Slashdot Mirror


Keylogger Found in Audio Driver of HP Laptops, Says Report (bleepingcomputer.com)

An anonymous reader writes: The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today. According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier. This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe). This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

23 of 116 comments

  1. Never assume... by thegreatbob · · Score: 3, Insightful

    Was this malice or stupidity? Perhaps both?

    --
    There is no XUL, only WebExtensions...
    1. Re:Never assume... by Joce640k · · Score: 2

      Never attribute to one that which can adequately be explained by the other.

      --
      No sig today...
    2. Re:Never assume... by Calydor · · Score: 3, Insightful

      Malice.

      It had NO REASON WHATSOEVER to keep a logfile for the keystrokes. Listen to the keyboard for a hotkey or combo? Sure thing, that's what these programs HAVE to do. But a logfile? WHY? Was it gonna check if it MISSED SOMETHING two hours ago?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Never assume... by MightyMartian · · Score: 3, Insightful

      I can't sort out how it would be an accident. Sometimes these things are due to debugging modes not being turned off on the production release, but what debugging mode in an audio driver would require logging keystrokes?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Never assume... by Anonymous Coward · · Score: 5, Insightful

      Perhaps used originally for debug, but not removed for release builds. Which would be stupidity.

    5. Re:Never assume... by K. S. Kyosuke · · Score: 2

      Not to mention that bugging is the polar opposite of debugging.

      --
      Ezekiel 23:20
    6. Re:Never assume... by bws111 · · Score: 2

      Well it does say that the driver is looking for things like mute/unmute and other hotkeys, so I guess if you are debugging those functions you may want to log the keystrokes you see.

    7. Re:Never assume... by Wonda · · Score: 4, Insightful

      Could well have been for debugging, and they forgot to take it out again.

    8. Re:Never assume... by ShanghaiBill · · Score: 4, Informative

      but what debugging mode in an audio driver would require logging keystrokes?

      One reason would be to replay a sequence of keystrokes to verify that a bug has been fixed.

      My company has an internal app that logs input (keystrokes, mouse movements). If the program crashes, the keylog is emailed along with the stack trace to the responsible programming team. This has been a wonderful help for debugging and is WAY more useful than user descriptions of what they were doing. We can see what caused the fault, and after fixing the problem we can replay the input to verify that it is fixed. However, it only records input when this app has the focus, and users are informed that their input is being recorded.

    9. Re:Never assume... by AmiMoJo · · Score: 3, Insightful

      The developer needed some debug info, and maybe even figured it would be helpful for remote debugging of problems, so they threw in a log file. Probably meant to disable it in the release build, or maybe they were just incompetent and didn't realize what a problem it was.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Never assume... by dgatwood · · Score: 2

      For this type of product, storing that data might actually make sense to keep. The problem is not that the data is being stored, but rather that it is being stored on disk where anybody with the right access privileges can trivially get to it.

      Debug logging is the perfect use case for an in-memory ring buffer. That approach ensures that the data is relatively hard to access (i.e. that it can be accessed only by your debugging tool that knows the magic handshake or whatever). It also ensures that the data is transient enough that using that data maliciously would be fairly impractical.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
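
A sketch of the in-memory ring buffer approach described in the comment above, as an added example that is not part of the thread or of the Conexant driver. `RING_CAP`, `KEY_MIC_MUTE` and the function names are assumptions made for illustration; storing non-hotkey keys as 0 is a choice of this example rather than something the comment proposes, and the debugger handshake the comment mentions is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_CAP 8            /* assumed capacity: history stays short-lived */
#define KEY_MIC_MUTE 0x101    /* hypothetical hotkey code for this example */

typedef struct { uint64_t seq; uint16_t key; uint8_t handled; } dbg_event;
typedef struct { dbg_event slot[RING_CAP]; uint64_t next_seq; } dbg_ring;

static void ring_init(dbg_ring *r) { memset(r, 0, sizeof *r); }

/* Record one key event. Keys that are not the hotkey are stored as 0, so the
   buffer shows event order for debugging without holding typed text. */
static void ring_push(dbg_ring *r, uint16_t key) {
    dbg_event *e = &r->slot[r->next_seq % RING_CAP];  /* overwrites the oldest */
    int is_hotkey = (key == KEY_MIC_MUTE);
    e->seq = r->next_seq++;
    e->key = is_hotkey ? key : 0;
    e->handled = (uint8_t)is_hotkey;
}

/* Copy the retained events, oldest first, into out[]; returns how many. */
static size_t ring_snapshot(const dbg_ring *r, dbg_event *out, size_t max) {
    uint64_t have = r->next_seq < RING_CAP ? r->next_seq : RING_CAP;
    uint64_t first = r->next_seq - have;
    size_t n = 0;
    for (uint64_t i = 0; i < have && n < max; i++)
        out[n++] = r->slot[(first + i) % RING_CAP];
    return n;
}

/* Erase the buffer; volatile writes keep the compiler from dropping them. */
static void ring_wipe(dbg_ring *r) {
    volatile unsigned char *p = (volatile unsigned char *)r;
    for (size_t i = 0; i < sizeof *r; i++) p[i] = 0;
}

int main(void) {
    /* Constructed input: ten ordinary key codes, then the hotkey. */
    dbg_ring r; dbg_event ev[RING_CAP];
    ring_init(&r);
    for (uint16_t k = 0x41; k < 0x4B; k++) ring_push(&r, k);
    ring_push(&r, KEY_MIC_MUTE);
    size_t n = ring_snapshot(&r, ev, RING_CAP);
    for (size_t i = 0; i < n; i++)
        printf("seq=%llu key=0x%03x handled=%u\n",
               (unsigned long long)ev[i].seq, ev[i].key, ev[i].handled);
    ring_wipe(&r);
    return 0;
}
```

Nothing is written to disk, and only the last `RING_CAP` events exist at any moment.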

    11. Re:Never assume... by HiThere · · Score: 2

      Malice seems a reasonable assumption, but I think at this point the verdict has to be "not proven". It is, however, a good reason to avoid HP in either case.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  2. My PC is safe it seems by hcs_$reboot · · Score: 4, Funny

    # ls -l C:\windows\system32\mictray64.exe
    ls: cannot access 'C:windowssystem32mictray64.exe': No such file or directory

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:My PC is safe it seems by AnthonywC · · Score: 3, Funny

      You can running windows; you are not safe.

  3. Not a problem! by Joce640k · · Score: 3, Insightful

    Anything capable of reading this is capable of installing its own key logger, so.... non-story.

    Still, it shows the stupidity of some programmers. I get you need to debug things but have an on/off setting and disable it by default.

    --
    No sig today...
    1. Re:Not a problem! by AmiMoJo · · Score: 4, Informative

      Anything capable of reading this is capable of installing its own key logger, so.... non-story.

      No, that's not been true since Vista.

      Anything wanting to start with Windows and log keystrokes will need to be installed with administrator level permissions, which means a UAC prompt to the user (screen goes dark, everything except the warning message vanishes, if configured the user's password is required).

      By pre-installing it HP have provided a handy way for non-privileged malware to perform keylogger functions, without the need for a privilege escalation exploit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Not a problem! by ledow · · Score: 2

      Er... no.

      C:\users\public\MicTray.log

      Public has *read and write* permission for anybody in the CREATOR OWNER and INTERACTIVE groups. The latter includes any logged-in user account. So anyone can potentially read the keystrokes of the admin who sat on the machine before them ten years ago while setting up the machine, even if they don't have - and never have had - permission to even install software on a machine.

      That's not "non-story".

      Installing software that can read the keyboard even when not focused requires a bit more than that. And even a keylogger device on the hardware wouldn't capture HISTORICAL keylogs of the users before you plugged it in.

  4. I have one of these laptops (HP 430 G3). by waspleg · · Score: 2

    I'm at work right now typing on it. It doesn't have this executable, it doesn't have the Conexant audio driver either.

    This does make me curious, though, since I recently tested some newer HP laptops/convertibles which had a noticeable CPU-eating process called Flow which is also tied to the Conexant audio driver.

    We gave them back so I can't check them but it's an interesting coincidence ...

  5. Oh but they do. by waspleg · · Score: 2

    They call it "telemetry" these days, because it sounds better than "spying" and "data exfiltration (theft)".

    Maybe we should be trying to find the EULA for the audio driver? I bet it says they can do whatever the fuck they want =)

    But is "they" Conexant or HP or Microsoft or everyone?

  6. Intent by OhSoLaMeow · · Score: 4, Funny

    "Although we did not find clear evidence that HPs intended to violate laws governing the handling of the keylogged information, there is evidence that they were extremely careless in their handling of very sensitive information."

    -- James Comey

    --
    They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  7. Kid heartbroken by surveillance. by dweller_below · · Score: 4, Insightful

    Recently we had a career fair for high school kids. Everybody was there. The kids loved it.

    For one of our displays, we displayed the traffic of a wireless network using a network visualization tool: https://www.youtube.com/watch?... When the kids connected to the wifi, they could see their traffic. They loved doing different things and seeing what happened.

    Somebody had surreptitiously placed a surveillance tracker on a kid's phone. Everything he did caused a burst of traffic to a remote IP. When he scrolled a screen there was a burst of traffic to that IP. When he typed a character there was a burst of traffic to that IP. He was absolutely heartbroken when he realized what was going on. His wonderful toy instantly became a treacherous enemy. His friends all took a step back and stared at him like he had become contagious.

    I didn't know how to make it better. The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured.

    1. Re:Kid heartbroken by surveillance. by dweller_below · · Score: 2

      The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured.

      This, by the way, was a mistake to say. If someone cared enough to break the law to monitor him, then that person was probably a serious threat to him.

      I realized my mistake later. I was babbling on and on about types of RAT (Remote Access Tools) and the rise of the surveillance state. Eventually I stuttered to a stop when I saw the intense look of horror and betrayal on the kid's face. You could not have hurt him more by stabbing him in the back with a knife. No amount of glib "Et tu Brute?" was going to make it better. His world had just become a dark, treacherous place. Somebody that he trusted, did not trust him. And, by placing the tracker on him in secret, they demonstrated that they were not worthy of trust.

      I still have no idea what I could have said to restore the possibility of love and trust to that kid.

  8. Re:What Is Being Done About This?? by Green Salad · · Score: 2

    I'm doing something about it. I made a bunch of snarky comments at lunch and online.