HP By chance Ships Laptop computer Audio Driver With Keylogger Put in

Over the previous few years, we’ve seen some excessive profile safety issues with laptops from Lenovo, Samsung, and Dell. HP, up till now, had managed to flee any severe points. In response to the Swiss infosec firm ModZero, that’s modified, courtesy of a keylogger embedded (most likely by chance) into sure audio drivers used on HP laptops.

HP makes use of Conexant audio chips for a few of its laptops, which suggests it additionally ships Conexant’s included software program and drivers. Right here’s how ModZero describes the problem:

Conexant additionally develops drivers for its audio chips, in order that the working system is ready to talk with the . Apparently, there are some elements for the management of the audio , that are very particular and rely on the pc mannequin – for instance particular keys for turning on or off a microphone or controlling the recording LED on the pc. On this code, which appears to be tailor-made to HP computer systems, there’s a half that intercepts and processes all keyboard enter.

Really, the aim of the software program is to acknowledge whether or not a particular key has been pressed or launched. As an alternative, nevertheless, the developer has launched various diagnostic and debugging options to make sure that all keystrokes are both broadcast by way of a debugging interface or written to a log file in a public listing on the hard-drive.

Any such debugging turns the audio driver successfully right into a keylogging adware. On the premise of meta-information of the information, this keylogger has already existed on HP computer systems since at the very least Christmas 2015.

The keylogger is created by flaws in Conexant’s MicTray64.exe software. It’s designed to observe keystrokes and reply to person enter, most likely to reply to instructions to mute or unmute the microphone, or start capturing data inside an software. Sadly, it additionally writes out all keystroke knowledge right into a publicly accessible file positioned at C:UsersPublicMicTray.log. Within the occasion that this log file doesn’t exist, the keystrokes are handed to the OutputDebugString API, permitting any course of to seize this data with out being recognized as a bug.


Conexant doesn’t checklist “Shock keylogger” as any of its options.

This conduct seems to have been launched with model of MicTray64. ModZero has additionally offered pseudo-code displaying how the MicTray64 software captures knowledge and outputs it to a log file or permits it to be captured, that data is obtainable here.

Any software working in a person session that may monitor debug messages may very well be modified to log keystroke data primarily based on the way in which MicTray64 is applied. There’s no rationalization for why Conexant applied this perform in such style and the ModZero workforce doesn’t suppose it’s intentional. However there’s additionally no approach to repair the difficulty at this time limit, other than presumably uninstalling all audio software program from the system. Deleting the MicTray64.exe software would appear to work, however this might lead to a non-functional microphone.

For now, ModZero recommends that customers verify for and delete or rename the MicTray64 and MicTray purposes (positioned at C:WindowsSystem32). If you happen to aren’t snug accessing protected file house inside Home windows, ask somebody for assist — mucking round within the System32 listing with out understanding what you’re doing can destroy your OS set up.

HP, so far, has not launched any data on how they intend to resolve this difficulty or made any public remark.

About the author