The Dawn of the Copilot+ PC: An AI Security Analysis
The industry is rapidly shifting toward AI-native hardware, and the latest generation of “Copilot+ PCs” represents a new frontier for both capability and risk. These devices are architected around powerful on-device neural processing, moving significant AI workloads from the cloud to the endpoint. As AI security professionals and red teamers, we must dissect this new paradigm to understand the expanded attack surface and novel vulnerabilities it introduces. This analysis will use the technical specifications of Microsoft’s new Surface Pro devices, powered by Snapdragon X Series processors, as a case study for this emerging threat landscape.
Hardware Foundation: The NPU as a High-Value Target
At the core of these new machines is a dedicated Neural Processing Unit (NPU). The specified hardware features a Qualcomm Hexagon NPU capable of 45 TOPS (Trillion Operations Per Second). This significant computational power enables complex AI models to run locally, a design choice with profound security implications.
- Data Locality vs. Endpoint Risk: While processing data on-device can mitigate some privacy risks associated with cloud transmission, it simultaneously turns the endpoint into a richer, more valuable target. The NPU and the data it processes become a primary objective for attackers who gain local access.
- NPU Attack Vectors: We must now consider attack vectors targeting the NPU itself. Can malicious code running on the host OS access or manipulate NPU operations? Are there side-channel attacks that could leak information from models running on the Hexagon NPU? The potential for model inversion, membership inference, and weight extraction attacks on local models is a critical area for research.
- SoC Integration: The NPU is part of the Snapdragon X Elite and X Plus System-on-Chip (SoC), which also integrates the Qualcomm Adreno GPU and LPDDR5x RAM (configurable up to 64GB). This tight integration, while efficient, could introduce complex vulnerabilities where a compromise in one component could impact the security of another, including the NPU’s secure execution environment.
Feature Analysis: “Recall” and the Creation of a Chronological Post-Exploitation Goldmine
Perhaps the most significant new feature from a security perspective is Recall (preview). This function is designed to create an “explorable timeline of your PC’s history” by continuously capturing snapshots of the user’s activity. From an offensive security standpoint, this is a game-changing development.
Red Teaming the Recall Database
For decades, post-exploitation has involved a painstaking process of reconnaissance: hunting for credentials, sensitive documents, and user data scattered across a system. The Recall feature consolidates this effort into a single target.
- Centralized Sensitive Data: The Recall database effectively becomes a complete, chronologically-indexed record of everything a user has seen or typed. This includes credentials entered into web forms, sensitive information displayed in emails or documents, API keys in developer terminals, and private conversations.
- Exfiltration Efficiency: An attacker with sufficient privileges no longer needs to deploy keyloggers, screen scrapers, or file system crawlers. Exfiltrating the Recall database provides a near-complete history of user activity, drastically reducing the attacker’s footprint and time-on-target. The key questions are:
  - Where is this database stored on the removable Gen 4 SSDs?
  - What encryption mechanisms protect it at rest?
  - How is key management handled? Is it tied to the user’s login state, or can it be accessed by a SYSTEM-level process?
- Physical and Insider Threats: If a device is lost or stolen, the Recall database becomes a primary target for offline attacks. Bypassing the OS login could potentially grant an attacker access to a user’s entire digital history. Similarly, malicious insiders with administrative access could easily exfiltrate this data.
While Microsoft states that Recall requires Windows Hello Enhanced Sign-in Security, the sheer existence of such a comprehensive local data store represents a fundamental shift in the endpoint risk calculation.
Evaluating the Defensive Posture: “Chip-to-Cloud” Security
To counter these new risks, Microsoft is leaning heavily on its “Secured-core PC” initiative, promoting a “chip-to-cloud security” model. This architecture is built on several key hardware and software components.
- Microsoft Pluton Security Processor: The integration of the Pluton processor directly onto the CPU die is a significant security enhancement over discrete TPMs. By handling credentials, encryption keys, and attestation within the CPU’s security boundary, it provides robust protection against physical attacks like bus snooping.
- TPM 2.0: The Trusted Platform Module remains a foundational component for measured boot and platform integrity, likely working in concert with Pluton.
- Windows Hello with Enhanced Sign-in Security: This feature utilizes virtualization-based security (VBS) to isolate biometric data and authentication processes from the main OS kernel, mitigating credential theft techniques like pass-the-hash.
However, a critical question remains: Do these robust hardware-level protections for boot and identity sufficiently protect the new, massive data stores created by AI features? A secure boot process and isolated biometrics are crucial, but they may not prevent a privileged process, running after a user has authenticated, from accessing and exfiltrating application-level data like the Recall database.
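The gap described above, and the key-management questions raised under Recall (is the key tied to login state, or reachable by a SYSTEM-level process?), can be illustrated with a small Python model. This is an added example, not Microsoft's or the page's code; the PCR extend, key sealing and XOR keystream cipher are simplified stand-ins for the real TPM/Pluton and storage encryption, and every boot measurement and store content is constructed.

```python
import hashlib
import hmac
# Constructed model (not Microsoft's implementation): measured boot extends a
# PCR-style register, a storage key is sealed to the expected boot state, and
# the encrypted store is readable by anyone holding the released key.

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA256(old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold an ordered boot chain into a single PCR value."""
    pcr = b"\x00" * 32
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class SealedKey:
    """Hypothetical sealed key: released only if the current PCR matches."""
    def __init__(self, key: bytes, expected_pcr: bytes):
        self._key = key
        self._expected_pcr = expected_pcr

    def unseal(self, current_pcr: bytes):
        if not hmac.compare_digest(current_pcr, self._expected_pcr):
            return None  # boot chain tampered or unknown: key stays sealed
        return self._key

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream); stands in for real AES."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed boot chains, device key and a one-line stand-in for a snapshot store.
GOOD_BOOT = [b"firmware-v1", b"bootloader", b"kernel", b"vbs-hypervisor"]
TAMPERED_BOOT = GOOD_BOOT[:3] + [b"patched-hypervisor"]
STORE_KEY = hashlib.sha256(b"constructed device-bound key").digest()
SEALED = SealedKey(STORE_KEY, measure_boot(GOOD_BOOT))
ENCRYPTED_STORE = keystream_xor(STORE_KEY, b"snapshot: user typed a password")

def read_store_after_boot(boot_chain):
    """Offline/tampered-boot reader: plaintext only if the key unseals."""
    key = SEALED.unseal(measure_boot(boot_chain))
    return None if key is None else keystream_xor(key, ENCRYPTED_STORE)

def read_store_as_privileged_process():
    """Any process holding the OS's unsealed key reads the store; attestation
    never re-checks who is asking once the key has been released."""
    os_held_key = SEALED.unseal(measure_boot(GOOD_BOOT))
    return keystream_xor(os_held_key, ENCRYPTED_STORE)
```

The tampered chain is refused, which is what measured boot buys; the privileged-process path succeeds, which is the post-authentication exposure the section argues hardware boot protections do not address.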
Other AI-Driven Attack Surfaces
Beyond Recall, other on-device AI features introduce novel vectors that warrant scrutiny:
- Windows Studio Effects: This feature uses the NPU for camera effects like automatic framing and portrait blur. Could a compromised model be loaded to create convincing deepfakes in real-time during a video call, bypassing user intent?
- Voice and Text Input: The system is designed to interact with Copilot via text and voice. The audio processing pipeline, including the Dual Studio Mics with voice focus, could be a target for eavesdropping or manipulation before the data is passed to the AI.
- Contextual AI Actions: Features like “Click to Do” analyze on-screen content to suggest actions. This presents a potential vector for prompt injection or manipulation, where crafted on-screen content could trick the AI into suggesting and executing a malicious action.
Conclusion: The New Battleground is On-Device AI
The advent of Copilot+ PCs, exemplified by devices like the new Surface Pro, marks an inflection point for cybersecurity. The integration of powerful NPUs and data-hungry AI features like Recall fundamentally alters the endpoint security landscape.
While hardware security enhancements like Microsoft Pluton provide a stronger foundation, they are pitted against a vastly expanded and more valuable attack surface. The focus for offensive and defensive security professionals must now expand. We must move beyond traditional OS and network vulnerabilities to address the security of the AI models themselves, the NPUs they execute on, and the massive, centralized data stores they create. Red teaming methodologies must evolve to target these new components, and blue teams must develop strategies to monitor, protect, and respond to threats against on-device AI infrastructure.