Are you the owner of an HP laptop? Then read carefully. Security researchers from security firm Modzero came across a built-in keylogger in an HP audio driver while examining Windows Active Domain infrastructure.
“Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation,” the researchers wrote.
Researchers Find Keylogger In An Audio Driver
What would be the reason of a keylogger in an audio drive, you may be wondering? One thing that comes to mind is that HP is delivering pre-installed spyware, or it is itself a victim of backdoored software. Even though it is not exactly clear who is responsible for the presence of the keylogger, the case is certainly troublesome.
Another question to be asked is who developed and signed the software, and the answer is the audio chip manufacturer Conexant. The company manufactures integrated circuits, emerging from a US armaments manufacturer, the researchers point out. Because they develop circuits for video and audio processing, it is somewhat logical that Conexant audio ICs to be populated on the sound cards of various computers.
Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model – for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input.
The initial purpose of the software appears to be to recognize whether a special key has been pressed or released. The software however has been tailored and the developer has added a number of diagnostic and debugging features. The features serve to ensure that all keystrokes “are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive”. Interestingly, this type of debugging literally transforms the audio driver into a keylogger, a form of spyware.
What is worse is that the keylogger has apparently been present on HP computers since Christmas 2015 or even earlier.
Version 18.104.22.168 of this program was later extended by even more problematic functions: The most recent version 22.214.171.124 implements the logging of all keystrokes into the publicly for any user readable file C:\Users\Public\MicTray.log. Although the file is overwritten after each login, the content is likely to be easily monitored by running processes or forensic tools.
The researchers add that they couldn’t find any evidence of the keylogger being intentionally implemented.