That fancy new HP EliteBook laptop you just bought? It may be silently recording every keystroke, according to Swiss infosec firm ModZero.
[EN] Keylogger in Hewlett-Packard Audio Driver – Blog post (https://t.co/x1aybAAnKC) and Security Advisory (https://t.co/6ObxOjd0df) — modzero AG (@mod0) May 11, 2017
Ever been to a tech festival? TNW Conference won best European Event 2016 for our festival vibe. See what's in store for 2017. LEARN MORE
For what it’s worth, it doesn’t look like there’s malice here – just staggering incompetence.
According to ModZero’s blog post, an update to HP’s audio drivers released in 2015 introduced new diagnostic features. One of these is used to detect if a special key had been pressed or released. Except it seems this was poorly implemented, as the driver ultimately acted like a keylogger, capturing and procesing every single keypress.
A later update to the driver was even more troubling, as it introduced behavior that wrote every single keypress to a log file stored locally on the user’s system. This is found at C:\Users\Public\MicTray.log.
Fortunately, this logfile is wiped every time you logout of your system, but as ModZero points out, if you’ve got any kind of incremental backup system in place, you could effectively be creating a permanent record of everything you type, every day.
ModZero recommends that all users of HP computers “… should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.” If so, it recommends the executable be deleted or renamed, in order to prevent it from logging keystrokes, although it notes that if you do this, certain special keys may no longer work.
It also recommends that users delete the MicTray log file, as it may contain sensitive information, like passwords and login credentials.
In the security advisory, the company published a list of computers known to be affected. These are as follows:
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC
We’ve reached out to HP for more information. If we hear back from them, we’ll update this post.
Read next: TNW Conference is teaming up with PayPal and Glownet to go cashless
_My_Angry_Account_ on May 11st, 2017 at 13:31 UTC »
I just added a registry key that will prevent it from ever being able to run on my computer, even manually:
Start the Registry Editor (regedit).
In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.
Right click on image file execution options > New > Key
Name the new key MicTray.exe
Right click new MicTray.exe key > New > String value
Name the new value debugger
Set new "debugger" string value data to: devenv /debugexe
It forces any .exe file named MicTray to go through a debugger and this causes it to fail. This is also how I nerfed the GWX.exe that would auto upgrade computers to Windows X.
MrSelatcia on May 11st, 2017 at 13:14 UTC »
HP, where incompetence is standard practice.
Schnoofles on May 11st, 2017 at 12:59 UTC »
Well, that just sounds like a wonderful target for any malware looking to exfil data. Good job, hp