“TotalRecall Reloaded” tool finds a side entrance to Windows 11’s Recall database

This page was created programmatically. To read the article in its original location, you can go to the link below:
https://arstechnica.com/gadgets/2026/04/totalrecall-reloaded-tool-finds-a-side-entrance-to-windows-11s-recall-database/
If you wish to remove this article from our site, please contact us.


The problem, as detailed by Hagenah on the TotalRecall GitHub page, isn’t with the security around the Recall database, which he calls “rock solid.” The problem is that, once the user has authenticated, the system passes Recall data to another system process called AIXHost.exe, and that process doesn’t benefit from the same security protections as the rest of Recall.

“The vault is solid,” Hagenah writes. “The delivery truck is not.”

The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR’d text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session.

“The VBS enclave won’t decrypt anything without Windows Hello,” Hagenah writes. “The tool doesn’t bypass that. It makes the user do it, silently rides along when the user does it, or waits for the user to do it.”

A handful of tasks, including grabbing the most recent Recall screenshot, capturing select metadata about the Recall database, and deleting the user’s entire Recall database, can be done with no Windows Hello authentication.

Once authenticated, Hagenah says the TotalRecall Reloaded tool can access both new information recorded to the Recall database and data Recall has previously recorded.
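
For defenders, the DLL injection into AIXHost.exe described above can be hunted for in endpoint telemetry. The following is an added example, not code from the article or from the TotalRecall project; it assumes Sysmon ImageLoad (Event ID 7) and CreateRemoteThread (Event ID 8) events exported as JSON lines, and the article does not say which injection method the tool uses. All sample events, paths and file names are constructed placeholders.

```python
import json
from pathlib import PureWindowsPath

TARGET = "aixhost.exe"  # process named in the article
# Assumption: modules under these directories are expected; tune per environment.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return a reason string if a Sysmon event suggests code landing in AIXHost.exe."""
    eid = ev.get("EventID")
    if eid == 7 and _name(ev.get("Image", "")) == TARGET:  # ImageLoad
        if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
            return "unsigned module loaded"
        if not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DIRS):
            return "module loaded from untrusted path"
    elif eid == 8 and _name(ev.get("TargetImage", "")) == TARGET:  # CreateRemoteThread
        return "remote thread from " + _name(ev.get("SourceImage", "?"))
    return None

def scan(json_lines):
    """Return (record_index, reason) for each suspicious event in a JSON-lines export."""
    hits = []
    for i, line in enumerate(json_lines):
        reason = classify(json.loads(line))
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample events (paths and file names are placeholders, not from the article).
AIX = r"C:\Windows\PLACEHOLDER\AIXHost.exe"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\example.exe", "TargetImage": AIX},
    {"EventID": 7, "Image": r"C:\Windows\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\example.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\ProgramData\vendor\signed.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
)]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(idx, why)
```

Injection techniques that do not go through the Windows loader would not generate an ImageLoad event, so this check is one signal rather than complete coverage.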

Bug or not, Recall is still risky

For its part, Microsoft has said that Hagenah’s discovery isn’t actually a bug and that the company doesn’t plan to fix it. Hagenah originally reported his findings to Microsoft’s Security Response Center on March 6, and Microsoft officially classified it as “not a vulnerability” on April 3.
