Thorsten Schröder of the Swiss company modzero AG made a nasty discovery in the Conexant audio drivers shipped with some HP notebooks: the driver logs all keystrokes and writes them to a publicly readable log file, a security nightmare.
A keylogger is software that records every keystroke made on a keyboard, so passwords may be logged as well. An audio driver is not a place where you would expect to find one.
A bad surprise during a device security check
Security expert Thorsten Schröder was hired by a customer to check the security of HP notebooks. Analysis of the audio driver showed that the package logs all keyboard input to a file. The audio driver was developed and digitally signed by the audio chip manufacturer Conexant. Schröder has documented the issue in this modzero.ch post. Schröder wrote:
Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it's quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard.
And he asks:
So what's the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP? The responsibility in this case is uncertain, because the software is offered by HP as a driver package for their own devices on their website. On the other hand, the software was developed and digitally signed by the audio chip manufacturer Conexant.
In some cases, audio drivers detect a keystroke combination in order to activate or deactivate a microphone.
A full-blown keylogger
Schröder found out that the developers had added a full-featured keylogger to the audio driver. In version 1.0.0.46, the driver logs all keystrokes to the public file:
C:\Users\Public\MicTray.log
It seems that the driver has had this 'feature' since December 2015. The driver is shipped with the following file names:
C:\Windows\System32\MicTray64.exe
or
C:\Windows\System32\MicTray.exe
depending on the Windows architecture.
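To check a machine for the files named above, the following read-only PowerShell script can be run locally. It is an added example, not code from modzero, HP or Conexant; the paths and the version number are taken from this article, and the variable names are illustrative.

```powershell
# Added example: local, read-only check for the MicTray files named in the article.
# Paths and version come from the article; nothing is modified or deleted.
$binaries = @(
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe'
)
$logPath       = 'C:\Users\Public\MicTray.log'
$loggedVersion = '1.0.0.46'   # version the article reports as logging keystrokes

$findings = foreach ($path in $binaries) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path
        $v    = $file.VersionInfo
        # Build the version from its numeric parts; the FileVersion string
        # is free-form and may be formatted differently.
        $ver  = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                     $v.FileBuildPart, $v.FilePrivatePart
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path           = $path
            FileVersion    = $ver
            MatchesArticle = ($ver -eq $loggedVersion)
            Signer         = $sig.SignerCertificate.Subject   # empty if unsigned
            SignatureState = $sig.Status
            Running        = [bool](Get-Process -Name $file.BaseName -ErrorAction SilentlyContinue)
        }
    }
}

# The log may contain typed passwords, so report metadata only and never its content.
$log = if (Test-Path -LiteralPath $logPath -PathType Leaf) {
    $item = Get-Item -LiteralPath $logPath -Force
    [pscustomobject]@{
        Path       = $logPath
        SizeBytes  = $item.Length
        LastWrite  = $item.LastWriteTime
        ReadableBy = (Get-Acl -LiteralPath $logPath).Access.IdentityReference -join ', '
    }
}

if ($findings) { $findings | Format-List } else { 'No MicTray executable found.' }
if ($log)      { $log      | Format-List } else { 'No MicTray.log found.' }
```

A version other than 1.0.0.46 is not proof that logging is absent; the article only names that one version.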
No spyware – no responsibility
Schröder writes that he found no signs that this is an intentional backdoor or keylogger. Neither HP nor Conexant claims responsibility for this feature. Schröder therefore published a security advisory (via 4chan.org, via heise.de).