An audio driver installed in several HP laptops contains a keylogger-type feature that records every keystroke entered into the computer into a log file, according to a security researcher.
Swiss security firm Modzero said in a security advisory posted Thursday that the keylogger activity was discovered in the Conexant HD audio driver package (version 126.96.36.199 and earlier), found on dozens of HP business and enterprise laptop models, including HP Elitebook, ProBook, and ZBook models — including the latest Folio G1 laptop.
Anyone (or malware) with local access to the user’s files on an affected computer, could obtain passwords, visited web addresses, private messages, and other sensitive information.
HP has since rolled out patches to remove the keylogger, which will also delete the log file containing the keystrokes.
A spokesperson for HP said in a brief statement: “HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs. HP has no access to customer data as a result of this issue.”
HP vice-president Mike Nash said on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for newer 2016 and later affected models, with 2015 models receiving patches Friday. He added that the keylogger-type feature was mistakenly added to the driver’s production code and was never meant to be rolled out to end-user devices.
Nash didn’t how many models or customers were affected, but did confirm that some consumer laptops were affected.
He also confirmed that a handful of consumer models that come with Conexant drivers are affected.
The pre-installed audio driver installs a driver located in the Windows system folder, which is scheduled to start every time the user logs in. Modzero describes the application as a crude way to check to see if a hotkey was pressed by monitoring “all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkey.”
The application then logs each keystroke into an unencrypted log file stored in the user’s home directory. The log file is overwritten every time the user logs in.
In the case that a log file doesn’t exist, Modzero says that the driver’s API can allow malware to “silently capture sensitive data by capturing the user’s keystrokes.”
Here’s what it looks like (the keystrokes are stored in hexadecimal code):
We weren’t immediately able to confirm the findings, but a security researcher (who wanted to remain nameless) confirmed the findings of the advisory in a message to techhades