff like "password" or "credit card". It'd probably be easiest for an attacker to just upload the Recall database as soon as they gain access to the machine and then do all the processing on their own systems rather than trying to do anything that might trigger suspicions or use resources on a victim's machine.
And based on initial estimates, the actual data stored by Recall is pretty small on a daily basis, making exfiltration a potentially very fast process. One researcher was able to use existing info stealer malware to exfiltrate the entire database before windows defender could kick in and remediate the issue.
This is missing the point, and I'd strongly recommend reading Kevin Beaumont's findings presented as a Q&A style post about Recall [0].
This kind of poorly controlled local access makes it significantly more dangerous to use a Windows PC, because it significantly increases the harm/value of info stealing malware and will increase the degree of interest in penetrating windows systems. The fact that it's enabled by default is horrific, especially when you consider that the people most vulnerable are also the least likely to understand or disable the feature.
Before, info stealers would look for specific words/phrases in documents because anything more would be bandwidth/compute prohibitive. Now, such stealers just need to pull the Recall DB, and all of the juiciest information is served up on a platter.
To prove his point, Kevin deployed a piece of common info stealing malware and it was able to exfiltrate the Recall data before Windows Defender could remediate the issue.
This would still be a dangerous architecture even if Windows had a reputation for being impenetrable. Given the reality, this architecture is incomprehensibly bad.
I read the blog post and all I could feel was that if someone did the equivalent of running `chmod -R a+rwX ~` and then running an unauthenticated ssh server. Then yeah, they might have some security problems seen in that post. Their computer is probably already FUBAR from doing this as a habit though so...
The point is that the user doesn’t need to do either of the things you mentioned. Privilege escalation is common and how malware often works. The impact of such escalation just went up significantly.
You seem to be looking at this from the standpoint of a user doing dumb stuff things with their windows configuration (also common) vs. the very active ongoing malware campaigns against windows and how this changes the playing field for such malware and the makers of malware.
In a world where privilege escalation is common and expected, it makes no sense to deploy a database of highly sensitive data without robust security.
It’s a bit like storing money in your car in a city known for high rates of car theft.
For Privilege Esc to be relevant, this would require having execution on the device already, but somehow not on user account (since then they wouldn't need to escalate to access recall data).
If there was Priv Esc, then it doesn't matter how robust the security is because you make your way to root and you win regardless.
The point was that it’s unnecessary for a user to explicitly change the permissions of the home directory as you had described for the data to be at risk.
I agree with your last paragraph, and that is exactly what makes Recall such a big problem, and why the security community is reacting strongly against this feature.
Assuming the attacker wins, which they currently do on a regular basis, they get to know everything about everyone who has used the computer to a degree of detail that is unprecedented both in scope and in detail. The harm of losing this information to an attacker is potentially extreme, with obvious consequences.
Since this is an opt-out feature, Microsoft has essentially guaranteed that a sizable portion of their user base will overnight start feeding attackers more details than they could have ever hoped for.
It’s incompetent, irresponsible, and should be categorically rejected by the tech community.
I say this while also seeing the value of such a feature if it could be implemented safely. I hope someone figures out a safe architecture because I could see a local model trained on everything I’ve ever done on my PC being a transformational capability.
If Recall is such a big problem for that, then what of Thunderbird which would give your entire set of emails to anyone with read permissions, or Firefox which would give your email credentials and in turn your entire set of emails to anyone with read permissions. Unless you make a habit of going through all of your email archive one by one, that information is not going to be in recall. Same thing for Signal, Messenger, et al. Recall sees everything you see. Your credentials and local storage, cookies, cache, et al. see everything you see, and everything you don't see, and things you see on other devices too, and etc etc.
- - -
"Implemented safely" doesn't include security through obscurity. Past having an encrypted home directory, the only practical way to make it more secure than it currently is would be a separate device that records from tapping your monitor's cables.
Microsoft deserves all the opprobrium it's getting over this galactically stupid idea.