“TotalRecall Reloaded” tool finds a side entrance to Windows 11’s Recall database


The problem, as Hagenah details on the TotalRecall GitHub page, is not with the security around the Recall database, which he calls “rock solid.” The problem is that, once the user is authenticated, the system passes the Recall data to another process called AIXHost.exe, and that process does not benefit from the same security protections as the rest of Recall.

Hagenah writes, “The safe is solid. The delivery truck is not.”

The TotalRecall Reloaded tool uses an executable to inject a DLL into AIXHost.exe, something that can be done without administrative privileges. It then waits in the background for the user to open Recall and authenticate with Windows Hello. Once that happens, the tool can intercept the screenshots, OCR’d text and other metadata that AIXHost.exe passes to Recall, and it can keep doing so even after the user closes his or her Recall session.
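One way a defender could check for the condition the article describes, a foreign DLL resident in AIXHost.exe, as an added example that is not from the article or the TotalRecall project. It assumes PowerShell on a Windows 11 host where Recall is enabled, that the process is still named AIXHost.exe, and that the script runs as the same user as the Recall session (or elevated) so the module list is readable:

```powershell
# Added example, not code from the article or the TotalRecall project.
# Enumerate every module loaded into AIXHost.exe and report any that is
# not carrying a valid Authenticode signature from Microsoft. A legitimate
# AIXHost.exe should load only Microsoft-signed modules; anything else is
# worth an analyst's attention.
$procs = Get-Process -Name 'AIXHost' -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host 'AIXHost.exe is not running; nothing to inspect.'
    return
}

foreach ($p in $procs) {
    try {
        $modules = $p.Modules   # may throw on access denied or bitness mismatch
    } catch {
        Write-Warning "PID $($p.Id): cannot read module list ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Treat only a valid chain with a Microsoft Corporation signer as expected.
        $msSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
        if (-not $msSigned) {
            [PSCustomObject]@{
                PID             = $p.Id
                Module          = $path
                SignatureStatus = $sig.Status
                Signer          = $subject
            }
        }
    }
}
```

An empty result means every module in AIXHost.exe is Microsoft-signed; any row returned identifies a module an investigator should hash and examine.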

Hagenah writes, “VBS Enclave won’t decrypt anything without Windows Hello. The tool doesn’t bypass that. It makes the user do it, runs silently while the user does it, or waits for the user to do it.”

Some tasks, including capturing the latest Recall screenshot, capturing selected metadata about the Recall database, and deleting a user’s entire Recall database, can be performed without Windows Hello authentication.

Once the user has authenticated, Hagenah says the TotalRecall Reloaded tool can access new information entered into the Recall database as well as data previously recorded by Recall.

Bug or not, Recall is still risky

For its part, Microsoft has said that Hagenah’s discovery is not actually a bug and that the company is not planning to fix it. Hagenah originally reported his findings to Microsoft’s Security Response Center on March 6, and Microsoft officially classified the issue as “not a vulnerability” on April 3.
