HP is shipping audio drivers with a built-in keylogger [Updated]

Authored by thenextweb.com and submitted by golden430

That fancy new HP EliteBook laptop you just bought? It may be silently recording every keystroke, according to Swiss infosec firm ModZero.

[EN] Keylogger in Hewlett-Packard Audio Driver – Blog post (https://t.co/x1aybAAnKC) and Security Advisory (https://t.co/6ObxOjd0df) — modzero AG (@mod0) May 11, 2017


For what it’s worth, it doesn’t look like there’s malice here – just staggering incompetence.

According to ModZero’s blog post, an update to HP’s audio drivers released in 2015 introduced new diagnostic features. One of these is used to detect if a special key had been pressed or released. Except it seems this was poorly implemented, as the driver ultimately acted like a keylogger, capturing and processing every single keypress.

A later update to the driver was even more troubling, as it introduced behavior that wrote every single keypress to a log file stored locally on the user’s system. This is found at C:\Users\Public\MicTray.log.

Fortunately, this log file is wiped every time you log out of your system, but as ModZero points out, if you’ve got any kind of incremental backup system in place, you could effectively be creating a permanent record of everything you type, every day.

ModZero recommends that all users of HP computers “… should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.” If so, it recommends the executable be deleted or renamed, in order to prevent it from logging keystrokes, although it notes that if you do this, certain special keys may no longer work.

It also recommends that users delete the MicTray log file, as it may contain sensitive information, like passwords and login credentials.
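The check ModZero describes can be scripted. The following PowerShell is an added example, not code from ModZero, HP or the article; the function name and the -Remediate switch are hypothetical, and the paths are the ones quoted above.

```powershell
# Added example: audit for the MicTray files named in the article.
# Function name and the -Remediate switch are hypothetical; paths come from the article.
function Test-MicTrayExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $exePaths = 'C:\Windows\System32\MicTray64.exe', 'C:\Windows\System32\MicTray.exe'
    $logPath  = 'C:\Users\Public\MicTray.log'

    # A 32-bit shell on 64-bit Windows is redirected away from System32, so results would be wrong.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from a 64-bit PowerShell session.'
    }

    $foundExe = @($exePaths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    $running  = @(Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue)
    $log      = Get-Item -LiteralPath $logPath -ErrorAction SilentlyContinue

    if ($Remediate) {
        # Assumption: stop a running instance first so the log is not held open.
        foreach ($proc in $running) {
            if ($PSCmdlet.ShouldProcess("$($proc.Name) (PID $($proc.Id))", 'Stop process')) {
                Stop-Process -InputObject $proc -Force
            }
        }
        foreach ($exe in $foundExe) {
            if ($PSCmdlet.ShouldProcess($exe, 'Rename to .disabled')) {
                Rename-Item -LiteralPath $exe -NewName ((Split-Path -Path $exe -Leaf) + '.disabled')
            }
        }
        if ($log -and $PSCmdlet.ShouldProcess($logPath, 'Delete log')) {
            Remove-Item -LiteralPath $logPath -Force
        }
    }

    # State as found before any remediation; re-run without -Remediate to confirm the result.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Executables  = $foundExe
        RunningPids  = @($running | ForEach-Object { $_.Id })
        LogPresent   = [bool]$log
        LogBytes     = $(if ($log) { $log.Length } else { 0 })
        LogLastWrite = $(if ($log) { $log.LastWriteTime } else { $null })
    }
}

Test-MicTrayExposure
```

Running Test-MicTrayExposure -Remediate -WhatIf previews the rename and delete without changing anything; the real changes need an elevated session.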

In the security advisory, the company published a list of computers known to be affected. These are as follows:

HP EliteBook 820 G3 Notebook PC

HP EliteBook 828 G3 Notebook PC

HP EliteBook 840 G3 Notebook PC

HP EliteBook 848 G3 Notebook PC

HP EliteBook 850 G3 Notebook PC

HP ProBook 640 G2 Notebook PC

HP ProBook 650 G2 Notebook PC

HP ProBook 645 G2 Notebook PC

HP ProBook 655 G2 Notebook PC

HP ProBook 450 G3 Notebook PC

HP ProBook 430 G3 Notebook PC

HP ProBook 440 G3 Notebook PC

HP ProBook 446 G3 Notebook PC

HP ProBook 470 G3 Notebook PC

HP ProBook 455 G3 Notebook PC

HP EliteBook 725 G3 Notebook PC

HP EliteBook 745 G3 Notebook PC

HP EliteBook 755 G3 Notebook PC

HP EliteBook 1030 G1 Notebook PC

HP ZBook 15u G3 Mobile Workstation

HP Elite x2 1012 G1 Tablet

HP Elite x2 1012 G1 with Travel Keyboard

HP Elite x2 1012 G1 Advanced Keyboard

HP EliteBook Folio 1040 G3 Notebook PC

HP ZBook 17 G3 Mobile Workstation

HP ZBook 15 G3 Mobile Workstation

HP ZBook Studio G3 Mobile Workstation

HP EliteBook Folio G1 Notebook PC

We’ve reached out to HP for more information. If we hear back from them, we’ll update this post.

Update: HP replied to our inquiry with the following comment: “HP is committed to the security of its customers and we are aware of an issue on select HP PCs. We have identified a fix and will make it available to our customers.”


_My_Angry_Account_ on May 11th, 2017 at 13:31 UTC »

I just added a registry key that will prevent it from ever being able to run on my computer, even manually:

1. Start the Registry Editor (regedit).

2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.

3. Right click on image file execution options > New > Key

4. Name the new key MicTray.exe

5. Right click new MicTray.exe key > New > String value

6. Name the new value debugger

7. Set new "debugger" string value data to: devenv /debugexe

It forces any .exe file named MicTray or MicTray64 to go through a debugger and this causes it to fail. This is also how I nerfed the GWX.exe that would auto upgrade computers to Windows X.

*edit to add - If you are running Windows 64-bit then steps 4 and 5 should be:

4. Name the new key MicTray64.exe

5. Right click new MicTray64.exe key > New > String value

To check your version of Windows the shortcut is to hold down your Windows Key and press Pause (Break) or in Windows 8.1 and 10 you can right click on the start button and click on System. In previous versions you can right click on Computer or My Computer and click on Properties to find out what version of Windows you are running.

*edit - Can't get the numbering to work right with \. Oh well.

*edit - Thanks /u/appropriate-username.
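The registry steps in the comment above can be applied and verified from PowerShell for both image names at once. This is an added example, not the commenter's code; the function name is hypothetical, and the key path and the debugger value are taken from the comment.

```powershell
# Added example: script the Image File Execution Options entry described in the comment.
# Function name is hypothetical; the key path and 'devenv /debugexe' value come from the comment.
function Set-MicTrayIfeoBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ImageName = @('MicTray.exe', 'MicTray64.exe'),
        [string]$Debugger = 'devenv /debugexe'
    )

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($name in $ImageName) {
        $key = Join-Path -Path $ifeo -ChildPath $name

        if ($PSCmdlet.ShouldProcess($key, "Set Debugger = '$Debugger'")) {
            # Steps 3-4: create the per-image key if it does not exist yet.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # Steps 5-7: create (or overwrite) the string value named Debugger.
            New-ItemProperty -LiteralPath $key -Name 'Debugger' -Value $Debugger `
                -PropertyType String -Force | Out-Null
        }

        # Read the value back so the output reflects what is actually in the registry.
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Debugger' `
                        -ErrorAction SilentlyContinue).Debugger

        [pscustomobject]@{
            Image       = $name
            Key         = $key
            Debugger    = $current
            EntryInPlace = ($current -eq $Debugger)
        }
    }
}

# Preview only; drop -WhatIf in an elevated session to write the values.
Set-MicTrayIfeoBlock -WhatIf
```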

MrSelatcia on May 11th, 2017 at 13:14 UTC »

HP, where incompetence is standard practice.

Schnoofles on May 11th, 2017 at 12:59 UTC »

Well, that just sounds like a wonderful target for any malware looking to exfil data. Good job, hp