HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers have warned. The devices then store the key presses in an unencrypted file on the hard drive.
The keylogger responsible is encrypted in a device driver manufactured by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That’s according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file which allows the driver to respond when the user presses special keys. Now it turns out that the file sends all keystrokes to a debugging interface or writes them to a log file available on the computer’s C drive.
"This type of debugging turns the audio driver effectively into keylogging spyware," modzero researchers wrote. "On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015."
The log file is situated at C:-Users-Public-MicTray.log which is overwritten after every reboot. But there are several ways that the content could survive for weeks, or even indefinitely. Forensic tools make restoring deleted or overwritten files easy. And in the event the compute is backed up regularly, it is easy that the backups would contain a comprehensive history of everything that was typed on the keyboard. This includes passwords, e-mails, and contacts. Modzero researchers said they issued the public advisory after both HP and Conexant failed to respond to messages privately reporting the findings.
According to the technical details, the modzero researchers have stated:
Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook [1] function that is installed by calling SetwindowsHookEx().
In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:-Users-Public-MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user's keystrokes. In version 10.0.0.31, only OutputDebugString was used to forward key scancodes and nothing was written to files.
The affected HP models include HP Elitebooks, HP Probook, HP ZBooks, and HP Elites. Users can check to see if their HP computer is at risk by searching for the files C:-Windows-System32-MicTray.exe or C:-Windows-System32-MicTray64.exe. Modzero said PCs sold by other manufacturers that contain Conexant drivers may be similarly at risk. Neither HP nor Conexant responded to requests to comment for this post.
