
The problem, as Hagenah describes in detail on the TotalRecall GitHub page, is not the security around the Recall database itself, which he calls "rock solid". The problem is that once the user has authenticated, the system hands the decrypted data to another process, AIXHost.exe, and that process does not get the same protections as the rest of Recall.
"The vault is solid," Hagenah writes. "The delivery truck is not."
The TotalRecall Reloaded tool injects a DLL into the AIXHost.exe process, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate with Windows Hello. From that point on, the tool can capture the screenshots, OCR text, and other metadata that Recall sends to AIXHost.exe, and it can keep doing so even after the user has closed the Recall session.
"The VBS enclave won't decrypt anything without Windows Hello," Hagenah writes. "The tool doesn't bypass it. It either forces the user to do it, hides silently while the user does it, or waits for the user to do it."
A number of actions need no Windows Hello authentication at all, including grabbing the most recent Recall screenshot, collecting selected metadata about the Recall database, and deleting the user's entire Recall database.
Once the user has authenticated, Hagenah says, TotalRecall Reloaded can access both newly recorded Recall data and everything Recall recorded previously.
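The attack described above lives or dies on getting a foreign DLL into AIXHost.exe, so a defender's first question is whether that process is carrying anything it should not. The PowerShell check below is an added example, not code from the article or from Hagenah's tool: it enumerates the modules loaded into every running AIXHost.exe and flags any whose on-disk path is outside the Windows system directories or whose Authenticode signature is not valid. It assumes (the page does not say) that AIXHost.exe runs in the user's own session, so its module list is readable without elevation, and that a legitimate install only loads Microsoft-signed modules from under the Windows or WindowsApps directories; the trusted-root list is the author's choice, not documented by Microsoft.

```powershell
# Added defensive check (not part of the article or of TotalRecall Reloaded).
# Lists DLLs loaded into AIXHost.exe and flags those that look out of place.
# Assumption: a clean AIXHost.exe loads only signed modules from these roots.
$trustedRoots = @(
    $env:SystemRoot,                             # typically C:\Windows
    (Join-Path $env:ProgramFiles 'WindowsApps')  # packaged app binaries
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$procs = Get-Process -Name 'AIXHost' -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host 'AIXHost.exe is not running; open Recall and re-run this check.'
    return
}

$findings = foreach ($p in $procs) {
    try {
        $modules = $p.Modules   # System.Diagnostics.ProcessModuleCollection
    } catch {
        # Access denied here usually means the process runs under another
        # account or at a higher integrity level than this shell.
        Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $untrustedPath = -not (Test-TrustedPath -Path $m.FileName)
        $badSig = ($sig.Status -ne 'Valid')
        if ($untrustedPath -or $badSig) {
            $reason = if ($untrustedPath) { 'path outside system directories' } else { 'signature not valid' }
            [pscustomobject]@{
                PID       = $p.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Reason    = $reason
            }
        }
    }
}

if ($findings) {
    Write-Host 'Suspicious modules loaded into AIXHost.exe:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected modules found in AIXHost.exe.'
}
```

Two caveats apply. This is a point-in-time snapshot, so it has to run while Recall is open and AIXHost.exe is alive. And it only sees modules that Windows itself registered in the process's loader list; a DLL that is manually mapped into memory rather than loaded through the normal loader will not appear here, so a clean result from this script is not proof that the process is untouched. An EDR rule on cross-process memory writes or thread creation into AIXHost.exe covers that gap.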
Bug or not, Recall is still risky
For its part, Microsoft said that Hagenah’s discovery was not actually a bug and that the company has no plans to fix it. Hagenah first reported his findings to Microsoft’s Security Response Center on March 6, and Microsoft officially classified it as “not a vulnerability” on April 3.