Keylogger Found in Audio Driver of HP Laptops, Says Report (bleepingcomputer.com) 116
An anonymous reader writes: The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today. According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier. This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe). This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."
Never assume... (Score:3, Insightful)
Re: (Score:3)
Never attribute to one that which can adequately be explained by the other.
Re: Never assume... (Score:1)
Yeah, criminals would love it if everyone thought they were stupid and not malicious. It gets them lesser charges.
Re: (Score:1, Funny)
Re:Never assume... (Score:4, Insightful)
Malice.
It had NO REASON WHATSOEVER to keep a logfile for the keystrokes. Listen to the keyboard for a hotkey or combo? Sure thing, that's what these programs HAVE to do. But a logfile? WHY? Was it gonna check if it MISSED SOMETHING two hours ago?
Re:Never assume... (Score:5, Insightful)
Perhaps used originally for debug, but not removed for release builds. Which would be stupidity.
Re: (Score:2)
This. Competence is not an absolute.
Re: (Score:1)
That is true, not even up for debate in fact. However, given the current climate of computer security (more specifically that major "state actors," or "countries" to the rest of us, are doing everything they can to BREAK computer security), you can't really help but wonder. I mean considering the stuff that's been leaked from the CIA and NSA...a lot of it probably cost a lot of money and a lot of hours to develop, plus the right 0-day exploits bought at the right price...wouldn't it be easier for them, in t
Re: (Score:2)
I agree it's suspicious in light of modern surveillance interests. In fact the best argument I can think of for it being incompetence rather than maliciousness, is the sheer degree of incompetence demonstrated. If it were malicious it would make far more sense to at least mildly encrypt the logfile so that its nature wouldn't be immediately obvious to anyone who stumbled over it. I mean how many obscure binary data files are used in the world? I doubt even security researchers regularly go to the trouble
Re:Never assume... (Score:5, Insightful)
Could well have been for debugging, and they forgot to take it out again.
Re: (Score:2)
Along with the open Telnet and FTP servers.
Right.
Re:Never assume... (Score:4, Insightful)
The developer needed some debug info, and maybe even figured it would be helpful for remote debugging of problems, so they threw in a log file. Probably meant to disable it in the release build, or maybe they were just incompetent and didn't realize what a problem it was.
Spyware Apologist. (Score:1)
Spyware Apologist.
By now you goddamn know a full key logger in an AUDIO driver is unacceptable, full stop. "Oh darn, shouldn't have done that."
All malice can hide behind incompetence.
Re: (Score:2)
But how will I debug issues when QA reports that the volume control hotkeys are not working? I need ALL the key events to see what keys QA was pressing and devise a way to resolve the issue. Usually by closing the bug saying that they misconfigured their keyboard driver as it's not sending the proper multimedia keycodes.
Re: (Score:2)
I wrote a driver for multimedia, including volume keys, over 10 years ago and yes, I did include a key logger functionality in the debug build. That said the only keys I logged were the 'special', non ascii keys. I might have logged all keys on the very early stages of the driver development but I had absolutely no need to capture any of the 'writing' keys and if I wanted to record activity on these I would probably have recorded the event but not the actual character pressed.
Having worked in the software i
Re: (Score:2)
The virtual keycodes in Windows are a little funny. Some ASCII ranges are the letters/numbers on your keyboard. Other values that are ASCII values map to extra keys. 'A' is your A key, but 'a' is the 1 key on the numpad. Lots of funny stuff like that, I suppose you could have some reasonable (islower(c) || isdigit(c)) logic that skips logging at least most of the alphanumeric keys. or you can do if (c >= 0x80) and that will leave out all the alphanumeric keys, a few of the symbols, the numpad, and a few
Oh but they do. (Score:3)
They call it "telemetry" these days, because it sounds better than "spying" and "data exfiltration (theft)".
Maybe we should be trying to find the EULA for the audio driver? I bet it says they can do whatever the fuck they want =)
But is "they" Conexant or HP or Microsoft or everyone?
Re: (Score:1)
Also known as beacons. Check this out...
My HP laptop (now linux) boots normally with no network connected. It also boots normally with a network connected. But if it has Internet-enabled DNS service but no traffic can get through because firewall, it takes an extra minute or more to boot. This is at the BIOS level, before the OS begins loading.
Re: (Score:2)
You could use Wireshark to find out where the data was going. I Couldn't understand why my PC was sending 32K/minute over to one of Microsoft's servers. Turned out this was an executable called nvcontainer.exe as part of the Geforce Experience. From other forums, it seems to scan games downloaded from Steam. Perhaps it does static code analysis on DirectX or OpenGL calls. But it seems a funny way of doing this.
Re: (Score:2)
Online game cheating prevention is one of the things that Intel is including in their marketing information for chipset security features. It isn't clear if this is going to be popular or unpopular with the masses.
Re: (Score:2)
It had NO REASON WHATSOEVER to keep a logfile
I see you've never had to fault find something before.
It had no reason what so ever to keep a log file in production release. There are plenty of reasons to do so in non production releases, and the transition between production and internal releases can be attributed to incompetence.
Re: (Score:3)
Malice seems a reasonable assumption, but I think at this point the verdict has to be "not proven". It is, however, a good reason to avoid HP in either case.
Re:Never assume... (Score:4, Insightful)
I can't sort out how it would be an accident. Sometimes these things are due to debugging modes not being turned off on the production release, but what debugging mode in an audio driver would require logging keystrokes?
Re: (Score:2)
especially if it blows up in the media with wide press coverage.
So, what your saying is nobody is going to lose their job over this? To the unwashed masses, privacy is dead. People are paying for devices with cameras and microphones in them, that literally listen to every word spoken around them. Do you think the public cares that some obscure driver on a laptop is even going to be a blip on the radar? Half of the US population probably couldn't tell you who Conexant is, or what a driver even does. Quick, without looking, does your current device use a Conexant aud
Re: (Score:3)
Re: (Score:2)
So how are you supposed to debug your bug without bugging it? And if you do bug the bug with a debug log don't you risk bugging it anyway?
At least some of the bugs are before you even get to the keyboard, and I know those ones are bugged about being bugged because the bug leaked.
Re: (Score:3)
Well it does say that the driver is looking for things like mute/unmute and other hotkeys, so I guess if you are debugging those functions you may want to log the keystrokes you see.
Re:Never assume... (Score:5, Informative)
but what debugging mode in an audio driver would require logging keystrokes?
One reason would be to replay a sequence of keystrokes to verify that a bug has been fixed.
My company has an internal app that logs input (keystrokes, mouse movements). If the program crashes, the keylog is emailed along with the stack trace to the responsible programming team. This has been a wonderful help for debugging and is WAY more useful than user descriptions of what they were doing. We can see what caused the fault, and after fixing the problem we can replay the input to verify that it is fixed. However, it only records input when this app has the focus, and users are informed that their input is being recorded.
Re: (Score:3)
For this type of product, storing that data might actually make sense to keep. The problem is not that the data is being stored, but rather that it is being stored on disk where anybody with the right access privileges can trivially get to it.
Debug logging is the perfect use case for an in-memory ring buffer. That approach ensures that the data is relatively hard to access (i.e. that it can be accessed only by your debugging tool that knows the magic handshake or whatever). It also ensures that the data
Re: (Score:2)
Re: (Score:2)
it looks like they intended to log the pressing of the volume and mute keys, probably to make sure they were being captured and responded to accurately and reliably. So when the beta tester tells you "the music was playing when I left for lunch but when I came back it was silent so I rebooted it", they can look at the logs and verify that no, right about the time you left for lunch you pressed the Mute button whilst trying to turn off the wifi.
As a developer I can see where it would be a lot easier to simp
Re: (Score:2)
Re: (Score:2)
These days? Everybody and his dog. Personal info is the new currency.
Re: (Score:1)
I don't quite agree with that advice. Perhaps a better rule of thumb would be:
Be suspicious, but don't accuse without proof.
The problem is that if you never "attribute to malice" (i.e. be suspicious) then you will be taken advantage of. That's the reality of human culture: the dishonest ones (of which there are many) can pick out the naive ones as easy as they can sort their laundry. They've been practicing it their entire lives. They know within seconds of meeting a person whether or not they will likely m
Re: (Score:2)
I would actually say that it makes sense to accuse, but to be careful in ones wording so that one did not assert. Something like:
"I find this highly suspicious, and to me it seems the most probable explanation is malice, of course it could be incompetence."
Were the revealed actions of the powerful different, I'd be less apt to estimate probability in this way, and more willing to accept incompetence as the explanation. Of course, in either case one should hesitate to do any further business with them.
Re: (Score:2)
Re: (Score:2)
Stupidity. It is far too obvious (if anybody bothers to look) for anything else. Basically, you type a random number in and then search for it on disk. The only protection against detection it has is that most people do not assume developers are quite this extremely stupid. After Intel last week, I think we can safely assume that even software from big names can contain utterly demented mistakes that are a catastrophe for security.
Re: (Score:1)
Re: (Score:1)
Well, HP should be able to answer that quite easily. I assume that they at least use version control. That should reveal the exact employee who create the logging code. And every person who signed off on the code reviews. And all the chat messages between employees and managers.
It should not be hard for the company to find out what happened... unless the thing was approved by management in some sort of espionage agreement.
My PC is safe it seems (Score:5, Funny)
ls: cannot access 'C:windowssystem32mictray64.exe': No such file or directory
Re: (Score:3, Funny)
Re: (Score:1)
woosh
Re: (Score:2)
ls -l C:\windows\system32\mictray64.exe
ls: C:windowssystem32mictray64.exe: No such file or directory
Funny how Unix, Linux and Mac users are alike these days. The only odd one is Windows.
Re: (Score:2)
You're doing it wrong, you need to quote the path there:
$ ls -l "C:\windows\system32\mictray64.exe"
ls: cannot access C:\windows\system32\mictray64.exe: No such file or directory
Re: (Score:2)
Are you happy now?
Not a problem! (Score:4, Insightful)
Anything capable of reading this is capable of installing its own key logger, so.... non-story.
Still, it shows the stupidity of some programmers. I get you need to debug things but have an on/off setting and disable it by default.
Re:Not a problem! (Score:5, Informative)
Anything capable of reading this is capable of installing its own key logger, so.... non-story.
No, that's not been true since Vista.
Anything wanting to start with Windows and log keystrokes will need to be installed with administrator level permissions, which means a UAC prompt to the user (screen goes dark, everything except the warning message vanishes, if configured the user's password is required).
By pre-installing it HP have provided a handy way for non-privileged malware to perform keylogger functions, without the need for a privilege escalation exploit.
Re: (Score:3)
Er... no.
C:\users\public\MicTray.log
Public has *read and write* permission for anybody in the CREATOR OWNER and INTERACTIVE groups. The latter includes any logged-in user account. So anyone can potentially read the keystrokes of the admin who sat on the machine before them ten years ago while setting up the machine, even if they don't have - and never have had - permission to even install software on a machine.
That's not "non-story".
Installing software that can read the keyboard even when not focused requi
Re: (Score:2)
Shadow Copies.
Re: (Score:2)
This also means that ALL malware has permission to access this file.
Re: (Score:2)
More specifically in user32.dll there is a method called RegisterHotKey, I've used it plenty times, works like a charm, there was/is no need to monitor every keystroke, and definitely no reason to write it all out to disk.
Re: (Score:3)
I'm doing something about it. I made a bunch of snarky comments at lunch and online.
I have one of these laptops (HP 430 G3). (Score:3)
I'm at work right now typing on it. It doesn't have this executable, it doesn't have the Conextant audio driver either.
This does make me curious, though, since I recently tested some newer HP laptops/convertibles which had a noticeable cpu eating process called Flow which is also tied to the Conextant audio driver. [hp.com]
We gave them back so I can't check them but it's an interesting coincidence ...
Re: (Score:2)
It's best practice to wipe a machine as soon as it comes in and to only put back what's absolutely necessary. If the audio works with the windows driver, they wouldn't have put this HP junk back on.
Re: (Score:2)
I used to do this.... until I started purchasing Windows 7 'downgrade' computers with a windows 10 license... and no COA or media for either. Windows 10 licensing works great, until you actually have to do something with it. Try re-installing either OS on one of those PCs. I dare you.
Intent (Score:5, Funny)
-- James Comey
Re: (Score:2)
extremely creless
I see what you did there.
Re: (Score:2)
That seems to be a quote, possibly about something else, but I haven't been able to trace it down.
Jail time (Score:2)
Re: (Score:2)
Not yet, but we will need this if software is ever to be secure. And in particular, we need somebody higher up to go to jail for this, because that is what "responsibility" means. The actual engineers likely saw their prototype declared "ready for production" (has happened to me, but I was forewarned, so it actually was production quality) and that was the end of what they could do.
Linux and GPL forces driver open sourcing (Score:2)
The Linux model of having an unstable kernel ABI, to encourage HW vendors to upstream their drivers suddenly looks the best.
Stuff your Intellectual Property, I'd like safe drivers. I'll even grant you the use of firmware binary blobs. So a very limited release of company secrets.
And people blame (in a corporate shilling way) Android for being unable to upgrade the kernel due to HW vendors not open sourcing their drivers. Google and phone vendors should pressurize them.
Software freedom yields practical gains. (Score:2)
It's the freedom of software that's crucial, not a development methodology of an unstable ABI. Binary firmware blobs are a source of problems; firmware is remarkably powerful and capable and there's no way to have good security with non-free firmware. Firmware for the system persists and provides spying powers that span OSes (install whatever OS, the firmware that acts as a keylogger keeps working). Proprietors including Google make considerable money from spying, but I suspect the real competition for them
Kid heartbroken by surveillance. (Score:5, Insightful)
For one of our displays, we displayed the traffic of a wireless network using a network visualization tool: https://www.youtube.com/watch?... [youtube.com] When the kids connected to the wifi, they could see their traffic. They loved doing different things and seeing what happened.
Somebody had surreptitiously placed a surveillance tracker on a kid's phone. Every thing he did caused a burst of traffic to a remote IP. When he scrolled a screen there was a burst of traffic to that IP, When he typed a character there was a burst of traffic to that IP.. He was absolutely heartbroken when he realized what was going on. His wonderful toy instantly became a treacherous enemy. His friends all took a step back and stared at him like he had become contagious.
I didn't know how to make it better. The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured..
Re: (Score:2)
More likely some real creeps installed that and, oh, look, it is his parents! (Just remember the /. story from a few days back.)
Re: (Score:2)
I would've assumed he installed one of the many "free" apps that ask for a million permissions they don't need and then phone home with everything.
Re: (Score:2)
The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured..
Far, far more likely a parental monitoring tool.
Re: (Score:3)
The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured..
This, by the way, was a mistake to say. If someone cared enough to break the law to monitor him, then that person was probably a serious threat to him.
I realized my mistake later. I was babbling on and on about types of RAT (Remote Access Tools) and the rise of the surveillance state. Eventually I stuttered to a stop when I saw the intense look of horror and betrayal on the kids face. You could not have hurt him more by stabbing him in the back with a knife. No amount of glib "Et tu Brute?" was going to make it better. His world had just become a dark, treacherous place. Somebody that he trusted, did not trust him. And, by placing the tracker on him in se
Re: (Score:2)
Hey Kid, there's a newer model of this phone available for free if you want one.
You did them all a huge favor. (Score:2)
Stop feeling bad for teaching an exceedingly important lesson about real life.
Your next step should have been to show them how to disable/avoid/mitigate as much as possible and show them why their privacy/freedom/security matter not some kind of purposeless guilt.
Also, it's quite likely the spy was their parents not their gov't in that case but I digress.
Re: Kid heartbroken by surveillance. (Score:1)
Break the law? His parents probably bought that phone and if that's the case they can monitor all they want.
Complete list on Bleeping Computer (Score:1)
So who wrote this driver? (Score:2)
GoBack (Score:1)
I really miss GoBack. It was really easy to see things like this when running it. Scan through the log of file changes and note files that shouldn't be changing while you're simply editing a text file. Excellent for removing all forms of viruses except rootkits too, assuming you catch them early enough.
Remember when HP rooted a reporter's laptop? (Score:2)
All because they were unhappy with their press coverage? Why is anyone surprised that they stooped to this?