That fancy new HP EliteBook laptop you just bought? It may be silently recording every keystroke, according to Swiss infosec firm ModZero.
[EN] Keylogger in Hewlett-Packard Audio Driver – Blog post (https://t.co/x1aybAAnKC) and Security Advisory (https://t.co/6ObxOjd0df)
— modzero AG (@mod0) May 11, 2017
For what it’s worth, it doesn’t look like there’s malice here – just staggering incompetence.
According to ModZero’s blog post, an update to HP’s audio drivers released in 2015 introduced new diagnostic features. One of these is used to detect if a special key had been pressed or released. Except it seems this was poorly implemented, as the driver ultimately acted like a keylogger, capturing and procesing every single keypress.
A later update to the driver was even more troubling, as it introduced behavior that wrote every single keypress to a log file stored locally on the user’s system. This is found at C:\Users\Public\MicTray.log.
Fortunately, this logfile is wiped every time you logout of your system, but as ModZero points out, if you’ve got any kind of incremental backup system in place, you could effectively be creating a permanent record of everything you type, every day.
ModZero recommends that all users of HP computers “… should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.” If so, it recommends the executable be deleted or renamed, in order to prevent it from logging keystrokes, although it notes that if you do this, certain special keys may no longer work.
It also recommends that users delete the MicTray log file, as it may contain sensitive information, like passwords and login credentials.
In the security advisory, the company published a list of computers known to be affected. These are as follows:
- HP EliteBook 820 G3 Notebook PC
- HP EliteBook 828 G3 Notebook PC
- HP EliteBook 840 G3 Notebook PC
- HP EliteBook 848 G3 Notebook PC
- HP EliteBook 850 G3 Notebook PC
- HP ProBook 640 G2 Notebook PC
- HP ProBook 650 G2 Notebook PC
- HP ProBook 645 G2 Notebook PC
- HP ProBook 655 G2 Notebook PC
- HP ProBook 450 G3 Notebook PC
- HP ProBook 430 G3 Notebook PC
- HP ProBook 440 G3 Notebook PC
- HP ProBook 446 G3 Notebook PC
- HP ProBook 470 G3 Notebook PC
- HP ProBook 455 G3 Notebook PC
- HP EliteBook 725 G3 Notebook PC
- HP EliteBook 745 G3 Notebook PC
- HP EliteBook 755 G3 Notebook PC
- HP EliteBook 1030 G1 Notebook PC
- HP ZBook 15u G3 Mobile Workstation
- HP Elite x2 1012 G1 Tablet
- HP Elite x2 1012 G1 with Travel Keyboard
- HP Elite x2 1012 G1 Advanced Keyboard
- HP EliteBook Folio 1040 G3 Notebook PC
- HP ZBook 17 G3 Mobile Workstation
- HP ZBook 15 G3 Mobile Workstation
- HP ZBook Studio G3 Mobile Workstation
- HP EliteBook Folio G1 Notebook PC
We’ve reached out to HP for more information. If we hear back from them, we’ll update this post.
Update: HP replied to our inquiry with the following comment: “HP is committed to the security of its customers and we are aware of an issue on select HP PCs. We have identified a fix and will make it available to our customers.”
Get the TNW newsletter
Get the most important tech news in your inbox each week.