
keylogger found in preinstalled audio driver on HP laptops

zMeul

source: https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt

via: https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/

 

these motha' fuckers don't seem to be willing and stop this bullcrap

1st it was Lenovo, then some shit leaked from Dell .. now HP -_-

 

Quote

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.

 

According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:


C:\users\public\MicTray.log

If the file doesn't exist or a registry key containing this file's path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.

 

The danger is that malicious software installed on the computer, or a person with physical access to the computer, can copy the log file and have access to historical keystroke data, from where he can extract passwords, chat logs, visited URLs, source code, or any other sensitive data.

 

Furthermore, the OutputDebugString API provides a covert channel for malware to record real-time keystrokes without using native Windows functions, usually under the watchful eye of antivirus software.

 

laptops that could be affected by this security flaw:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

if you are affected, stop the process MicTray64.exe and delete that piece of trash from your system

 

---

 

both Conexant and HP were notified and neither replied to the inquiry

at this point no one seems to know or point out whether this package is HP's own doing or Conexant's own release

 

---

 

update May 13th: http://www.zdnet.com/article/keylogger-found-on-several-hp-laptops/

 

HP issued a fix that removes the keylogger

Quote

HP vice-president Mike Nash said on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for newer 2016 and later affected models, with 2015 models receiving patches Friday. He added that the keylogger-type feature was mistakenly added to the driver's production code and was never meant to be rolled out to end-user devices.

Nash didn't say how many models or customers were affected, but did confirm that some consumer laptops were affected.

He also confirmed that a handful of consumer models that come with Conexant drivers are affected.

Edited by zMeul
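The quoted article says that when the log file (or the registry value holding its path) is missing, MicTray64.exe hands every keystroke to OutputDebugString, which any process in the same session can read without touching keyboard APIs. The script below is an added example, not code from modzero, HP, Conexant or either article: a minimal reader for that channel, implementing the DBWIN handshake that debuggers and tools like DebugView use. The reader owns a 4096-byte section named DBWIN_BUFFER plus the events DBWIN_BUFFER_READY and DBWIN_DATA_READY; a writer waits for BUFFER_READY, stores its PID (4 bytes) followed by a NUL-terminated ANSI string, and signals DATA_READY. It assumes Windows PowerShell 5.1 on .NET Framework 4 or later, the same desktop session as the writer, and no other debugger already owning DBWIN_BUFFER (CreateNew throws if one does). The parameter name `$Seconds` and the function name `Read-DebugMessage` are choices made here, not anything from the advisory.

```powershell
# Added example (not from modzero, HP, Conexant or the quoted articles):
# listen on the OutputDebugString channel for a fixed number of seconds and
# print every message with the PID and name of the process that wrote it.
# Assumes Windows PowerShell 5.1, same session as the writer, no other
# debugger holding DBWIN_BUFFER. $Seconds / Read-DebugMessage are names
# chosen for this example.
param([int]$Seconds = 30)

$mmf    = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew('DBWIN_BUFFER', 4096)
$stream = $mmf.CreateViewStream(0, 4096)
$reader = New-Object System.IO.BinaryReader($stream)
$mode   = [System.Threading.EventResetMode]::AutoReset
$bufferReady = New-Object System.Threading.EventWaitHandle($false, $mode, 'DBWIN_BUFFER_READY')
$dataReady   = New-Object System.Threading.EventWaitHandle($false, $mode, 'DBWIN_DATA_READY')

function Read-DebugMessage {
    # Decode one message from the shared section: DWORD writer PID, then text up to NUL.
    param([System.IO.Stream]$Stream, [System.IO.BinaryReader]$Reader)
    $Stream.Position = 0
    $writerPid = $Reader.ReadUInt32()
    $bytes     = $Reader.ReadBytes(4092)
    $len       = [Array]::IndexOf($bytes, [byte]0)
    if ($len -lt 0) { $len = $bytes.Length }
    [pscustomobject]@{
        ProcessId = $writerPid
        Text      = [System.Text.Encoding]::Default.GetString($bytes, 0, $len).TrimEnd("`r", "`n")
    }
}

$deadline = (Get-Date).AddSeconds($Seconds)
try {
    [void]$bufferReady.Set()                            # buffer is free: writers may proceed
    while ((Get-Date) -lt $deadline) {
        if (-not $dataReady.WaitOne(500)) { continue }  # short waits keep Ctrl+C responsive
        $msg = Read-DebugMessage -Stream $stream -Reader $reader
        [void]$bufferReady.Set()                        # hand the buffer back before slow work
        $proc = Get-Process -Id $msg.ProcessId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        '{0:HH:mm:ss.fff} pid={1,-6} {2,-14} {3}' -f (Get-Date), $msg.ProcessId, $name, $msg.Text
    }
} finally {
    $reader.Dispose(); $stream.Dispose(); $mmf.Dispose()
    $bufferReady.Dispose(); $dataReady.Dispose()
}
```

Run it as `.\Watch-DbWin.ps1 -Seconds 60`, then type in another window. On a machine where the log file is in place you should see nothing from MicTray64, because the article says the debug channel is only used when the file or its registry path is missing; on one where it is, keystrokes appear in real time, which is exactly what a second process could collect. Two caveats: the section and events are session-local, so a listener in another session or a service's output (which lands in the Global namespace) is not seen this way, and if a debugger is attached to the writing process it receives the string first and nothing reaches DBWIN.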

Makes me glad that the notebooks I own are Acer and Asus.

Personal Desktop:

CPU: Intel Core i7 10700K @5ghz |~| Cooling: bq! Dark Rock Pro 4 |~| MOBO: Gigabyte Z490UD ATX|~| RAM: 16gb DDR4 3333mhzCL16 G.Skill Trident Z |~| GPU: RX 6900XT Sapphire Nitro+ |~| PSU: Corsair TX650M 80Plus Gold |~| Boot:  SSD WD Green M.2 2280 240GB |~| Storage: 1x3TB HDD 7200rpm Seagate Barracuda + SanDisk Ultra 3D 1TB |~| Case: Fractal Design Meshify C Mini |~| Display: Toshiba UL7A 4K/60hz |~| OS: Windows 10 Pro.

Luna, the temporary Desktop:

CPU: AMD R9 7950XT  |~| Cooling: bq! Dark Rock 4 Pro |~| MOBO: Gigabyte Aorus Master |~| RAM: 32G Kingston HyperX |~| GPU: AMD Radeon RX 7900XTX (Reference) |~| PSU: Corsair HX1000 80+ Platinum |~| Windows Boot Drive: 2x 512GB (1TB total) Plextor SATA SSD (RAID0 volume) |~| Linux Boot Drive: 500GB Kingston A2000 |~| Storage: 4TB WD Black HDD |~| Case: Cooler Master Silencio S600 |~| Display 1 (leftmost): Eizo (unknown model) 1920x1080 IPS @ 60Hz|~| Display 2 (center): BenQ ZOWIE XL2540 1920x1080 TN @ 240Hz |~| Display 3 (rightmost): Wacom Cintiq Pro 24 3840x2160 IPS @ 60Hz 10-bit |~| OS: Windows 10 Pro (games / art) + Linux (distro: NixOS; programming and daily driver)

1 minute ago, Princess Cadence said:

Makes me glad that the notebooks I own are Acer and Asus.

just check if you have Conexant audio xD then and only then be happy


Serves you right if you buy an HP pc.

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.


The affected laptops aren't even their cheap-ass consumer PCs, it's their enterprise range devices. What the fuck?

Maybe it's Conexant's fault? 

Having problems with your fresh Windows 10 install? PM Me!
Windows 10- Want To Disable Telemetry, Disable Cortana, Disable Windows Updates? Look at my guide HERE
LTT Beginners Guide  | Community Standards | TN&R Posting Guidelines


Just now, zMeul said:

just check if you have Conexant audio xD

Just did and I'm safe pheew... also people tape the webcam to avoid some creepy guy watching them, I go and delete everything driver related so it is unusable rather xD

 

Only time I used a webcam was for my boyfriend and that made me awfully uncomfortable to be honest :/


4 minutes ago, Kherm said:

The affected laptops aren't even their cheap-ass consumer PCs, it's their enterprise range devices. What the fuck?

Maybe it's Conexant's fault? 

 

5 minutes ago, djdwosk97 said:

Serves you right if you buy an HP.

I'd blame them both since HP didn't check

and it sounds like the exe is part of the Conexant audio driver and not something HP might've cooked - and yet again .. we don't know for sure

 

ps: it looks like gross negligence / shit programming logic rather than malicious intent


1 minute ago, Princess Cadence said:

Just did and I'm safe pheew... also people tape the webcam to avoid some creepy guy watching them, I go and delete everything driver related so it is unusable rather xD

 

Only time I used a webcam was for my boyfriend and that made me awfully uncomfortable to be honest :/

I like to remove the border from around the LCD, and physically unplug it.


1 minute ago, Princess Cadence said:

Just did and I'm safe pheew... also people tape the webcam to avoid some creepy guy watching them, I go and delete everything driver related so it is unusable rather xD

 

Only time I used a webcam was for my boyfriend and that made me awfully uncomfortable to be honest :/

most cameras are detected by Windows without a need for 3rd party drivers 9_9


Now you know why companies apply their own images to their hardware.

I deal in shitposts and shitpost accessories.


Aaaaaand time to inform the whole school about this. Yay.

BOINC Setup:
i5 7200U @ Stock

Core2Duo T6600 @ Stock

i3 2330M @ Stock

i5 3210M @ Stock

 


I have a hp netbook, can't remember what the audio codec is. Anyway it came with win8 and I'm currently running win10, with a clean install. Audio drivers came from Microsoft cause HP stopped providing drivers since 8.1

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


9 minutes ago, Jito463 said:

Definitely makes a case for doing a clean format and reload when you buy a laptop, something I've always done just to rid myself of the bloatware that comes preloaded (even though I've only ever owned two laptops).

Ya most laptops ship in a really terrible state.. The amount of unnecessary junk that pops up at you on bootup.


1 minute ago, valdyrgramr said:

Thinkpad master race.  

you mean that company that installed Blowfish on their systems xD


Is this even legal? I'd actually like to own an HP laptop just so I would have standing for an official complaint about it.


2 minutes ago, NumLock21 said:

netbook

Oh, so you're used to getting screwed with garbage.


2 minutes ago, valdyrgramr said:

I never said Lenovo. xD IBM baby!

sorry mate, ThinkPads are Lenovo machines xD and since 2005 they bought the brand name


Just now, valdyrgramr said:

They became Lenovos, and not all of them had blowfish.  That was selective models.  IBM created the ThinkPad, but sold off their home computer and smaller servers to Lenovo

nope, they always were Lenovos - IBM only did the design up until 2005


4 minutes ago, djdwosk97 said:

Oh, so you're used to getting screwed with garbage.

Got screwed twice. xD

 


2 minutes ago, valdyrgramr said:

Re-read my comment.  Lenovo "bought" them.  

re-read my comment

ThinkPads were always Lenovo, IBM only did the design


While this is really shitty, I think people are aiming their anger at the wrong target.

HP has not done anything wrong here. They simply installed the driver needed for the hardware to work. The driver is written by a third party company. The way the program works is bad, but like the article says it is not too uncommon (key strokes needs to be monitored if you want things like push-to-talk).

 

Chances are this is a debugging thing that was forgotten. It is super bad and things like this really should not happen, but I will say it was because of stupidity rather than maliciousness.

 

Edit:

Phew... I don't have it on my laptop. Looks like either my company or I uninstalled it.

I do have the log file though, but it's empty.

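The OP's advice ("stop the process MicTray64.exe and delete it") and the check the previous poster did by hand (looking for the binary and the log file) can be done in one place. The script below is an added example, not code from modzero, HP or the quoted articles. It reports the indicators the thread names: a MicTray executable in System32, the logon Scheduled Task that starts it, a running instance, the keystroke log under C:\Users\Public together with who can read it, and the Conexant driver version as Windows reports it. With `-Remediate` it stops the process, unregisters the task, removes the binary and deletes the log. Assumptions: run as Administrator in Windows PowerShell 5.1; `MicTray*.exe` is used as a pattern so the 64-bit file name from the article matches without hard-coding other names; and the article's package version 1.0.0.46 is compared against the DriverVersion that Win32_PnPSignedDriver exposes, which may not follow the same numbering, so that line is a hint rather than proof. The `-Remediate` switch and the `$findings` layout are choices made here.

```powershell
# Added example (not from modzero, HP or the quoted articles): report the
# MicTray keylogger indicators on this host and optionally remove them.
# Assumes Administrator, Windows PowerShell 5.1. The 'MicTray*.exe' pattern and
# the driver-version comparison are approximations, see the lead-in.
[CmdletBinding()]
param([switch]$Remediate)

$BadVersion = [version]'1.0.0.46'                           # package version quoted in the article
$LogPath    = Join-Path $env:PUBLIC 'MicTray.log'           # C:\Users\Public\MicTray.log
$Binaries   = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter 'MicTray*.exe' -ErrorAction SilentlyContinue)
$Tasks      = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
                Where-Object { $_.Actions | Where-Object { $_.Execute -like '*MicTray*' } })
$Procs      = @(Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue)

$findings = [ordered]@{}
$findings['binary']          = if ($Binaries) { $Binaries.FullName -join ', ' } else { 'not present' }
$findings['scheduled task']  = if ($Tasks) { ($Tasks | ForEach-Object { $_.TaskPath + $_.TaskName }) -join ', ' } else { 'none' }
$findings['running process'] = if ($Procs) { $Procs.Id -join ', ' } else { 'none' }

# The log sits in the Public profile, so by default every local account can read it.
if (Test-Path $LogPath) {
    $log     = Get-Item $LogPath
    $readers = (Get-Acl $LogPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
    $findings['log file'] = '{0} ({1} bytes, modified {2}); readable by: {3}' -f `
        $log.FullName, $log.Length, $log.LastWriteTime, ($readers -join ', ')
} else {
    $findings['log file'] = 'not present'
}

# Conexant audio driver version as the PnP subsystem reports it (hint only, see lead-in).
Get-CimInstance Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.DeviceName -like '*Conexant*' -and $_.DriverVersion } |
    ForEach-Object {
        $v = $null
        try { $v = [version]$_.DriverVersion } catch { }
        $flag = if ($v -and $v -le $BadVersion) { 'at or below 1.0.0.46' } else { 'not matched' }
        $findings['driver: ' + $_.DeviceName] = '{0} ({1})' -f $_.DriverVersion, $flag
    }

$findings.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

if (-not $Remediate) { return }
if ($Procs)    { $Procs | Stop-Process -Force }
if ($Tasks)    { $Tasks | Unregister-ScheduledTask -Confirm:$false }
if ($Binaries) { $Binaries | Remove-Item -Force }          # Access Denied here means TrustedInstaller owns the file
if (Test-Path $LogPath) { Remove-Item $LogPath -Force }   # the log holds every user's keystrokes
'Remediated. The microphone mute hotkey will not work until HP''s corrected driver is installed.'
```

Run `.\Check-MicTray.ps1` to see the report, then `.\Check-MicTray.ps1 -Remediate` to act on it. A non-empty log is the thing to worry about: it is world-readable by design of the Public folder, it may already have been picked up by backups or file sync, and anything typed since the driver was installed (passwords included, as the article notes) should be treated as exposed. Deleting the executable is the stop-gap the OP suggests; the driver update HP published through Windows Update and HP.com, mentioned in the May 13th update above, is the proper fix and restores the hotkey.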
