Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Laptops Found To Have Hidden Keylogger (bbc.com)

Posted by msmash on from the you-have-been-warned dept.

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models, BBC reported on Monday citing the findings of a security researcher. From the report: Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the "potential security vulnerability." It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop. He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing. According to HP, it was originally built into the Synaptics software to help debug errors. It acknowledged that could lead to "loss of confidentiality" but it said neither Synaptics nor HP had access to customer data as a result of the flaw.

52 of 116 comments (clear)

  1. See, they did not leak any data. by 140Mandak262Jamuna · · Score: 5, Insightful

    but it said neither Synaptics nor HP had access to customer data as a result of the flaw.

    It is like Yale announcing that its locks, made since 1929, could be opened by any pentalobulous screw driver, but neither Yale, nor the screwdriver maker, got any share of the loot taken by any burglar taking advantage of the flaw.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:See, they did not leak any data. by rmdingler · · Score: 4, Informative

      In case anyone else is curious: It's Pentalobular though, not to place too fine a penta-pedant on it.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:See, they did not leak any data. by Hal_Porter · · Score: 3, Funny

      Pentalobular + fabulous = pentalobulous

      Usage :

      "How are we going to open the lock on our cell?"

      "Don't worry I've got my penalobulous screwdriver?"

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:See, they did not leak any data. by toadlife · · Score: 1

      Sorry to hear about your bad luck.

      We have about 300 HP ProBooks (6460/6470/G1/G2) in the hands of users here at work. They have had a very low failure rate.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:See, they did not leak any data. by MerlTurkin · · Score: 1

      Agreed although I have a 4-5 year old HP that I replaced the HD on several times and run Linux mint on it. Runs fine. I go with ASUS now though for new laptops.

    5. Re:See, they did not leak any data. by Swave+An+deBwoner · · Score: 1

      He said his ACER laptops are still working but his advice is to buy ASUS.

      Maybe he has a keyboard problem?

  2. Airtight hatchway, etc by Anonymous Coward · · Score: 5, Insightful

    How do you end up with an attacker that can write to your registry (and also read your log files) but can't just install their own keylogger?

    1. Re:Airtight hatchway, etc by TWX · · Score: 5, Insightful

      An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack or otherwise blocked by not appearing in a whitelist in a corporate environment. The trusted device driver for the keyboard would probably be whitelisted and since vendor software is usually allowed to talk to the Internet so that it can check for updates, allowed to communicate. With these in-mind, the attacker's own payload to activate the keylogger might make so few changes as to not be recognized for what it is by such security software. Also, if someone were to hack HP or Synaptics' systems they could potentially enable it subtly where it might not be obvious that it has been enabled.

      Additionally those traveling internationally with these laptops where the computer may be 'inspected' by a foreign government could find such a logger enabled and again, the security software on the computer might not recognize that it has happened while it might recognize third-party software. If that government would have a second opportunity to inspect the computer then they could retrieve the contents of the log.

      --
      Do not look into laser with remaining eye.
    2. Re:Airtight hatchway, etc by philipmather · · Score: 1

      It makes life considerably easier when the malicious software is considered part of the standard code base, instead of having to connect storage or download something external to the machine you simply have to run a command or two to activate the existing code. Much faster, much easier.

      File integrity or heuristic monitoring software like antivirus software will likely ignore pre-installed malicious code.

      Network level scanning for downloads of likely keyloggers will also not be triggered.

      --
      Regards, Phil
    3. Re:Airtight hatchway, etc by chispito · · Score: 1

      An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack...

      What led you to believe the built-in tool sends the keystrokes over the network? The attacker is still on the hook for exfiltration, so the GP is correct: at that point he has already won.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Airtight hatchway, etc by everlearning · · Score: 1

      This sounds like a James Bond Story.. There is an assumption here that foreign governments have all the "admin" passwords for all company owned laptops in the world. OK, Lets assume this is true, Lets say you have old driver and you did not upgrade to recent version, let's say they have your particular admin password and they took your laptop long enough to modify unpublished registry and enable the particular issue where information is embedded with other ETL messages which are binary encoded. These messages need to be recorded to a file or sent over internet. Sending over internet requires special program which would be detected and blocked. The other choice is to save to an ETL file : In such a James Bond world, I would like to think security packages would be smart enough to locate windows ETW process that always run in the background and create ETL logfile that keeps growing over time. Unless you are debugging a windows issue, there is no reason to run a ETW process or to create ETL file. I would guess it is not difficult for security packages to detect this and block them. Admin password gives such a broad control that I still think there are easier ways to do harm and hide your actions. If you have a security weakness that can only be exploited with Admin password, you should worry first about how to protect your admin password before anything else

  3. What I miss. by orlanz · · Score: 5, Insightful

    This is one of the reasons I really liked the preprocessor in C. I miss #IF DEBUG / #ENDIF.

    1. Re:What I miss. by KiloByte · · Score: 5, Interesting

      I call bullshit on this "mistake" not being intentional. Their coding practices might be bad for other reasons, but if companies add backdoors left and right, at this point it's reasonable to assume malice rather than stupidity.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:What I miss. by 140Mandak262Jamuna · · Score: 2

      Sufficiently advanced stupidity is indistinguishable from malice. (mod on Arthur C Clarke.)

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Access to the machine = install keylogger by Anonymous Coward · · Score: 3, Insightful

    Wouldn't someone able to access the device and enable the keylogger be instead able to, you know, install a keylogger ?

    Hype.

    1. Re:Access to the machine = install keylogger by 110010001000 · · Score: 2, Funny

      HP just included it out of the box so hackers don't even have to do that. Great job, HP.

    2. Re:Access to the machine = install keylogger by Luthair · · Score: 1

      My thought also. I guess maybe its less suspicious if its some hp/synaptic signed code?

  5. Thanks to Intel ME by ReneR · · Score: 2, Insightful

    Each and every recent Intel Core-i with ME can have a very hidden key logger running in the ME the whole day, and even sending them out on the NIC. Say NO to hidden "security" backdoor processors, and "military grade" *lol* trust zones, ....

  6. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  7. The NSA loses another preferred partner tool by sasparillascott · · Score: 5, Insightful

    Just like the things we saw with the networking folks, another vendor says oops look at this surveillance tool we just happened to have left in our production stack we've been putting on all our machines for years. Time for someone to look at Dell and see if they've made the same "mistake".

    1. Re: The NSA loses another preferred partner tool by Zero__Kelvin · · Score: 4, Interesting

      Every vendor that ships Windows 10 ships their product with a surveillance tool. At least this one can be and is disabled.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:The NSA loses another preferred partner tool by Anonymous Coward · · Score: 1

      You're clearly never worked at a large software company. Stuff like this is standard. A respected financial company used a backdoor into their software to auto-install updates to get around having to deal with customer IT departments sitting on their updates before installing them. Instead of having to wait for an IT department to approve the SW changes, the company would push them out without telling anyone. Though at least the updates were extensively tested before hand.

      Well, this was before the practice was wide spread. Now most popular software handles updates like this, installing an admin component along with the standard software. Chrome could be keylogging your computer. It has a 24x7 running update service.

    3. Re:The NSA loses another preferred partner tool by Trax3001BBS · · Score: 1

      Just like the things we saw with the networking folks, another vendor says oops look at this surveillance tool we just happened to have left in our production stack we've been putting on all our machines for years. Time for someone to look at Dell and see if they've made the same "mistake".

      NSA to HP: That backdoor has been compromised we need another or you know what will happen, no more government contracts.

      HP to rest: Oh look what was found, well it's easy to explain; nothing to see here.

    4. Re: The NSA loses another preferred partner tool by Zero__Kelvin · · Score: 1

      I also said that the Windows 10 malware can't be disabled. These days the ME *can* be.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  8. Re:repost? by KiloByte · · Score: 4, Informative

    isnt this a repost from May

    Nope, this is a second keylogger. The one from May was in audio driver, this one is in the keyboard driver. Mentioned in the article -- have you read it before responding?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  9. Re:repost? by Anonymous Coward · · Score: 2, Funny

    Perhaps it's in one of HP's libraries?

    #include "stdkeylogger.h"

  10. Which driver versions included the 'flaw'? by Palmateer · · Score: 3, Interesting

    So I own two of the laptops listed. They both originally came with Win7. I've rebuilt them clean with Win10 which installed a Synaptics driver on its own which is a waay newer version than what HP originally shipped or any updates they previously provided for Win7. Does anyone know if there's a test to see if the version you have is affected? Now HPs offering a softpaq with a new driver. If I install that one is Windows Update going to clobber it when the next one comes out? Will the Windows Update versions include the 'fix'?

    1. Re:Which driver versions included the 'flaw'? by Luckyo · · Score: 3, Insightful

      You already installed win10, which comes with built in microsoft keylogger, among other monitoring implements that call home. Your worry is like worrying about getting wet from crying after your ship sank and you're floating in the ocean.

    2. Re:Which driver versions included the 'flaw'? by Trax3001BBS · · Score: 1

      You already installed win10, which comes with built in microsoft keylogger, among other monitoring implements that call home. Your worry is like worrying about getting wet from crying after your ship sank and you're floating in the ocean.

      As far as I can tell if one disables Windows Cortana (Autoruns) updates are stopped and problem solved. It could be something else involved but Process Explorer seems to agree.

    3. Re:Which driver versions included the 'flaw'? by Luckyo · · Score: 1

      Oh you naive summer child. Cortana is just a small part of the "log everything user does and call home with this information" package, specifically the part that always listens to the user.

      Tracking key presses is another part of internal spyware systems in win10, as is tracking of applications used and usage times and so on.

  11. Same "accident" twice? by Holi · · Score: 4, Informative

    Sorry but how the hell do you allow this to happen twice?

    http://www.zdnet.com/article/k...

    Maybe it's time for law enforcement to get involved.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    1. Re:Same "accident" twice? by MTEK · · Score: 1

      Maybe, but law enforcement should definitely get involved if a teleporter vendor were to follow your sig's logic. You're invoking kill() before copy(). Might as well beam the poor bastard to /dev/null.

    2. Re:Same "accident" twice? by Legion · · Score: 1

      You assume:
      A) it was an accident in either instance, and
      B) law enforcement (NSA) wasn't directly involved in both.

  12. "Attacker w/ access to the computer" Then so what? by PeterM+from+Berkeley · · Score: 1, Insightful

    So an attacker with access to the computer could turn on HP's built-in keylogger.

    Couldn't that same attacker with access to the computer install and turn on his own keylogger, which is probably to his preference because it works with the rest of his toolkit seamlessly on any model of computer instead of just on HPs?

    So, what's the impact exactly?

    This reminds me of promiscuous mode on ethernet interfaces. Debugging tool with security implications that is turned off by default. Useful. Not a big deal. Useful in fact for spotting hackers, because they might turn it on and not hide it. You notice your interface is in promiscuous mode? You know something is up.

    I just can't get worked up about this. It's like they just left some debugging tools around, and yes, nearly any debugging tool can be turned to evil uses, but so can the OS itself if it's been compromised by "a local attacker".

  13. Isn't this old news? by normanjd · · Score: 2

    When the original keylogger problem was discovered a few months ago, HP said it was because someone left the debug "feature" for keylogging turned on by accident. So why is everyone surprised it exists, at least in the old versions?

    1. Re:Isn't this old news? by Desler · · Score: 3, Informative

      Because this is about a different driver having a keylogger. So, no, it’s not old news.

    2. Re:Isn't this old news? by normanjd · · Score: 1

      That's interesting... Implies any driver that uses the HP hotkeys could have the issues... Hmm... Thanks for the clarification....

    3. Re:Isn't this old news? by e432776 · · Score: 2

      The optimist in me wants to think that in response to the last keylogger (in the audio driver) HP did an audit and found this other "oops" in the Synaptics driver. Actually, that would be good spin. Unfortunately, I think systematic incompetence is more likely. Wonder if other drivers have this "feature" enabled, perhaps on machines from other vendors...

  14. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  15. Re:pwd helper by RavenLrD20k · · Score: 2

    Seems like you'd have trouble finding your way out of the ../paper/bag directory if you need to call HP support for help understanding the output of the pwd command. Maybe *NIX isn't for you.

  16. Add HP to my fucklist. (Joining Microsoft, AT& by Hallux-F-Sinister · · Score: 1

    According to HP, it was originally built into the Synaptics software to help debug errors.

    WHAT THE FUCK are you talking about you fucking liars?!? DEBUG ERRORS? You know, when you press "F," and "U" appears on screen? That kind of thing happen a LOT?

    That's like someone who makes WALLETS that are built with a secret wormhole in it that could be opened to a space above a box somewhere in their factory's basement, you know, to DEBUG the wallet. To make sure the wallet doesn't spontaneously have a different amount of money from what it SHOULD HAVE, for some reason, somehow?

    You know, something that can't happen, physically?

    Now, Sir, if you're wondering what government Agency could have Come up with such an Insane idea As this, or Fiddled with Basic Internal parts of a computer, or insist they install a Keystroke Goddamned logger, Boy, you should be. (Hint, hint.)

    Yeah, fuck HP.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
  17. Hidden Keylogger by backgroundpi1 · · Score: 1

    This is very alarming, whether HP or Synaptics did or did not leak any customer information. They should not be saving keystrokes without user permission. - http://www.backgroundpi.com/ team

  18. Re:"Attacker w/ access to the computer" Then so wh by Anonymous Coward · · Score: 1

    It means someone with access to the computer can start keylogging without:

    - having to download or install anything from the internet or local media, in cases of airgapped or usbport-glued-up machines
    - without any virus scanner or regular auditing software detecting any new exes or files installed on the machine
    - bypassing any kind of 'trusted exe only' hardened security rules

    I'm sorry your lack of imagination means you don't see what the impact of this is, or ways in which it differs to an attacker installing his own keylogger.

  19. A year too late. The election is over by raymorris · · Score: 2

    In case you missed it, the election was over a year ago. Slashdot even had stories about it.

    https://politics.slashdot.org/...

    https://politics.slashdot.org/...

    "Trump would _______ [whatever]" isn't helpful at this point; it only serves to get your blood pressure up.

    If you just can't get enough of presidential politics, you could start looking at who might be good in 2020, because that's the next election. Or seek counseling because the whole thing is bull, and not good to focus on 24/7/365. Taking a break for a couple years might be good.

    1. Re: A year too late. The election is over by sheph · · Score: 1

      If that's the only distinguishable difference you can see between Trump and Obama your color blind glasses are defective.

      --
      I don't believe in karma, I just call it like I see it.
    2. Re:A year too late. The election is over by Slashdot+Junky · · Score: 1

      2020 is when we'll vote again for president. Plenty of down ticket elections are coming up beforehand, and people need to get off their asses and then down to their respective voting precinct to help decide these. The down ticket contests matter so much more long-term as it is their winners that are in the pipeline for gaining more power down the road.

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
  20. More Debug Code in Production by EndlessNameless · · Score: 1

    This is only the billionth time that debug code has made it into a production release. It will continue to happen unless there are consequences.

    I think I'd like to see a modest fine from the government whenever debug code makes it into a production environment in a way that poses a risk to security or confidentiality.

    Not enough to really hurt a business. Just enough to encourage following SOPs so their projects are built correctly before getting shipped out to customers.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  21. Well, cool. by roc97007 · · Score: 1

    HP pre-installs a keylogger so I don't have to click on pr0n popups to get one installed. Just another customer service from HP. Yay.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  22. HP and Synaptics should get out of software by idontusenumbers · · Score: 1

    Both HP and Synaptics should get out of the software business. Even if you ignore this flaw; the touchpad drivers installed on HP computers are so awful, unresponsive, glitchy, buggy, and unusable, it's no wonder Microsoft is slamming the hammer down with Precision Touchpad drivers.

  23. Really? by JediJorgie · · Score: 1

    What a bunch of FUD...

    > an attacker with access to the computer could have enabled it to record what a user was typing

    An attacker with access to the computer could just install a keylogger. This is a non-issue.

  24. Re:BOMBING NYC by sheph · · Score: 1

    They don't usually prematurely detonate the bomb blowing themselves up but nobody else in a false flag operation. Not much of a distraction and highlights the fact that we need to be a little more careful about who we accept into our borders. But don't let anything as trivial as reason interfere with your blind Trump hatred.

    --
    I don't believe in karma, I just call it like I see it.
  25. They don't need to break your crypto by nehumanuscrede · · Score: 1

    if keyloggers are present on your system by default.

    By extension, it should be simple to include a built in hardware keylogger into the guts of any keyboard. Simply type in a key sequence to bring up the log file.

    I used to have a usb dongle that did this, don't see why it couldn't be wired directly into the keyboard itself. No way to find it without tearing apart the keyboard and knowing what to look for.