Security researcher Michael Myng also known as ZwClose discovered a driver-level keylogger on HP laptops. The bug has been now solved via an emergency patch issued by Hewlett Packard. Hundreds of HP laptops were affected, including HP G2 Notebooks, the HP Elite x2 1011 G1 tablet, HP EliteBooks, HP ProBooks and HP ZBook models.
Official description of the vulnerability:
A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.
Myng came across the keylogger while exploring Synaptics Touchpad SynTP.sys keyboard driver
He analyzed the way keyboards were backlit and came across some weird looking code that resembled a keylogger. “HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required),” the researcher wrote.
Even though logging was disabled by default, it could have been enabled via altering registry values which could have led to the laptop being compromised by malicious software. Trojans and other forms of spyware, for examples, are very likely to leverage keylogging to spy on unsuspecting users.
Fortunately, HP was very swift to respond. Shortly after the researcher messaged the company about the issue he found, they replied by confirming the presence of the keylogger. However, the keylogger turned out to be a debug trace which was adequately removed via the update HP already released.
The patch will also be added to Windows Update.
Not the first time HP features keylogger in their products
This is not the first time such a component was found in HP products. Back in May, security researchers from security firm Modzero unearthed a built-in keylogger in an HP audio driver while examining Windows Active Domain infrastructure.
The initial purpose of the software appeared to be to recognize whether a special key has been pressed or released. The software however was tailored and the developer, Conexant, added a number of diagnostic and debugging features. The features were there to ensure that all keystrokes “are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive”. Interestingly, this type of debugging literally transforms the audio driver into a keylogger, which is nothing but a form of spyware.