HP pushes out fix for keylogging audio driver in its laptops
Swiss security consultancy Modzero revealed on Thursday that a number of HP laptops contain an audio driver that logs users’ keystrokes and stores them in an unencrypted file on the local system.
After repeatedly failing to get concrete answers from both HP and Conexant Systems (the audio driver’s vendor), they went public with the flaw (CVE-2017-8360).
The vulnerability
The vulnerability does not seem intentional – the real goal of the Conexant HD Audio Driver is to detect when users increase or lower the volume or mute sound altogether by pressing a physical key.
Unfortunately, it’s a clunky solution that could allow malware – or just a malicious attacker with physical or remote access to the computer – to access the log file created by the driver, and thus discover passwords or other sensitive information the user has entered.
The log file created by the driver is located in C:\Users\Public\MicTray.log, and is overwritten each time the user logs in, but will be present in backups. If the user is doing regular backups, anyone who has access to them would be able to piece together information about the user’s activity.
“If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior,” the researchers added. “Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user’s keystrokes.”
Affected computer models
Among the affected machines are various HP Elitebooks, HP ProBooks, HP ZBooks, and HP Elites.
Users can check whether their machines are among them by checking whether the MicTray.exe or MicTray64.exe file is present in C:\Windows\System32\.
According to information received by ZDNet, HP has already pushed out a fix for the issue, which is available on Windows Update and HP.com for newer 2016 and later affected models. A fix for 2015 models is scheduled to be pushed out on Friday.
HP VP Mike Nash also noted that the code for this functionality was introduced by mistake. This statement rings true, as there is no indication that the keystrokes log file is ever uploaded anywhere.
It’s good to note, at the end, that this vulnerability is likely present in machines by other other hardware vendors, if they ship Conexant hardware and drivers.
Conexant is yet to offer a comment on this whole situation.