Slashdot Mirror


HP Issues Fix For Keylogger Found On Several Laptop Models (zdnet.com)

HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016. From a report: HP has since rolled out patches to remove the keylogger, which will also delete the log file containing the keystrokes. A spokesperson for HP said in a brief statement: "HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs. HP has no access to customer data as a result of this issue." HP vice-president Mike Nash said on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for affected 2016 and later models, with 2015 models receiving patches Friday. He added that the keylogger-type feature was mistakenly added to the driver's production code and was never meant to be rolled out to end-user devices. Nash didn't say how many models or customers were affected, but did confirm that some consumer laptops were affected. He also confirmed that a handful of consumer models that come with Conexant drivers are affected.

10 of 72 comments

  1. Fine. by thegreatbob · · Score: 3

    A fix is all well and good, but an explanation would be a nice touch. I guess people just don't get pissed off about getting the shaft anymore.

    --
    There is no XUL, only WebExtensions...
    1. Re:Fine. by Megane · · Score: 5, Informative

      From what I saw yesterday, the "explanation" is:

      1: mediocre programmer guy wants to check the keystrokes that affect volume control, adds a keylogger to the code for debugging
      2: poor version control, or a total lack thereof, combined with lack of code review, allows "temporary" debugging keylogger code to become part of and remain enabled in main-line production code
      3: someone eventually discovers it and SHTF

      In other words, Hanlon's Razor.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Fine. by anegg · · Score: 3, Insightful

      Words fail me. Whether this was incompetence or a poorly-kept secret, the implications are troublesome. A clear demonstration that even mainstream commercial software can't be trusted in some pretty fundamental ways. Yet we conduct more and more of our personal and professional lives on and through software-controlled systems. The explanation is that it was done accidentally, which implies that it is relatively easy to do and will not be detected by whatever quality assurance processes are in place.

    3. Re:Fine. by 110010001000 · · Score: 4, Insightful

      I'm pretty sure that RMS has been saying this for years. You cannot trust any closed source. You have no idea what it is doing. You are trusting unknown people with your data.

    4. Re:Fine. by BK425 · · Score: 2

      Absolutely, and we have to stop reacting with words like "fix", "flaw" and "problematic". This was a serious privacy intrusion on a massive scale. Whether it was some guy up too late on a bad schedule set by his boss Dilbert really doesn't matter. HP published the stuff, Conexant wrote it, they should pay some kind of price.

    5. Re:Fine. by Solandri · · Score: 2

      Technically it wasn't done accidentally. It was done deliberately because the programmer was being lazy. The way you're supposed to do it is via

      #ifdef DEBUG
      /* insert debug code here */
      #endif

      Then you can enable/disable all the debug code with a single #define DEBUG statement. But people being lazy, they stick the debug code straight in thinking they'll just remember to comment it out before they ship the end product. Except they forget. QA can't catch this form of laziness because short of reading all the code with a programmer's eye, there's no way to distinguish debug code from actual code. Which is why you're supposed to use #ifdef DEBUG in the first place - so automated QA can distinguish debug code from real code.

      The real fix here is probably for IDEs to have a macro which automatically inserts the #ifdef DEBUG and #endif statements with a single keystroke or button-press, to discourage programmers from being lazy.
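
    The compile-time guard described in the comment above, worked through as an added example (this is not HP's or Conexant's driver code, and the volume-key handler, the KEYLOG_DEBUG macro name and the key sequence are all made up for illustration). The keystroke trace only exists when KEYLOG_DEBUG is defined; a plain build compiles the logging hook to nothing, and the #error line refuses to build a release (NDEBUG) binary with the trace enabled, which is the automated check the comment alludes to. The VK_VOLUME_* values are the Windows virtual-key codes for the media keys.

```c
/* Added example: a hypothetical volume-key handler whose keystroke
 * debugging is gated by a compile-time KEYLOG_DEBUG macro, so a release
 * build contains no logging code (and no log buffer) at all. */
#include <stdio.h>
#include <string.h>

/* Build-time check: never let the keystroke trace into a release build. */
#if defined(KEYLOG_DEBUG) && defined(NDEBUG)
#error "KEYLOG_DEBUG must not be defined for a release (NDEBUG) build"
#endif

#define VOLUME_MIN 0
#define VOLUME_MAX 100
#define VK_VOLUME_MUTE 0xAD  /* Windows virtual-key codes for the media keys */
#define VK_VOLUME_DOWN 0xAE
#define VK_VOLUME_UP   0xAF

static int g_volume = 50;
static int g_muted = 0;

#ifdef KEYLOG_DEBUG
/* Debug-only keystroke trace; this whole block is absent from normal builds. */
#define KEYLOG_CAPACITY 64
static unsigned char g_keylog[KEYLOG_CAPACITY];
static size_t g_keylog_len = 0;

static void keylog_record(unsigned char vk)
{
    if (g_keylog_len < KEYLOG_CAPACITY)
        g_keylog[g_keylog_len++] = vk;
}
#define KEYLOG(vk) keylog_record(vk)
#else
#define KEYLOG(vk) ((void)0)   /* compiles to nothing */
#endif

/* Returns 1 if keystroke tracing was compiled in, 0 otherwise. */
int keylog_compiled_in(void)
{
#ifdef KEYLOG_DEBUG
    return 1;
#else
    return 0;
#endif
}

/* Number of keystrokes this module is currently retaining. */
size_t keylog_retained(void)
{
#ifdef KEYLOG_DEBUG
    return g_keylog_len;
#else
    return 0;
#endif
}

/* Handle one key-down event. Every key reaches the driver hook, which is
 * exactly why an unguarded trace here would capture all typing, not just
 * the volume keys the debugging was meant to examine. */
int handle_key(unsigned char vk)
{
    KEYLOG(vk);
    switch (vk) {
    case VK_VOLUME_UP:
        g_volume = (g_volume + 2 > VOLUME_MAX) ? VOLUME_MAX : g_volume + 2;
        break;
    case VK_VOLUME_DOWN:
        g_volume = (g_volume - 2 < VOLUME_MIN) ? VOLUME_MIN : g_volume - 2;
        break;
    case VK_VOLUME_MUTE:
        g_muted = !g_muted;
        break;
    default:
        break;   /* ordinary keys are ignored by the volume logic */
    }
    return g_muted ? 0 : g_volume;
}

int current_volume(void) { return g_muted ? 0 : g_volume; }

int main(void)
{
    /* Constructed input: password-like typing with a volume press in between. */
    const unsigned char typed[] = { 'h', 'u', 'n', 't', 'e', 'r', VK_VOLUME_UP, '2' };
    for (size_t i = 0; i < sizeof typed; i++)
        handle_key(typed[i]);
    printf("volume=%d keystrokes retained=%zu tracing compiled in=%d\n",
           current_volume(), keylog_retained(), keylog_compiled_in());
    return 0;
}
```

    Build it plainly (cc example.c) and keylog_retained() stays at 0 no matter what is typed, because the buffer and the recording function do not exist in the object code; build with -DKEYLOG_DEBUG and the trace appears; build with both -DKEYLOG_DEBUG and -DNDEBUG and the compile fails. That last case is the cheap automated check: a release pipeline that always passes -DNDEBUG cannot ship the trace by accident, which is the property a runtime "if (debug)" flag or a commented-out call never gives you.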

  2. Re:Wipe it by Anonymous Coward · · Score: 3, Informative

    The driver containing the keylogger was distributed by Windows Update. Unless you deactivated driver loading from Windows Update, your wiped laptop is also affected.

  3. Re:Wipe it by omibus · · Score: 2

    Because it is a driver, and Microsoft writes as few of those as it can.

    --
    Bad User. No biscuit!
  4. Re:Wipe it by LordWabbit2 · · Score: 2

    Well I did mention links with some kind of proof - just saying "because" is not proof.
    So I googled that for you...
    https://support.hp.com/us-en/d...
    And if it's the TLDR thing then here is the relevant bit

    Many, including Hewlett-Packard, use the Windows Update tool to distribute their updates.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  5. Re:Patch in Question by athmanb · · Score: 2

    It's the "Conexant HD Audio Driver", downloadable from the HP driver website for your model.