Over the past few years, we've seen some high-profile security problems with laptops from Lenovo, Samsung, and Dell. HP, up until now, had managed to escape any serious issues. According to the Swiss infosec company ModZero, that's changed, courtesy of a keylogger embedded (probably accidentally) into certain sound drivers used on HP laptops.

HP uses Conexant audio chips for some of its laptops, which means it also ships Conexant's included software and drivers. Here's how ModZero describes the problem:

Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model – for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input.

Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcast through a debugging interface or written to a log file in a public directory on the hard-drive.

This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.

The keylogger is created by flaws in Conexant's MicTray64.exe application. It's designed to monitor keystrokes and respond to user input, probably to respond to commands to mute or unmute the microphone, or begin capturing data inside an application. Unfortunately, it also writes out all keystroke information into a publicly accessible file located at C:\Users\Public\MicTray.log. In the event that this log file does not exist, the keystrokes are passed to the OutputDebugString API, allowing any process to capture this information without being identified as a malicious program.

Conexant doesn't list "Surprise keylogger" as any of its features.

This behavior appears to have been introduced with version 1.0.0.46 of MicTray64. ModZero has also provided pseudo-code showing how the MicTray64 application captures information and outputs it to a log file or allows it to be captured; that information is available here.

Any application running in a user session that can monitor debug messages could be modified to log keystroke information based on the way MicTray64 is implemented. There's no explanation for why Conexant implemented this function in such fashion and the ModZero team doesn't think it's intentional. But there's also no way to fix the issue at this point in time, apart from possibly uninstalling all sound software from the system. Deleting the MicTray64.exe application would seem to work, but this could result in a non-functional microphone.

For now, ModZero recommends that users check for and delete or rename the MicTray64 and MicTray applications (located at C:\Windows\System32\). If you aren't comfortable accessing protected file space within Windows, ask someone for help — mucking around in the System32 directory without knowing what you're doing can destroy your OS installation.
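
A read-only PowerShell check for the files named above, added here as an example and not taken from ModZero, HP, or Conexant. It assumes the "MicTray" application is named MicTray.exe and treats version 1.0.0.46 and later as affected; it reports the log file's size and timestamp without reading its contents.

```powershell
# Added example: read-only audit for the MicTray artifacts named in the article.
# Paths and the version number come from the article; 'MicTray.exe' as the file
# name of the "MicTray" application is an assumption.
$system32      = Join-Path $env:SystemRoot 'System32'
$binaries      = 'MicTray64.exe', 'MicTray.exe'
$logPath       = 'C:\Users\Public\MicTray.log'
$firstAffected = [version]'1.0.0.46'

$findings = @()
foreach ($name in $binaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    # Build the version from the numeric fields; the FileVersion string
    # can carry extra text that does not parse.
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $procName = [IO.Path]::GetFileNameWithoutExtension($name)
    $running  = @(Get-Process -Name $procName -ErrorAction SilentlyContinue).Count -gt 0

    $findings += [pscustomobject]@{
        Item    = $path
        Detail  = "version $ver, running: $running"
        # Assumption: 1.0.0.46 and anything newer is treated as affected,
        # since the article reports no fixed release.
        Flagged = $ver -ge $firstAffected
    }
}

if (Test-Path -LiteralPath $logPath -PathType Leaf) {
    $log = Get-Item -LiteralPath $logPath
    # Metadata only: the file contents may include typed passwords.
    $findings += [pscustomobject]@{
        Item    = $logPath
        Detail  = "$($log.Length) bytes, last written $($log.LastWriteTime)"
        Flagged = $true
    }
}

if ($findings.Count -eq 0) {
    'No MicTray binaries or log file found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from a 64-bit PowerShell session so the System32 path is not redirected; a missing log file does not rule out exposure, because in that case the keystrokes go to OutputDebugString instead.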

HP, to date, has not released any information on how they intend to resolve this issue or made any public comment.