bit-tech.net

Researchers find keylogger on selected HP laptops

HP laptops sold since 2015 have been found to contain a keylogger, built into the Conexant audio driver, which writes all keystrokes to a world-readable and unprotected file.

Security researchers have discovered a major vulnerability in an audio driver, shipped as standard with Hewlett Packard (HP) laptops, which logs every keystroke made on the system - including usernames and passwords - to an unencrypted and world-readable file.

Announced by Modzero earlier this week following its discovery last month by researcher Thorsten Schroeder, the security vulnerability in HP laptops has been traced to a Conexant High-Definition Audio Driver bundled with the systems. Where the driver is supposed to monitor the keyboard to see if media control buttons to adjust the volume or mute the soundcard have been pressed, it has instead been found to be monitoring every single key on the keyboard - then, to compound the problem, storing a record of keys pressed in an unencrypted file on local storage.

While the driver does not appear to make any attempt to send the recorded keystrokes, which include usernames and passwords for local and online services, to remote servers, the flaw is still serious: the log file is stored in the Public user folder, making it readable by default by any user with access to the system. The data is stored in hexadecimal format, and can be quickly converted to plain-text ASCII.

Although the log file is deleted when a user logs out or restarts the system, it's still a major security flaw: Malicious applications can capture credentials and financial information simply by parsing the file without installing a keylogger of their own that could trigger anti-malware systems, while historical versions of the file may still be available post-deletion using digital forensic tools.

Modzero has traced the vulnerability to HP laptops sold since Christmas 2015, including models in the EliteBook, ProBook, ZBook, Elite x2, and EliteBook Folio families. Thus far, no patch is available; Modzero recommends deleting the MicTray.exe and MicTray64.exe files from the system, but warns this may deactivate media keys until a patched version can be released and installed.
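For administrators who want to check a machine before applying that workaround, the following PowerShell triage script is an added example, not code from Modzero, HP or the original article. It assumes the search roots, a 24-hour review window and a reversible rename (the `.quarantined` suffix) in place of the outright deletion Modzero recommends; only the two file names come from the article.

```powershell
# Added example: triage for the MicTray issue described above.
# Assumptions (not from the article): the search roots, the 24-hour window
# and the ".quarantined" suffix. Run elevated if you pass -Quarantine.
param(
    [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [switch]$Quarantine    # rename instead of delete, so the change can be undone
)

$names = 'MicTray.exe', 'MicTray64.exe'    # file names given in the article

# 1. Locate the binaries on disk.
$found = foreach ($root in $SearchRoots | Where-Object { $_ -and (Test-Path $_) }) {
    Get-ChildItem -Path $root -Filter 'MicTray*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name }
}

# 2. Report version, signer and whether each copy is currently running.
$running = Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue
$report = foreach ($f in $found) {
    [pscustomobject]@{
        Path    = $f.FullName
        Version = $f.VersionInfo.FileVersion
        Signer  = (Get-AuthenticodeSignature -FilePath $f.FullName).SignerCertificate.Subject
        Running = [bool]($running | Where-Object { $_.Path -eq $f.FullName })
    }
}
if ($report) { $report | Format-Table -AutoSize -Wrap }
else         { Write-Output 'No MicTray binaries found under the search roots.' }

# 3. The article places the log in the Public user folder without naming it,
#    so list recently written files there for manual review.
Get-ChildItem -Path $env:PUBLIC -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize -Wrap

# 4. Optional workaround: stop the process and rename the binaries.
#    As the article notes, this may deactivate media keys until a fix ships.
if ($Quarantine -and $found) {
    if ($running) { $running | Stop-Process -Force -ErrorAction SilentlyContinue }
    foreach ($f in $found) {
        Rename-Item -LiteralPath $f.FullName -NewName ($f.Name + '.quarantined')
        Write-Output "Renamed $($f.FullName)"
    }
}
```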

3 Comments

Paradigm Shifter 13th May 2017, 03:04
That is crazy. Who on earth thought that was a good idea, Conexant? Fire them immediately. And their manager.
TheMadDutchDude 13th May 2017, 03:28
Uh ooh. They do the audio on my Ultrabook. :D
desertstalker 13th May 2017, 04:05
Sounds like someone forgot to turn the debug logging off...