With Microsoft continuing the push to deliver their controversial Recall feature across Windows 11 devices, I ask whether it is time for businesses to reconsider BYOD policies?
What is Recall?
Microsoft first announced their new Recall feature earlier in the year, which prompted a significant backlash from the cyber security community and privacy advocates.
Recall is a new AI-based feature from Microsoft that takes a screenshot in Windows every 5 seconds and catalogues them in a locally encrypted database. The user can then use natural language to query this “explorable timeline of the past” to search for previous activities they may be trying to ‘recall’. For example, the user could ask Recall to look for information from a webpage they visited a few days ago, but have now forgotten the name of. Using a query like “what was the webpage I was looking at that listed all the Italian restaurants in Bruges?”.
Microsoft initially intended to release Recall to all Windows 11 PC’s as part of the 24H2 Feature update scheduled for October 2024. The original proposal was to enable the feature by default, but following much criticism and concern from security researchers and privacy advocates, a delay to the roll out was announced and confirmation Recall would become Opt-In.
Recall will now only be included as an opt-in feature to the new Windows 11 Co-Pilot+ PC’s, but nevertheless, there are indications that Recall is a key strategy for Microsoft and therefore likely to be developed further, with concerns that the underlying driver is to eventually feed data to Microsoft’s AI learning platforms.
Security Concerns
Whilst Microsoft are positioning Recall as a fairly innocuous capability that aims to support end users in finding previous activity on their computers, there are genuine security and privacy concerns that may have wider implications than perhaps have been considered. A cache of images on an individuals device, cataloguing the user’s activity every 5 seconds, day after day, will be a treasure trove to threat actors looking to harvest personal data, account credentials, and financial information. The ability to query the dataset using natural language provides an additional layer of convenience for the attacker: “What was the last transaction I performed in online banking” could be a popular search term for hackers! When you consider the applications typically used in a single day, such as Online banking, password safe access, email communications, and document creation and editing, the amount of sensitive data that could potentially be exposed through Recall is significant.
In fairness, access to the encrypted database will require access to the device itself and the appropriate user privileges. However, this is a common hurdle for many threat actors and we are all too aware that gaining remote access to systems through a myriad of exploits is the modus operandi of many hackers. For a threat actor who has gained access to a system and installed a RAT (Remote Access Tool), they could interrogate the database at their leisure, while the end user is blissfully unaware that their personal computing activities are being analysed.
Implications for BYOD
When we consider this risk in the context of business users, the potential for a breach of sensitive business data or Personally Identifiable Information (PII) will increase through the introduction of Recall.
Naturally, Microsoft recognise that in enterprise environments, Recall is unlikely to be an accepted feature, and therefore the typical centralised controls such as Group Policy, can prevent Recall from ever being enabled on corporate systems. Many smaller organisations, however, have adopted Bring Your Own Device policies to help reduce the administrative overhead and costs associated with maintaining an enterprise desktop environment, whilst giving more flexibility to the workforce of the devices they use.
With VDI (Virtual Desktop Infrastructure) implementations increasing in popularity and the use of web-based Office 365 applications, there will be an increasing risk that employees using Recall-enabled devices may be inadvertently capturing company data and storing this locally, in a database that can only be accessed through an account the organisation has no control over. In this scenario the organisation has essentially lost control of the data.
Obviously, companies could instruct their users to disable Recall, but some security researchers are already expressing concerns that Recall options are not being clearly presented within the Windows environment, and in some cases require the use of tools such as PowerShell to fully disable the feature. Others have identified a potential dependency to File Explorer in Windows, whereby disabling Recall resets the File Explorer functionality back to the Windows 10 menu format, with some of the Windows 11 features removed. These findings suggest that Recall may not be easy or convenient to disable for the average user, and therefore this approach may not be straightforward, and even harder to enforce.
The Future of BYOD
Recall presents a challenge to businesses who operate BYOD policies, both in terms of security and regulatory compliance. The potential for business and customer data to be stored on devices outside the control of the organisation will increase the risk of data loss and data breach, that could become intolerable for most organisations to accept, with very few options for robust mitigation.
Microsoft need to acknowledge the risks that this new AI feature presents, and support business by introducing control mechanisms that mitigate the risk in certain scenarios, so organisations can control their data and maintain an acceptable risk profile.