Researchers find keylogger on selected HP laptops

May 12, 2017 | 11:23

Tags: #bloatware #driver #insecurity #laptop #malware #security

Companies: #hewlett-packard #hp

Security researchers have discovered a major vulnerability in an audio driver, shipped as standard with Hewlett Packard (HP) laptops, which logs every keystroke made on the system - including usernames and passwords - to an unencrypted and world-readable file.

Announced by Modzero earlier this week following its discovery last month by researcher Thorsten Schroeder, the security vulnerability in HP laptops has been traced to a Conexant High-Definition Audio Driver bundled with the systems. Where the driver is supposed to monitor the keyboard to see if media control buttons to adjust the volume or mute the soundcard have been pressed, it has instead been found to be monitoring every single key on the keyboard - then, to compound the problem, storing a record of keys pressed in an unencrypted file on local storage.

While the driver does not appear to make any attempt to send the recorded keystrokes, which include usernames and passwords for local and online services, to remote servers, the flaw is still serious: The logfile is stored in the Public user folder, making it readable by default by any user with access to the system. The data is stored in hexadecimal format, and is quickly converted to plain-text ASCII.

Although the log file is deleted when a user logs out or restarts the system, it's still a major security flaw: Malicious applications can capture credentials and financial information simply by parsing the file without installing a keylogger of their own that could trigger anti-malware systems, while historical versions of the file may still be available post-deletion using digital forensic tools.

Modzero has traced the vulnerability to HP laptops sold since Christmas 2015, including models in the EliteBook, ProBook, ZBook, Elite x2, ZBook, and EliteBook Folio families. Thus far, no patch is available; Modzero recommends deleting the MicTray.exe and MicTray64.exe files from the system, but warns this may deactivate media keys until a patched version can be released and installed.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04