
Audio Driver in HP Laptops Acts as Keylogger, Fix Available

HP laptops sporting an audio driver developed by audio chip maker Conexant were found recording all user keystrokes in an unencrypted file.

Security researchers found that some HP laptops are shipped with an audio driver that can record all keyboard activity and store the information locally and unencrypted in a file on the computer’s hard drive. While they believe that this was not an intended “feature” of the audio driver, it does raise serious security concerns, as cybercriminals could leverage the existence of the file to gain access to sensitive information, such as passwords, authentication credentials, or any other data.

The driver’s original purpose was to “listen” for the activation of specific keys, but a debugging feature built into it allows all keystrokes to be logged and saved in an unencrypted file within a public directory. As a result, anyone with local or remote access to the computer can view the complete history of keystroke activity.

“This type of debugging turns the audio driver effectively into keylogging spyware,” wrote the Swiss security researcher. “On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”

Although chip maker Conexant has yet to issue any statement on the matter, HP stated that it is aware of the situation and that the debugging feature implemented by the software developer should not have been included in the shipped product.

“Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version,” said HP in a statement.

“HP has no access to customer data as a result of this issue. We have identified a fix and will make it available to our customers,” according to the company.

Affected devices include HP EliteBook, ProBook and ZBook laptops running Windows 7 or 10, but a full list of affected HP products can be found here. The unintended “feature” has already been assigned a CVE (CVE-2017-8360).

Users suspecting they may have the Conexant driver installed on their system can search for it themselves and remove it, along with the keylogging log file. Removing the MicTray.exe file (from the following locations: “C:\Windows\System32\” or “C:\Windows\System32\”) and the MicTray.log file, located in “C:\Users\Public\”, will remove the keylogging “feature” of the driver.
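The check described above as a PowerShell function, added here as an example and not code from HP, Conexant or the researchers: it reports whether the two files named in the article exist (metadata only, since the log may hold typed passwords) and, with `-Remove`, stops a running MicTray process and deletes them. The function name and the `-Remove` switch are hypothetical; removal needs an elevated prompt because `System32` is not writable by standard users.

```powershell
# Added example. Paths are the ones given in the article; the function name
# and the -Remove switch are hypothetical and chosen for illustration.
function Find-MicTrayArtifact {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Path = @(
            'C:\Windows\System32\MicTray.exe',
            'C:\Users\Public\MicTray.log'
        ),
        [switch]$Remove
    )

    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        $removed = $false

        if ($item -and $Remove) {
            if ($item.Extension -eq '.exe') {
                # A running instance keeps the executable locked; stop only the
                # process whose image is this exact file, not any same-named one.
                Get-Process -Name $item.BaseName -ErrorAction SilentlyContinue |
                    Where-Object { $_.Path -eq $item.FullName } |
                    ForEach-Object {
                        if ($PSCmdlet.ShouldProcess("PID $($_.Id)", 'Stop process')) {
                            Stop-Process -Id $_.Id -Force
                        }
                    }
            }
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove file')) {
                Remove-Item -LiteralPath $item.FullName -Force
                $removed = -not (Test-Path -LiteralPath $item.FullName)
            }
        }

        # Report metadata only; the log contents are never read or printed.
        [pscustomobject]@{
            Path          = $p
            Present       = [bool]$item
            Length        = if ($item) { $item.Length } else { $null }
            CreationTime  = if ($item) { $item.CreationTime } else { $null }
            LastWriteTime = if ($item) { $item.LastWriteTime } else { $null }
            Removed       = $removed
        }
    }
}

# Audit only. Preview removal with: Find-MicTrayArtifact -Remove -WhatIf
Find-MicTrayArtifact | Format-Table -AutoSize
```

A non-zero `Length` on the log with a recent `LastWriteTime` indicates the debug logging was active on that machine, so passwords typed since `CreationTime` should be treated as exposed to anyone who could read `C:\Users\Public\`.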

HP has already issued a publicly available fix for the problem, available via Windows Update or from HP’s official website, addressing device models starting with 2016. For 2015 models, the fix will be available this week.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.


  • How come Bitdefender did not recognize it as a keylogger? Isn't it supposed to protect us from these kinds of threats?

    • Hi Nicu and thanks for expressing your concern. Good question! The thing is it "acted" as a keylogger, but it was a debugging feature that was left active. No data was broadcasted, as it was only stored in a file on disk. An attacker would first have to gain remote access to the computer in order to read or access the file. Bitdefender defends against malware (e.g. keyloggers) that actively hijacks the normal activity of legitimate applications.