Built-in Keylogger Discovered On Several HP Laptop Models

Your HP laptop may be silently recording everything you are typing on your keyboard.

While examining Windows Active Domain infrastructures, security researchers from the Switzerland-based security firm Modzero have discovered a built-in keylogger in an HP audio driver that is spying on all your keystrokes.
A keylogger is a program that records every keystroke by monitoring the keys you press on your keyboard. Usually, malware and trojans use this ability to steal your account information, credit card numbers, passwords, and other private data.

HP computers come with audio chips developed by Conexant, a manufacturer of integrated circuits that also develops drivers for its audio chips. Named Conexant High-Definition (HD) Audio Driver, the driver helps the software to communicate with the hardware. The keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier. One of the files in this audio driver package is MicTray64.exe, found at C:\windows\system32\mictray64.exe. This file is started by a Scheduled Task every time the user logs into the computer.

Depending on the computer model, HP also embeds some code inside the audio drivers delivered by Conexant to handle special keys, such as the microphone mute/unmute keys and hotkeys.
According to the researchers, the code written by HP was poorly implemented: it not only captures the special keys, but also records every single key-press and stores them in a human-readable file.
This log file, located in the public folder at C:\Users\Public\MicTray.log, contains sensitive information like users’ login data and passwords, and is accessible to any user or third-party application installed on the computer.
Malware installed on a PC, or even a person with physical access to it, can copy the log file and gain access to all your keystrokes, extracting sensitive data such as bank details, passwords, chat logs, and source code.

“So what’s the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP?” Modzero researchers question HP.
In 2015, this keylogging feature was introduced as a new diagnostic feature with update version 1.0.0.46 of the HP audio drivers, and it has existed on nearly 30 different HP Windows PC models shipped since then.

Affected models include:

HP EliteBook 820 G3 Notebook PC

HP EliteBook 828 G3 Notebook PC

HP EliteBook 840 G3 Notebook PC

HP EliteBook 848 G3 Notebook PC

HP EliteBook 850 G3 Notebook PC

HP ProBook 640 G2 Notebook PC

HP ProBook 650 G2 Notebook PC

HP ProBook 645 G2 Notebook PC

HP ProBook 655 G2 Notebook PC

HP ProBook 450 G3 Notebook PC

HP ProBook 430 G3 Notebook PC

HP ProBook 440 G3 Notebook PC

HP ProBook 446 G3 Notebook PC

HP ProBook 470 G3 Notebook PC

HP ProBook 455 G3 Notebook PC

HP EliteBook 725 G3 Notebook PC

HP EliteBook 745 G3 Notebook PC

HP EliteBook 755 G3 Notebook PC

HP EliteBook 1030 G1 Notebook PC

HP ZBook 15u G3 Mobile Workstation

HP Elite x2 1012 G1 Tablet

HP Elite x2 1012 G1 with Travel Keyboard

HP Elite x2 1012 G1 Advanced Keyboard

HP EliteBook Folio 1040 G3 Notebook PC

HP ZBook 17 G3 Mobile Workstation

HP ZBook 15 G3 Mobile Workstation

HP ZBook Studio G3 Mobile Workstation

HP EliteBook Folio G1 Notebook PC

How to Check if You Are Affected and What You Can Do

If either of the following two files exists on your system, then this keylogger is present on your PC:
C:\Windows\System32\MicTray64.exe
C:\Windows\System32\MicTray.exe
If either of the above files exists, Modzero advises that you delete or rename the executable in order to prevent the audio driver from collecting your keystrokes.
“Although the file is overwritten after each login, the content is likely to be easily monitored by running processes or forensic tools,” researchers warned. “If you regularly make incremental backups of your hard-drive – whether in the cloud or on an external hard-drive – a history of all keystrokes of the last few years could probably be found in your backups.”
Also, if you make regular backups of your hard drive that include the Public folder, the file in question may also exist there with your sensitive data in plain text for anyone to see.
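
The check described above can be scripted. The following PowerShell is an added example, not code from Modzero or HP: it is read-only, looks for the two executables and the log file named in this article, and lists any Scheduled Task whose action launches MicTray. It assumes Windows 8 or later (for Get-ScheduledTask) and a 64-bit PowerShell session.

```powershell
# Added example: read-only triage for the artifacts named in this article.
# Run from 64-bit PowerShell; a 32-bit session on 64-bit Windows is redirected
# from System32 to SysWOW64 and would miss the files.
$exePaths = @(
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe'
)
$logPath = 'C:\Users\Public\MicTray.log'

$findings = @()

foreach ($path in $exePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Artifact = 'Executable'
            Path     = $item.FullName
            Detail   = "FileVersion=$($item.VersionInfo.FileVersion)"
        }
    }
}

# Report only metadata for the log; its content may hold typed passwords.
if (Test-Path -LiteralPath $logPath -PathType Leaf) {
    $log = Get-Item -LiteralPath $logPath
    $findings += [pscustomobject]@{
        Artifact = 'Keystroke log'
        Path     = $log.FullName
        Detail   = "Size=$($log.Length) bytes; LastWrite=$($log.LastWriteTime.ToString('s'))"
    }
}

# The article says the executable is started by a Scheduled Task at logon.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions | Where-Object { $_.Execute -match 'MicTray' } }
foreach ($task in $tasks) {
    $findings += [pscustomobject]@{
        Artifact = 'Scheduled task'
        Path     = "$($task.TaskPath)$($task.TaskName)"
        Detail   = "State=$($task.State)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MicTray executable, log file, or scheduled task found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

If the log file is reported, check any backups that include C:\Users\Public for older copies as well.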


