A computer security researcher has discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes, making it easier for malicious actors to steal potentially sensitive information without being detected by the user. The Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.
The audio driver installed in several HP laptops contains a keylogger-type feature that records every keystroke entered into the computer into a log file, according to the IT security researcher.
Swiss security firm Modzero said in a security advisory posted Thursday that the keylogger activity was discovered in the Conexant HD audio driver package (version 220.127.116.11 and earlier), found on dozens of HP business and enterprise laptop models, among them HP Elitebook, ProBook, and ZBook models as well as the latest Folio G1 laptops.
Modzero researchers said they found the Conexant HD Audio Driver Package preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected, but investigators haven’t officially confirmed that the issue affects other manufacturers.
The independent Swiss company modzero AG was founded in early 2011 by Max Moser and Thorsten Schröder to assist clients with specific security issues in complex areas of computer technology. modzero AG does not wish to simply sell clients a finished product from a security services portfolio, but rather to provide a consultative approach, cooperating with the client to produce a tailor-made solution.
Its focus lies on highly detailed technical analysis of concepts, software and hardware components, as well as the development of individual solution proposals for the predominantly very specific protection requirements of its clients. Immense time and cost pressures are often triggered by a specific vulnerability in the product design or the threat model.
The driver's keystroke logging leads to sensitive user data, including passwords, being written to easily accessible locations. A piece of malware could exploit the flaw to steal data without alerting antimalware products that look for suspicious behavior, the researcher warned.
“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,” Schroeder said in a blog post. “If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user.”
The researcher pointed out that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file. This functionality was introduced in version 18.104.22.168, released in October 2016. It’s unclear if any of the logged data is being sent back to Conexant servers.
For now, ModZero recommends that users check for and delete or rename the MicTray64 and MicTray applications (located at C:\Windows\System32\). If you aren’t comfortable accessing protected file space within Windows, ask someone for help — mucking around in the System32 directory without knowing what you’re doing can destroy your OS installation.
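The check described above can be scripted. The following PowerShell is an added example, not code from modzero, Conexant or HP. It assumes the two applications are `.exe` files named `MicTray64.exe` and `MicTray.exe`, and the `-Rename` switch and `.disabled` suffix are choices made for this illustration. Run it from an elevated 64-bit PowerShell prompt so that `System32` is not redirected.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Directory named in the article.
    [string]$Directory = (Join-Path $env:windir 'System32'),
    # Assumption: the applications are .exe files with these names.
    [string[]]$Names = @('MicTray64.exe', 'MicTray.exe'),
    # Without this switch the script only reports what it finds.
    [switch]$Rename
)

foreach ($name in $Names) {
    $path = Join-Path $Directory $name

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output "Not found: $path"
        continue
    }

    # Report version and signer so the file can be compared with the
    # driver package version named in the advisory.
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path        = $file.FullName
        FileVersion = $file.VersionInfo.FileVersion
        Company     = $file.VersionInfo.CompanyName
        Signature   = $sig.Status
        LastWrite   = $file.LastWriteTime
    }

    if ($Rename) {
        # Stop any running instance before renaming the binary.
        $procName = [IO.Path]::GetFileNameWithoutExtension($name)
        Get-Process -Name $procName -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$procName (PID $($_.Id))", 'Stop process')) {
                    Stop-Process -Id $_.Id -Force
                }
            }

        # Rename rather than delete, so the change can be reverted.
        if ($PSCmdlet.ShouldProcess($path, 'Rename to .disabled')) {
            Rename-Item -LiteralPath $path -NewName "$name.disabled"
        }
    }
}
```

Running the script with `-Rename -WhatIf` lists the processes it would stop and the files it would rename without changing anything.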