genew@telus.net
Date: Thu, 11 May 2017 15:27:19 -0700
Woody Leonhard, InfoWorld, 11 May 2017
The Conexant audio driver logs all keystrokes on certain HP machines and
publishes them to a file in the Public folder
http://www.infoworld.com/article/3196125/data-security/on-hp-computers-check-for-the-conexant-keylogger-called-mictray.html
selected text:
Swiss security firm modzero AG released a white paper (PDF) that contains
details about a keylogger in certain HP audio drivers. The keylogger stores
records of all of your keystrokes in a file located in the public folder
C:\Users\Public\MicTray.log.
The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, ... including many current models.
Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It's still there today with driver Version 1.0.0.46.
If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior.
I have no idea how the driver passed Microsoft certification, but apparently it has.
Modzero isn't happy with the runaround it's getting from HP. The group says
it discovered the keylogger in MicTray 1.0.0.31 back on April 28. Modzero
contacted Conexant the same day, and when the keylogger was found in the
latest audio drivers, it contacted HP Enterprise on May 1. Then on May 5,
modzero got a response from HP Enterprise, which ``tried to reach for
security folks at HP Inc. to gain attention.'' Looks like HP Enterprise and
HP Inc. aren't talking to each other -- I bet they start talking now.
[Also noted by Al Mac;
https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html
https://consumerist.com/2017/05/12/keylogging-spyware-found-on-dozens-of-hp-laptop-models/
https://thenextweb.com/insider/2017/05/11/hp-is-shipping-audio-drivers-with-a-built-in-keylogger/#.tnw_OV69vf8G
HP list of their models affected:
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt
... and Bob Gezelter: https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/
PGN]