Over the previous few years, we’ve seen some excessive profile safety issues with laptops from Lenovo, Samsung, and Dell. HP, up till now, had managed to flee any critical points. Based on the Swiss infosec firm ModZero, that’s modified, courtesy of a keylogger embedded (most likely unintentionally) into sure audio drivers used on HP laptops.
HP makes use of Conexant audio chips for a few of its laptops, which suggests it additionally ships Conexant’s included software program and drivers. Right here’s how ModZero describes the problem:
Conexant additionally develops drivers for its audio chips, in order that the working system is ready to talk with the . Apparently, there are some elements for the management of the audio , that are very particular and rely on the pc mannequin – for instance particular keys for turning on or off a microphone or controlling the recording LED on the pc. On this code, which appears to be tailor-made to HP computer systems, there’s a half that intercepts and processes all keyboard enter.
Truly, the aim of the software program is to acknowledge whether or not a particular key has been pressed or launched. As an alternative, nonetheless, the developer has launched quite a lot of diagnostic and debugging options to make sure that all keystrokes are both broadcast via a debugging interface or written to a log file in a public listing on the hard-drive.
Any such debugging turns the audio driver successfully right into a keylogging spyware and adware. On the premise of meta-information of the recordsdata, this keylogger has already existed on HP computer systems since at the very least Christmas 2015.
The keylogger is created by flaws in Conexant’s MicTray64.exe utility. It’s designed to observe keystrokes and reply to consumer enter, most likely to answer instructions to mute or unmute the microphone, or start capturing data inside an utility. Sadly, it additionally writes out all keystroke information right into a publicly accessible file situated at C:UsersPublicMicTray.log. Within the occasion that this log file doesn’t exist, the keystrokes are handed to the OutputDebugString API, permitting any course of to seize this data with out being recognized as a bug.
This conduct seems to have been launched with model 1.zero.zero.46 of MicTray64. ModZero has additionally offered pseudo-code displaying how the MicTray64 utility captures information and outputs it to a log file or permits it to be captured, that data is offered here.
Any utility operating in a consumer session that may monitor debug messages might be modified to log keystroke data based mostly on the best way MicTray64 is applied. There’s no rationalization for why Conexant applied this perform in such vogue and the ModZero group doesn’t suppose it’s intentional. However there’s additionally no strategy to repair the difficulty at this time limit, other than probably uninstalling all audio software program from the system. Deleting the MicTray64.exe utility would appear to work, however this might end in a non-functional microphone.
For now, ModZero recommends that customers examine for and delete or rename the MicTray64 and MicTray purposes (situated at C:WindowsSystem32). If you happen to aren’t snug accessing protected file area inside Home windows, ask somebody for assist — mucking round within the System32 listing with out understanding what you’re doing can destroy your OS set up.
HP, up to now, has not launched any data on how they intend to resolve this problem or made any public remark.