An audio driver that comes installed on some HP-manufactured computers records users’ keystrokes and stores them in a world-readable plaintext file, researchers said Thursday.
The culprit appears to be version 22.214.171.124 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines.
ModZero, a Swiss security firm, found the file–which it calls a keylogger, and disclosed it Thursday via an advisory on its site. Researchers with the firm say the program monitors all keystrokes made by the user and that it’s been programmed to capture and react to functions such as microphone mute/unmute keys/hotkeys.
The keylogger broadcasts the keystrokes through a debugging interface and writes them to a log file, C:\Users\Public\MicTray.log.
ModZero is warning the issue (CVE-2017-8360) could lead to the leaking of sensitive user information, such as passwords. Anyone with access to the unencrypted file system could recover the data. Furthermore, since the program isn’t considered malicious, malware authors wouldn’t have trouble capturing victim’s keystrokes either. Researchers say the keylogger comes registered as a Microsoft Scheduled Task, so it runs after each user login. While the file is overwritten each time, ModZero says it could easily be recruited by a running process or analyzed by someone with forensic tools.
Researchers surmised the software has been recording keystrokes since version 126.96.36.199 was released, on Christmas Eve 2015, but stress that the same problem exists in the most recent version, 188.8.131.52, released last October.
Researchers say it’s not known if the log data is submitted to Conexant or for that matter why the keystrokes are logged being logged in the first place.
Thorsten Schroeder, ModZero’s senior security consultant and CEO, says there’s no proof the program was intentionally implemented but that it mostly demonstrates the developers’ “negligence.”
“If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user,” Schroeder wrote Thursday.
Schroeder says he attempted to contact Conexant about the driver twice, once via email in April and again in May via Twitter, but failed to hear back both times.
ModZero also warns the audio driver comes installed on a slew of HP machines, including its EliteBook, Elite x2, ProBook, and ZBook lines, but could exist in other machines. The company also delivers audio drivers for Dell, Lenovo, and Asus machines although at this point it’s not certain they feature the same audio driver.
The firm says the following HP products are affected however:
Conexant Systems, which began as a spinoff of Rockwell International in 1999, makes chips and software for audio and image processing. The company did not immediately return a request for comment Thursday morning.
Schroeder said he attempted to contact HP about the issue as well. A Hewlett-Packard Enterprise security advisor reportedly denied any wrongdoing and contacted members of HP Inc.’s security team earlier this month. After failing to hear back, Schroeder disclosed the issue, including proof of concept code, Thursday morning. Neither HP, nor HPE responded to requests for comment on Thursday.
It’s unclear if this is a feature or a flaw of the driver, but until it’s sorted out ModZero is encouraging HP computer owners to verify whether MicTray.exe is installed on their machines and delete the executable.
“We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore,” Schroeder wrote, “However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard-drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.”