Covert Keylogger sold with HP's Laptops..

[sman]

OMG..

https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/?utm_content=buffer20997&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

Quote

HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive.

The keylogger is included in a device driver developed by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That's according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. It turns out that the file sends all keystrokes to a debugging interface or writes them to a log file available on the computer's C drive.

 

[exile360]

Wow, that's just brilliant.  So they built a keylogger for debugging purposes and really didn't realize that they'd basically created a typical piece of malware?  And since it's not encrypted, it could be accessed by anyone with read access to the folder where it's kept, which could be very bad news indeed.  At least it doesn't have the more advanced functionality of truly malicious keyloggers like screencapture and browser/website monitoring though, as that would be even worse (though this is already bad enough) since the keystrokes (i.e. passwords etc.) could then be associated with the sites they're used on.  Still, any account numbers, credit card numbers and PII would be easy pickings.

Scary stuff.

Thanks for posting this.  Hopefully HP deals with the issue swiftly and makes sure those files get deleted from their customers' drives as soon as possible (hopefully automatically as part of a patch pushed out to their systems).

[sman]

It's not about HP alone but also PC's of other makers which have Audio driver supplied by Conexant are at risk, too.

[Firefox]

HP rolled out patches weeks ago on this issue... its sort of old news...

http://www.zdnet.com/article/keylogger-found-on-several-hp-laptops/

 

[sman]

The arstechnica article is dated 12th, the same day as zdnet and HP's security bulletin and post here is on 19th.. but still shocking a fact to come across..

[sman]

First of all it's un-ethical and from a brand like 'HP' is the least expected, what with their R&D, Quality control.. How can this happen? They have a lot to explain, heads to roll.. A PRO disaster.. If sued, can they be able to ride that?..

[Firefox]

Well IMO, that argument should be made to HP.... we here at the Malwarebytes forum usually discuss Malware and such....

[sman]

Well, a general topic on industry happening is what it is about..

[sman]

Many industry happenings have taken centrestage like the Apple vs FBI with considerable interest.. Herein the HP topic with it's serious impact on industry standards, brand value hit and it's aftermath not likely to pass into eternity so soon. Maybe HP clients who are still unaware could benefit from this topic.. 

[sman]

An update on this in https://www.itnews.com.au/news/hp-pushes-out-second-keylogger-patch-461992

 

Quote

HP pushes out second keylogger patch

 

First patch only turned off snoopware functionality.

HP Inc has pushed out a fix to remove a keystroke logging feature in the audio driver software bundled with HP Inc notebooks that could leak sensitive private and confidential information.

Quote

An earlier patch issued by HP on May 14 simply turned off the keylogging feature rather than removing it, ModZero said.

ModZero researcher Thorsten Schröder said this meant the keylogging feature could be re-enabled simply by changing two settings in the Windows Registry configuration database.

As a result, it was relatively easy to repurpose the audio driver to create keylogging spyware, with researcher "DiabloHorn" posting an proof of concept article on how to do so.

HP Inc said there are now SoftPaq updates available for the affected notebook computers that contain the keylogging functionality.

 

[exile360]

Does anyone know if, in patching this issue HP is also deleting any existing logs created by this keylogger?  If not and a user is unaware of the issue or where to find the file, an attacker just has to get access to that file with read permissions (much easier to obtain in most cases than the normal write permissions required by malware) and they've got everything logged prior to the patch being executed.

Edited May 24, 2017 by exile360

[sman]

The vulnerability CVE-2017-8360 https://nvd.nist.gov/vuln/detail/CVE-2017-8360