Some HP laptops are apparently recording everything you type, including usernames and passwords, personal information according to Switzerland based cybersecurity firm, Modzero. If you thought that this flaw was masterminded by the hackers, then you are wrong?
The culprit in question here is the audio driver preinstalled on several HP laptops that contain a keylogger that records all of a user’s keystrokes and stores the information in a way that can be easily misused. The audio drivers were discovered in HP laptops packaged and distributed by the company since at least Christmas 2015.
The keylogger that was first discovered by Modzero in Conexant HD Audio Driver Package versions 220.127.116.11 and earlier, on April 28 was publicly disclosed on Thursday.
So, what is the cause of the problem? Apparently, there is a file called ‘MicTray64.exe’ that comes preinstalled within the audio driver on several models of HP laptops. Every time when a user logs into their computer, the executable starts and “monitors all keystrokes made by the user.” For instance, keystrokes for actions such as muting/unmuting the microphone is intercepted by the audio driver. However, this process unintentionally processes everything and then writes it to an unencrypted log file.
Even though the file is overwritten at start-up after each login, there are ways to retrieve past versions if, for instance, you have regular backups of your HP device. The more recent version (18.104.22.168) creates a log file of all the key presses at C:UsersPublicMicTray.log. If you find this log file existing in your C drive, then please have it deleted immediately, says the firm.
Further, the firm has recommended the HP users that if they find the program C:WindowsSystem32MicTray64.exe or C:WindowsSystem32MicTray.exe installed in their computers to have it deleted or rename the executable to stop further recording of the keystrokes. However, by doing this, may disable special key function but that’s a fair trade-off IMO.
Modzero believes that there “is no evidence that this keylogger has been intentionally implemented,” adding that “it is [obviously]a negligence of the developers.”
The potential exploit is present on most Windows 7 and Windows 10 systems, according to Modzero. There are 28 HP laptops that have been confirmed to use the Conexant HD audio driver package that contains the MicTray64.exe file, and other manufacturers that use the same audio driver may also be at risk. Click here to check the list of vulnerable devices and technical details about the exploit from HP.
Since HP Enterprise refused to take any responsibility, nor did Conexant respond to the inquiries made by Modzero, the cybersecurity firm decided to go ahead and disclose the findings to the public in accordance with their Responsible Disclosure process.
After the disclosure, HP has started rolling out patches to remove the keylogger, which will also delete the log file containing the keystrokes, reports ZDNet.
In a brief statement, a spokesperson for HP said: “HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs. HP has no access to customer data as a result of this issue.”
Mike Nash, Vice-President of HP said to ZDNet on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for newer 2016 and later affected models, with 2015 models receiving patches Friday. The keylogger-type feature was added to the driver’s production code by mistake and was never meant to be rolled out to end-user devices, added Nash. He also confirmed that few consumer models that come with Conexant drivers were affected.