Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security HP Privacy

Keylogger Found in Audio Driver of HP Laptops, Says Report ( 116

An anonymous reader writes: The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today. According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version and earlier. This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe). This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."
This discussion has been archived. No new comments can be posted.

Keylogger Found in Audio Driver of HP Laptops, Says Report

Comments Filter:
  • Never assume... (Score:3, Insightful)

    by thegreatbob ( 693104 ) on Thursday May 11, 2017 @11:29AM (#54399943) Journal
    Was this malice or stupidity? Perhaps both?
    • Never attribute to one that which can adequately be explained by the other.

      • by Anonymous Coward

        Yeah, criminals would love it if everyone thought they were stupid and not malicious. It gets them lesser charges.

        • Re: (Score:1, Funny)

          by Anonymous Coward
          Just ask Hillary ....
    • Re:Never assume... (Score:4, Insightful)

      by Calydor ( 739835 ) on Thursday May 11, 2017 @11:34AM (#54399991)


      It had NO REASON WHATSOEVER to keep a logfile for the keystrokes. Listen to the keyboard for a hotkey or combo? Sure thing, that's what these programs HAVE to do. But a logfile? WHY? Was it gonna check if it MISSED SOMETHING two hours ago?

      • Re:Never assume... (Score:5, Insightful)

        by Anonymous Coward on Thursday May 11, 2017 @11:41AM (#54400053)

        Perhaps used originally for debug, but not removed for release builds. Which would be stupidity.

        • This. Competence is not an absolute.

          • by Anonymous Coward

            That is true, not even up for debate in fact. However, given the current climate of computer security (more specifically that major "state actors," or "countries" to the rest of us, are doing everything they can to BREAK computer security), you can't really help but wonder. I mean considering the stuff that's been leaked from the CIA and NSA...a lot of it probably cost a lot of money and a lot of hours to develop, plus the right 0-day exploits bought at the right price...wouldn't it be easier for them, in t

            • I agree it's suspicious in light of modern surveillance interests. In fact the best argument I can think of for it being incompetence rather than maliciousness, is the sheer degree of incompetence demonstrated. If it were malicious it would make far more sense to at least mildly encrypt the logfile so that its nature wouldn't be immediately obvious to anyone who stumbled over it. I mean how many obscure binary data files are used in the world? I doubt even security researchers regularly go to the trouble

      • Re:Never assume... (Score:5, Insightful)

        by Wonda ( 457426 ) on Thursday May 11, 2017 @11:57AM (#54400197)

        Could well have been for debugging, and they forgot to take it out again.

      • Re:Never assume... (Score:4, Insightful)

        by AmiMoJo ( 196126 ) <> on Thursday May 11, 2017 @12:01PM (#54400233) Homepage Journal

        The developer needed some debug info, and maybe even figured it would be helpful for remote debugging of problems, so they threw in a log file. Probably meant to disable it in the release build, or maybe they were just incompetent and didn't realize what a problem it was.

        • by Anonymous Coward

          Spyware Apologist.

          By now you goddamn know a full key logger in an AUDIO driver is unacceptable, full stop. "Oh darn, shouldn't have done that."

          All malice can hide behind incompetence.

          • But how will I debug issues when QA reports that the volume control hotkeys are not working? I need ALL the key events to see what keys QA was pressing and devise a way to resolve the issue. Usually by closing the bug saying that they misconfigured their keyboard driver as it's not sending the proper multimedia keycodes.

            • by sodul ( 833177 )

              I wrote a driver for multimedia, including volume keys, over 10 years ago and yes, I did include a key logger functionality in the debug build. That said the only keys I logged were the 'special', non ascii keys. I might have logged all keys on the very early stages of the driver development but I had absolutely no need to capture any of the 'writing' keys and if I wanted to record activity on these I would probably have recorded the event but not the actual character pressed.

              Having worked in the software i

              • The virtual keycodes in Windows are a little funny. Some ASCII ranges are the letters/numbers on your keyboard. Other values that are ASCII values map to extra keys. 'A' is your A key, but 'a' is the 1 key on the numpad. Lots of funny stuff like that, I suppose you could have some reasonable (islower(c) || isdigit(c)) logic that skips logging at least most of the alphanumeric keys. or you can do if (c >= 0x80) and that will leave out all the alphanumeric keys, a few of the symbols, the numpad, and a few

      • They call it "telemetry" these days, because it sounds better than "spying" and "data exfiltration (theft)".

        Maybe we should be trying to find the EULA for the audio driver? I bet it says they can do whatever the fuck they want =)

        But is "they" Conexant or HP or Microsoft or everyone?

        • by Anonymous Coward

          Also known as beacons. Check this out...

          My HP laptop (now linux) boots normally with no network connected. It also boots normally with a network connected. But if it has Internet-enabled DNS service but no traffic can get through because firewall, it takes an extra minute or more to boot. This is at the BIOS level, before the OS begins loading.

        • by mikael ( 484 )

          You could use Wireshark to find out where the data was going. I Couldn't understand why my PC was sending 32K/minute over to one of Microsoft's servers. Turned out this was an executable called nvcontainer.exe as part of the Geforce Experience. From other forums, it seems to scan games downloaded from Steam. Perhaps it does static code analysis on DirectX or OpenGL calls. But it seems a funny way of doing this.

          • Online game cheating prevention is one of the things that Intel is including in their marketing information for chipset security features. It isn't clear if this is going to be popular or unpopular with the masses.

      • It had NO REASON WHATSOEVER to keep a logfile

        I see you've never had to fault find something before.

        It had no reason what so ever to keep a log file in production release. There are plenty of reasons to do so in non production releases, and the transition between production and internal releases can be attributed to incompetence.

      • by HiThere ( 15173 )

        Malice seems a reasonable assumption, but I think at this point the verdict has to be "not proven". It is, however, a good reason to avoid HP in either case.

    • Re:Never assume... (Score:4, Insightful)

      by MightyMartian ( 840721 ) on Thursday May 11, 2017 @11:35AM (#54399997) Journal

      I can't sort out how it would be an accident. Sometimes these things are due to debugging modes not being turned off on the production release, but what debugging mode in an audio driver would require logging keystrokes?

      • Not to mention that bugging is the polar opposite of debugging.
        • So how are you supposed to debug your bug without bugging it? And if you do bug the bug with a debug log don't you risk bugging it anyway?

          At least some of the bugs are before you even get to the keyboard, and I know those ones are bugged about being bugged because the bug leaked.

      • by bws111 ( 1216812 )

        Well it does say that the driver is looking for things like mute/unmute and other hotkeys, so I guess if you are debugging those functions you may want to log the keystrokes you see.

      • Re:Never assume... (Score:5, Informative)

        by ShanghaiBill ( 739463 ) on Thursday May 11, 2017 @11:57AM (#54400205)

        but what debugging mode in an audio driver would require logging keystrokes?

        One reason would be to replay a sequence of keystrokes to verify that a bug has been fixed.

        My company has an internal app that logs input (keystrokes, mouse movements). If the program crashes, the keylog is emailed along with the stack trace to the responsible programming team. This has been a wonderful help for debugging and is WAY more useful than user descriptions of what they were doing. We can see what caused the fault, and after fixing the problem we can replay the input to verify that it is fixed. However, it only records input when this app has the focus, and users are informed that their input is being recorded.

        • by dgatwood ( 11270 )

          For this type of product, storing that data might actually make sense to keep. The problem is not that the data is being stored, but rather that it is being stored on disk where anybody with the right access privileges can trivially get to it.

          Debug logging is the perfect use case for an in-memory ring buffer. That approach ensures that the data is relatively hard to access (i.e. that it can be accessed only by your debugging tool that knows the magic handshake or whatever). It also ensures that the data

      • Well it has to capture keystrokes, so I guess if the developer was having trouble w/ that the log would be useful. Not appropriate for release of course.
      • by v1 ( 525388 )

        it looks like they intended to log the pressing of the volume and mute keys, probably to make sure they were being captured and responded to accurately and reliably. So when the beta tester tells you "the music was playing when I left for lunch but when I came back it was silent so I rebooted it", they can look at the logs and verify that no, right about the time you left for lunch you pressed the Mute button whilst trying to turn off the wifi.

        As a developer I can see where it would be a lot easier to simp

    • How could this be stupidity? Who accidentally adds keylogging code to an audio driver?
    • by Anonymous Coward

      I don't quite agree with that advice. Perhaps a better rule of thumb would be:

      Be suspicious, but don't accuse without proof.

      The problem is that if you never "attribute to malice" (i.e. be suspicious) then you will be taken advantage of. That's the reality of human culture: the dishonest ones (of which there are many) can pick out the naive ones as easy as they can sort their laundry. They've been practicing it their entire lives. They know within seconds of meeting a person whether or not they will likely m

      • by HiThere ( 15173 )

        I would actually say that it makes sense to accuse, but to be careful in ones wording so that one did not assert. Something like:
        "I find this highly suspicious, and to me it seems the most probable explanation is malice, of course it could be incompetence."

        Were the revealed actions of the powerful different, I'd be less apt to estimate probability in this way, and more willing to accept incompetence as the explanation. Of course, in either case one should hesitate to do any further business with them.

    • by gweihir ( 88907 )

      Stupidity. It is far too obvious (if anybody bothers to look) for anything else. Basically, you type a random number in and then search for it on disk. The only protection against detection it has is that most people do not assume developers are quite this extremely stupid. After Intel last week, I think we can safely assume that even software from big names can contain utterly demented mistakes that are a catastrophe for security.

    • Stupid is, as stupid does.
    • Well, HP should be able to answer that quite easily. I assume that they at least use version control. That should reveal the exact employee who create the logging code. And every person who signed off on the code reviews. And all the chat messages between employees and managers.

      It should not be hard for the company to find out what happened... unless the thing was approved by management in some sort of espionage agreement.

  • by hcs_$reboot ( 1536101 ) on Thursday May 11, 2017 @11:35AM (#54399995)
    # ls -l C:\windows\system32\mictray64.exe
    ls: cannot access 'C:windowssystem32mictray64.exe': No such file or directory
    • Re: (Score:3, Funny)

      by AnthonywC ( 4415891 )
      You can running windows; you are not safe.
    • ls -l C:\windows\system32\mictray64.exe
      ls: C:windowssystem32mictray64.exe: No such file or directory

      Funny how Unix, Linux and Mac users are alike these days. The only odd one is Windows.

      • by Kardos ( 1348077 )

        You're doing it wrong, you need to quote the path there:

        $ ls -l "C:\windows\system32\mictray64.exe"
        ls: cannot access C:\windows\system32\mictray64.exe: No such file or directory

  • Not a problem! (Score:4, Insightful)

    by Joce640k ( 829181 ) on Thursday May 11, 2017 @11:36AM (#54400011) Homepage

    Anything capable of reading this is capable of installing its own key logger, so.... non-story.

    Still, it shows the stupidity of some programmers. I get you need to debug things but have an on/off setting and disable it by default.

    • Re:Not a problem! (Score:5, Informative)

      by AmiMoJo ( 196126 ) <> on Thursday May 11, 2017 @11:58AM (#54400213) Homepage Journal

      Anything capable of reading this is capable of installing its own key logger, so.... non-story.

      No, that's not been true since Vista.

      Anything wanting to start with Windows and log keystrokes will need to be installed with administrator level permissions, which means a UAC prompt to the user (screen goes dark, everything except the warning message vanishes, if configured the user's password is required).

      By pre-installing it HP have provided a handy way for non-privileged malware to perform keylogger functions, without the need for a privilege escalation exploit.

    • by ledow ( 319597 )

      Er... no.


      Public has *read and write* permission for anybody in the CREATOR OWNER and INTERACTIVE groups. The latter includes any logged-in user account. So anyone can potentially read the keystrokes of the admin who sat on the machine before them ten years ago while setting up the machine, even if they don't have - and never have had - permission to even install software on a machine.

      That's not "non-story".

      Installing software that can read the keyboard even when not focused requi

    • Who ever wrote the driver is an idiot, you don't have to record every bloody keystroke for hot keys, it's built into the windows api.
      More specifically in user32.dll there is a method called RegisterHotKey, I've used it plenty times, works like a charm, there was/is no need to monitor every keystroke, and definitely no reason to write it all out to disk.
  • by waspleg ( 316038 ) on Thursday May 11, 2017 @12:04PM (#54400251) Journal

    I'm at work right now typing on it. It doesn't have this executable, it doesn't have the Conextant audio driver either.

    This does make me curious, though, since I recently tested some newer HP laptops/convertibles which had a noticeable cpu eating process called Flow which is also tied to the Conextant audio driver. []

    We gave them back so I can't check them but it's an interesting coincidence ...

    • by E-Rock ( 84950 )

      It's best practice to wipe a machine as soon as it comes in and to only put back what's absolutely necessary. If the audio works with the windows driver, they wouldn't have put this HP junk back on.

      • It's best practice to wipe a machine as soon as it comes in and to only put back what's absolutely necessary. If the audio works with the windows driver, they wouldn't have put this HP junk back on.

        I used to do this.... until I started purchasing Windows 7 'downgrade' computers with a windows 10 license... and no COA or media for either. Windows 10 licensing works great, until you actually have to do something with it. Try re-installing either OS on one of those PCs. I dare you.

  • Intent (Score:5, Funny)

    by OhSoLaMeow ( 2536022 ) on Thursday May 11, 2017 @12:33PM (#54400459)
    "Although we did not find clear evidence that HPs intended to violate laws governing the handling of the keylogged information, there is evidence that they were extremely creless in their handling of very sensitive information."

    -- James Comey
  • If I put a tape recorder in a device and sold it to someone I'd go to jail. Audio drivers don't need keyloggers. Someone needs to go to jail.
    • by gweihir ( 88907 )

      Not yet, but we will need this if software is ever to be secure. And in particular, we need somebody higher up to go to jail for this, because that is what "responsibility" means. The actual engineers likely saw their prototype declared "ready for production" (has happened to me, but I was forewarned, so it actually was production quality) and that was the end of what they could do.

  • The Linux model of having an unstable kernel ABI, to encourage HW vendors to upstream their drivers suddenly looks the best.
    Stuff your Intellectual Property, I'd like safe drivers. I'll even grant you the use of firmware binary blobs. So a very limited release of company secrets.

    And people blame (in a corporate shilling way) Android for being unable to upgrade the kernel due to HW vendors not open sourcing their drivers. Google and phone vendors should pressurize them.

    • It's the freedom of software that's crucial, not a development methodology of an unstable ABI. Binary firmware blobs are a source of problems; firmware is remarkably powerful and capable and there's no way to have good security with non-free firmware. Firmware for the system persists and provides spying powers that span OSes (install whatever OS, the firmware that acts as a keylogger keeps working). Proprietors including Google make considerable money from spying, but I suspect the real competition for them

  • by dweller_below ( 136040 ) on Thursday May 11, 2017 @01:11PM (#54400681)
    Recently we had a career fair for high school kids. Everybody was there. The kids loved it.

    For one of our displays, we displayed the traffic of a wireless network using a network visualization tool: [] When the kids connected to the wifi, they could see their traffic. They loved doing different things and seeing what happened.

    Somebody had surreptitiously placed a surveillance tracker on a kid's phone. Every thing he did caused a burst of traffic to a remote IP. When he scrolled a screen there was a burst of traffic to that IP, When he typed a character there was a burst of traffic to that IP.. He was absolutely heartbroken when he realized what was going on. His wonderful toy instantly became a treacherous enemy. His friends all took a step back and stared at him like he had become contagious.

    I didn't know how to make it better. The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured..

    • by gweihir ( 88907 )

      More likely some real creeps installed that and, oh, look, it is his parents! (Just remember the /. story from a few days back.)

    • I would've assumed he installed one of the many "free" apps that ask for a million permissions they don't need and then phone home with everything.

    • by rhazz ( 2853871 )

      The best I could say was: "If he is being monitored by a government, they didn't really care what he was doing." Nobody seemed reassured..

      Far, far more likely a parental monitoring tool.

  • The write up on Bleeping Computer lists all of the suspect HP models: https://www.bleepingcomputer.c... [] Sure enough, I found MicTray running on one of our 640 models.
  • This is getting scary. Even the 3rd party components in M$ Window$ is tainted. What's next? keystroke loggers in our browsers. This is why I use open source on my desktop and my phone. If something is there, it's at least easier to find anyone doing nonsense.
  • by Anonymous Coward

    I really miss GoBack. It was really easy to see things like this when running it. Scan through the log of file changes and note files that shouldn't be changing while you're simply editing a text file. Excellent for removing all forms of viruses except rootkits too, assuming you catch them early enough.

  • All because they were unhappy with their press coverage? Why is anyone surprised that they stooped to this?

The optimum committee has no members. -- Norman Augustine