Keylogger discovered buried in HP audio driver (Updated)

By Shawn Knight May 11, 2017, 12:58 8 comments

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

Security researchers with Swiss firm modzero have discovered a keylogger buried in an audio driver packaged and distributed by HP since at least Christmas 2015. Although the code doesn't appear to be intentional or malicious by nature, it's alarming nevertheless and affected users should take action to remedy the matter.

Update: HP is in the process of releasing a fix for all affected PCs via Windows Update. According to Axios, a fix for 2016 models was released already, while the patch for older 2015 PCs will be released tomorrow (Friday) on both Windows Update and HP's website.

As the security company explains, some commands to control audio hardware depend on special keypresses to toggle specific functions (turning the microphone on and off or controlling a recording LED on the computer, for example).

Code found in the Conexant audio driver is used to intercept and process keyboard input to determine if a special key is pressed that should trigger a specific audio function. Unfortunately, this crude process inadvertently processes everything then writes it to an unencrypted log file.

Modzero says that even though the file is overwritten after each login, its contents can likely easily be monitored by running processes or using forensic tools. For those that make regular incremental backups, it's possible that a history of all keystrokes from the past couple of years could exist within the backups.

It's rare that a keylogger is implemented for non-malicious use but that appears to be the case here; pure negligence on the part of the developer.

HP computer users are advised to check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. If found, the firm recommends deleting or renaming the executable to prevent keystrokes from being recorded. Doing so, however, may disable special key function but that's a fair trade-off IMO.

Additionally, if a C:\Users\Public\MicTray.log file exists, the firm says to delete it immediately.

Modzero said it attempted to do the right thing by contacting both Conexant Systems Inc. and HP Inc. about the issue before going public but neither company responded to any contact requests. Furthermore, Modzero said HP Enterprise refused any responsibility. In accordance with their Responsible Disclosure process, they decided to go ahead and bring the matter to the public's attention.

8 comments 215 likes and shares

Tech Jobs: Find the next step in your career

Related Stories

Featured on TechSpot