Keylogger Found in Audio Drivers on Some HP Machines | Threatpost
An audio driver that comes installed on some HP-manufactured computers records users’ keystrokes and stores them in a world-readable plaintext file, researchers said Thursday.
The culprit appears to be version 126.96.36.199 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines.
ModZero, a Swiss security firm, found the file–which it calls a keylogger, and disclosed it Thursday via an advisory on its site. Researchers with the firm say the program monitors all keystrokes made by the user and that it’s been programmed to capture and react to functions such as microphone mute/unmute keys/hotkeys.
The keylogger broadcasts the keystrokes through a debugging interface and writes them to a log file, C:UsersPublicMicTray.log.
ModZero is warning the issue (CVE-2017-8360) could lead to the leaking of sensitive user information, such as passwords. Anyone with access to the unencrypted file system could recover the data. Furthermore, since the program isn’t considered malicious, malware authors wouldn’t have trouble capturing victim’s keystrokes either. Researchers say the keylogger comes registered as a Microsoft Scheduled Task, so it runs after each user login. While the file is overwritten each time, ModZero says it could easily be recruited by a running process or analyzed by someone with forensic tools.
Researchers surmised the software has been recording keystrokes since version 188.8.131.52 was released, on Christmas Eve 2015, but stress that the same problem exists in the most recent version, 184.108.40.206, released last October.
Researchers say it’s not known if the log data is submitted to Conexant or for that matter why the keystrokes are logged being logged in the first place.
Thorsten Schroeder, ModZero’s senior security consultant and CEO, says there’s no proof the program was intentionally implemented but that it mostly demonstrates the developers’ “negligence.”
“If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user,” Schroeder wrote Thursday.
Schroeder says he attempted to contact Conexant about the driver twice, once via email in April and again in May via Twitter, but failed to hear back both times.
@ConexantSystems I’m looking for a software security contact at Conexant. My Email has been ignored. Please DM as soon as possible, thanks.
— THS (@__ths__) May 2, 2017
ModZero also warns the audio driver comes installed on a slew of HP machines, including its EliteBook, Elite x2, ProBook, and ZBook lines, but could exist in other machines. The company also delivers audio drivers for Dell, Lenovo, and Asus machines although at this point it’s not certain they feature the same audio driver.
The firm says the following HP products are affected however:
- HP EliteBook 820 G3 Notebook PC
- HP EliteBook 828 G3 Notebook PC
- HP EliteBook 840 G3 Notebook PC
- HP EliteBook 848 G3 Notebook PC
- HP EliteBook 850 G3 Notebook PC
- HP ProBook 640 G2 Notebook PC
- HP ProBook 650 G2 Notebook PC
- HP ProBook 645 G2 Notebook PC
- HP ProBook 655 G2 Notebook PC
- HP ProBook 450 G3 Notebook PC
- HP ProBook 430 G3 Notebook PC
- HP ProBook 440 G3 Notebook PC
- HP ProBook 446 G3 Notebook PC
- HP ProBook 470 G3 Notebook PC
- HP ProBook 455 G3 Notebook PC
- HP EliteBook 725 G3 Notebook PC
- HP EliteBook 745 G3 Notebook PC
- HP EliteBook 755 G3 Notebook PC
- HP EliteBook 1030 G1 Notebook PC
- HP ZBook 15u G3 Mobile Workstation
- HP Elite x2 1012 G1 Tablet
- HP Elite x2 1012 G1 with Travel Keyboard
- HP Elite x2 1012 G1 Advanced Keyboard
- HP EliteBook Folio 1040 G3 Notebook PC
- HP ZBook 17 G3 Mobile Workstation
- HP ZBook 15 G3 Mobile Workstation
- HP ZBook Studio G3 Mobile Workstation
- HP EliteBook Folio G1 Notebook PC
Conexant Systems, which began as a spinoff of Rockwell International in 1999, makes chips and software for audio and image processing. The company did not immediately return a request for comment Thursday morning.
Schroeder said he attempted to contact HP about the issue as well. A Hewlett-Packard Enterprise security advisor reportedly denied any wrongdoing and contacted members of HP Inc.’s security team earlier this month. After failing to hear back, Schroeder disclosed the issue, including proof of concept code, Thursday morning. Neither HP, nor HPE responded to requests for comment on Thursday.
It’s unclear if this is a feature or a flaw of the driver, but until it’s sorted out ModZero is encouraging HP computer owners to verify whether MicTray.exe is installed on their machines and delete the executable.
“We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore,” Schroeder wrote, “However, the special function keys on the keyboards might no longer work as expected. If a C:UsersPublicMicTray.log file exists on the hard-drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.”