HP Unintentionally Ships Laptop computer Audio Driver With Keylogger Put in

Over the previous few years, we’ve seen some excessive profile safety issues with laptops from Lenovo, Samsung, and Dell. HP, up till now, had managed to flee any critical points. In keeping with the Swiss infosec firm ModZero, that’s modified, courtesy of a keylogger embedded (most likely unintentionally) into sure audio drivers used on HP laptops.

HP makes use of Conexant audio chips for a few of its laptops, which implies it additionally ships Conexant’s included software program and drivers. Right here’s how ModZero describes the problem:

Conexant additionally develops drivers for its audio chips, in order that the working system is ready to talk with the . Apparently, there are some elements for the management of the audio , that are very particular and rely upon the pc mannequin – for instance particular keys for turning on or off a microphone or controlling the recording LED on the pc. On this code, which appears to be tailor-made to HP computer systems, there’s a half that intercepts and processes all keyboard enter.

Truly, the aim of the software program is to acknowledge whether or not a particular key has been pressed or launched. As an alternative, nevertheless, the developer has launched numerous diagnostic and debugging options to make sure that all keystrokes are both broadcast by a debugging interface or written to a log file in a public listing on the hard-drive.

The sort of debugging turns the audio driver successfully right into a keylogging spyware and adware. On the premise of meta-information of the information, this keylogger has already existed on HP computer systems since no less than Christmas 2015.

The keylogger is created by flaws in Conexant’s MicTray64.exe software. It’s designed to observe keystrokes and reply to person enter, most likely to reply to instructions to mute or unmute the microphone, or start capturing data inside an software. Sadly, it additionally writes out all keystroke information right into a publicly accessible file situated at C:UsersPublicMicTray.log. Within the occasion that this log file doesn’t exist, the keystrokes are handed to the OutputDebugString API, permitting any course of to seize this data with out being recognized as a trojan horse.


Conexant doesn’t record “Shock keylogger” as any of its options.

This habits seems to have been launched with model of MicTray64. ModZero has additionally offered pseudo-code exhibiting how the MicTray64 software captures information and outputs it to a log file or permits it to be captured, that data is accessible here.

Any software working in a person session that may monitor debug messages could possibly be modified to log keystroke data based mostly on the way in which MicTray64 is carried out. There’s no rationalization for why Conexant carried out this operate in such style and the ModZero group doesn’t suppose it’s intentional. However there’s additionally no approach to repair the difficulty at this time limit, other than presumably uninstalling all audio software program from the system. Deleting the MicTray64.exe software would appear to work, however this might end in a non-functional microphone.

For now, ModZero recommends that customers examine for and delete or rename the MicTray64 and MicTray purposes (situated at C:WindowsSystem32). In the event you aren’t comfy accessing protected file area inside Home windows, ask somebody for assist — mucking round within the System32 listing with out figuring out what you’re doing can destroy your OS set up.

HP, so far, has not launched any data on how they intend to resolve this difficulty or made any public remark.