HP Notebooks: Keylogger in Conexant’s audio driver

[German]It's a nasty surprise, what Thorsten Schröder, from Swiss modzero AG, discovered in Conexant's audio drivers shipped with some HP notebooks. The driver is logging all key strokes and writes it into a public log file – a security night mare.


Advertising

A key logger is a software logging all keystrokes on a keyboard – also passwords may be logged. Finding such a key logger within an audio driver isn't a thing you expected.

A bad surprise during device security check

Security expert Thorsten Schröder has been hired to check the security for HP notebooks for a customer. Analyzing the audio driver showed, that this package logs all keyboard entries into a file. The audio driver has been developed and digitally signed by audio chip manufacturer Conexant. Schröder has documented the issued within this modzero.ch post. Schröder wrote:

Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it's quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard.

And he asks:

So what's the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP? The responsibility in this case is uncertain, because the software is offered by HP as a driver package for their own devices on their website. On the other hand, the software was developed and digitally signed by the audio chip manufacturer Conexant.

In some cases, audio drivers are used, to detect a keystroke combination to activate or deactivate a microphone. 

A full blown key logger

Schröder found out, that the developers has added a full featured key logger into the audio driver. In version 1.0.0.46 the driver logs all key strokes into the public file:


Advertising

C:\Users\Public\MicTray.log

It seems, that the driver has this 'feature' since December 2015. The driver is shipped with the following file names:

C:\Windows\System32\MicTray64.exe

or

C:\Windows\System32\MicTray.exe

depending on the Windows architecture.

No spyware – no responsibility

Schröder writes: He didn't find signs, that this is an intended backdoor or key logger. Neither HP nor Conexant are claiming they are responsible for this feature. Therefore Schröder published a Security-Advisory. (via 4chan.org, via heise.de).


Advertising

This entry was posted in devices, Security, Windows and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).