Microsoft Windows: Recall or “How I learned to keep worrying and hate the TEMPEST”
Jimmy Shah
Antivirus/Anti-Malware Researcher | Threat Intel, Automation, Malware Analysis - Mobile, IoT, Cloud
In the story of the “Emperor’s New Clothes”, conmen convince the Emperor that he is buying the best quality wardrobe possible. In reality he is being sold fancy clothes that do not exist. And he ‘wears’ them in public, with nearly nobody daring to tell him he’s exposed. With Microsoft’s Recall “feature”, on the other hand, nearly all Cybersecurity experts are telling Microsoft that their customers are exposed.
Has Microsoft never heard of TEMPEST?
As many others have stated, Microsoft has a plethora of skilled and knowledgeable cybersecurity researchers. A multitude of CISSPs even[1]. If one were to describe what Recall does to a CISSP, they would likely void their bladders. Screenshots of the Three P’s of intelligence gathering: PII, Passwords and other Potentially compromising secrets.
The CISSP Body of Knowledge includes TEMPEST as a potential threat. TEMPEST refers to attacks that steal information from one’s computer screen. Traditionally, to the Public, it was known as ‘Van Eck phreaking’, named after the author of the first public paper that described such attacks. It involved older CRT monitors that leaked electromagnetic signals from cables and the screen itself: signals that bad guys with a directional radio antenna and their own CRT monitor could receive, reconstructing the image on the victim’s screen. This was enough of a concern that the US Department of Defense has standards for securing hardware and cabling to restrict leakage. The NSA also has a TEMPEST Certification Program to certify TEMPEST-proof hardware.
The end goal of a TEMPEST attack is to acquire sensitive screenshots from a victim’s computer. Microsoft’s Recall feature skips all the middle steps and stores a collection of those sensitive screenshots locally. Microsoft is being warned that they are doing a majority of the criminals’ jobs for them. A criminal that can get a victim to run malware or spyware on their system can gain complete access to these local screenshots. Crooks already exfiltrate data with ransomware and spyware.
Should we be worried?
Absolutely. Cybersecurity researchers worked out methods to extract the screenshots within a day of the initial Recall announcement. Shortly after, additional functionality, like exfiltration over the Internet, was added by other researchers. These are proofs of concept to show that the risk and danger we’re telling Microsoft about are valid. The organized crime groups will be doing the same, and they don’t tell victims that they’re doing so.
The middle step of a TEMPEST attack is like a Police sting: it’s a lot of waiting and monitoring to get the target to do something worth capturing. If Recall is a standard feature of every Windows installation, attackers can come by a target system every quarter and download a new stash of potentially compromising information.
But Microsoft just set the feature’s default setting to ‘OFF’
Yes, and the feature that keeps a picture of everything on your screen still exists, requiring a silent flip of a switch to get it working.
This is a shifting of the Overton window of Cybersecurity Best Practices.
Others have suggested ‘recall should be recalled’. That may not be necessary. Microsoft changed their image almost two decades ago from a cybersecurity soft target to one that takes security seriously and has become a harder target.
Microsoft needs to protect its customers; Recall is not the way.
[1] A collection of CISSPs, an (ISC)² if you will.
Originally published: 06/07/2024