{"id":33430,"date":"2024-06-25T11:29:18","date_gmt":"2024-06-25T09:29:18","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=33430"},"modified":"2024-06-25T11:29:18","modified_gmt":"2024-06-25T09:29:18","slug":"how-to-disable-copilot-recall-spyware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/how-to-disable-copilot-recall-spyware\/33430\/","title":{"rendered":"Don’t forget about Recall, because Recall won’t forget about you"},"content":{"rendered":"

In May 2024, Microsoft introduced a new feature for Windows 11 called Recall<\/em><\/a>, which \u201cremembers\u201d everything you\u2019ve done on your computer over the last few months. Let\u2019s say you want to Recall<\/em> something you did on your computer recently. You enter into the search bar something like \u201cphoto of red car sent to me\u201d, or \u201cKorean restaurant I was recommended\u201d \u2014 and receive answers in the form of links to apps, websites, or documents, paired with a thumbnail image of the screen captured the moment you were looking at the requested item!<\/p>\n

\"Recall<\/a>

Recall remembers everything you did on your computer in the last few months. Perhaps even things you\u2019d rather forget. Source<\/a><\/p><\/div>\n

What Recall<\/em> does is take a screenshot every few seconds, which it saves in a folder on your computer. Then it analyzes all the images using AI in the background, extracts all the information from them, and places it into a database to be used for an AI-powered smart search.<\/p>\n

Although all operations take place locally on the user\u2019s machine, Recall<\/em> sparked alarm among cybersecurity pros as soon as it was unveiled due to the many potential risks. The initial implementation of Recall<\/em> was pretty much unencrypted, and available to any user of the computer. Under pressure from the infosec community, Microsoft announced<\/a> improvements to the feature even before the public release, which was postponed from June 18 until around the end of the fall 2024. Yet, even with the promised tweaks, Recall<\/em> remains controversial.<\/p>\n

The dangers of Recall<\/h2>\n

All key data can be stolen in one fell swoop.<\/strong><\/p>\n

The primary risk of Recall<\/em> is that all sensitive data \u2014 from medical diagnoses and password-protected conversations to bank statements and private photos \u2014 ends up stored in one place on the computer. If a threat actor gains access to your computer or infects the machine with malware, all they need do is copy the contents of a single folder, and all your secrets are spilled. While tons of screenshots are a little trickier to steal due to their large size, the text part with recognized information could be snatched in a matter of seconds.<\/p>\n

Worse still, if an attacker manages to stealthily download the screenshots, they\u2019d be able to reconstruct everything you\u2019ve done on your computer over the last few months \u2014 almost second by second. Recall<\/em> can save up to three months of history unless it runs out of space (by default \u2014 10% of drive capacity, but no more than 150GB).<\/p>\n

While in the past infostealers would primarily target login credentials<\/a>, crypto wallet data<\/a>, and browser cookies<\/a>, this list will soon be headed by Recall<\/em> databases. Concerned infosec experts have wasted no time in creating a demo utility<\/a> to show just how easy it is to extract data \u2014 even remotely<\/a>.<\/p>\n

Questionable data encryption. <\/strong>In the initial version of Recall<\/em>, screenshots and databases with recognized texts were stored in open form. This prompted cybersecurity experts to demonstrate<\/a> how to bypass OS restrictions and gain access to Recall<\/em> databases and screenshots of any user on the computer. To address this issue, Microsoft promises additional encryption of the databases themselves with on-the-fly decryption. However, no one has seen the implementation of this feature yet, and there\u2019s a good chance that decryption on a local computer will pose no difficulty. As with BitLocker full-disk encryption, this encryption can protect against evil-maid attacks<\/a>, but it does nothing to help those who might leave their computer unlocked or put it to sleep, or who get infected with an infostealer.<\/p>\n

Poorly policed confidential data<\/strong>. Microsoft states<\/a> that the Recall<\/em> database will store passwords, financial data, and other sensitive data that gets displayed on-screen. Unless the user has \u201cpaused\u201d Recall<\/em>, only private windows<\/a> (in Edge, Chrome, Opera or Firefox) and DRM-protected data (for example, Netflix movies) are excluded from the database. Backup recovery codes for online accounts? Disappearing chat messages? An email you thought it best to delete? All this will remain in the Recall<\/em> database, and you won\u2019t be able to surgically remove individual data fragments \u2014 you\u2019d have to clear all information over a long period. Otherwise, anyone who sits down at your unlocked computer would be able to spy on your confidential data \u2014 the kind that banks, clinics, and online services hide behind passwords and two-factor authentication. To mitigate this issue, Microsoft has issued assurances that access to the Recall<\/em> application on a local computer will require additional user authentication.<\/p>\n

\"Backup<\/a>

Backup access recovery codes will also end up in the Recall database, wrecking the entire multi-factor authentication security model<\/p><\/div>\n

Risks at work and at home. <\/strong>Detailed, easily searchable information about computer activity dating back months could cause problems for those who\u2019ve an overly demanding boss, nosey housemate, or jealous other half. The temptation will be there to use Recall<\/em> to track work performance, marital fidelity, and much more.<\/p>\n

Default mode.<\/strong> Initially, Recall<\/em> was supposed to be enabled by default, but under public pressure Microsoft said this would not be the case. Now, when installing Windows yourself you\u2019re prompted to enable Recall<\/em>, which is now disabled by default. However, those whose computer came with Windows 11 already configured (for example, at work) would have to check the presence and operating mode of Recall<\/em> themselves.<\/p>\n

Where to look for Recall<\/h2>\n

Currently, Microsoft claims that Recall<\/em> will only be available on Copilot+ computers<\/a> equipped with both a special Neural Processing Unit (NPU) and Windows 11. In practice, experts have successfully run Recall<\/em> on other computers<\/a>. Machines with ARM processors are best suited for this, but the feature can also be activated (albeit with some difficulties<\/a>) on computers with x86 architecture \u2014 and even on virtual machines in Azure<\/a>. What\u2019s clear is that Recall<\/em> requires no unique hardware to work, which means that in due course the feature will become available for all Windows computers with enough power. Given Microsoft\u2019s practice in recent years of \u201coffering\u201d features by automatically activating them on users\u2019 computers, you might get an unwanted AI assistant without even realizing it.<\/p>\n

How to check for Recall<\/h2>\n

Recall <\/em><\/p>\n

can\u2019t be installed on Windows 10 machines or earlier. On Windows 11, you can check for the feature by typing Recall<\/em> in the Start menu search bar. If an application with this name appears in the search results, it\u2019s installed and needs to be configured or disabled.<\/p>\n

How to mitigate the risks posed by Recall<\/h2>\n

Some categories of users are advised to disable Recall<\/em> entirely. This includes those who:<\/p>\n