[German]A few days ago I've reported about a key logger within HP's Conexant audio drivers for several devices. HP claimed this key logger has been left accidentally within the driver and offered quickly an update to 'remove' the key logger. But what would you think, if the key logger hasn't removed? Addendum: A 2nd update has changed the situation again.
Advertising
Recently I 've learned, we are living in an age of 'alternative facts & fake news'. And from movies I learned that there ist a 'good cop, bad cop' game. Media has applauded HP for their quick update for the audio driver. But we have to have a closer look.
What's the matter?
Some HP notebooks with Conexant audio chips (see the list within this Security Advisory) has been shipped since 2015 with a 'special' audio driver. This driver contains a key logger, writing all keystroke into a text file located at:
C:\Users\Public\MicTray.log
Security researcher Thorsten Schröder detected this key logger within the audio driver during a security audit for a customer on a HP driver package. I've written about this topic within my blog post HP Notebooks: Keylogger in Conexant's audio driver.
HP says, the key logger should have never been shipped and left accidentally within the driver. The company offers immediately a driver update, that is believed to remove the key logger.
Advertising
The direction light problem: on, off, on, off ported to a key logger …
Probably HP's management and the driver developers has been under a great time pressure. So they took the lection from 'alternative facts' and offered an update to remove logging keystrokes into the text files. But it seems only a placebo, as security analyst Thorsten Schröder found out and reported within this tweet:
#HP did not remove the #keylogger functions in new version. Simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry. pic.twitter.com/321uLSDP7s
— THS (@__ths__) 13. Mai 2017
Uh, the key logger hasn't been removed, they just deactivated it via registry DWORD entries SeeScanCode=1 and EnableLog = 1. Schröder doesn't mentioned the registry key in detail, but we could ask the sysinternals tool Procmon for details. But it seems that isn't necessary. According to this article, the search should go to key:
HKEY_CURRENT_USER\Software\Conexant\
and probably to the HKLM pendant. The HKCU entry may be changed without administrator permissions.
Final thoughts
The folks at HP/Conexant must be in a great hurry, or they are just stupid. HP has been catched with its finger in a honey pot again. We just learned the WannyCry backdoor debacle the hard way – and now we have another backdoor. Enabling this key logger to report all keystroke remotely is not difficult, as you can read within this article.
Addendum: A 2nd update removed the key logger
HP has released another update for the Conexant HD Audio Driver on impacted machines. According to German IT site heise.de, and this tweet:
Aaaaaand it's gone… // cc @pHiPs209 #hp #conexant #keylogger pic.twitter.com/6tN3dwTnGU
— THS (@__ths__) 15. Mai 2017
this new driver removes the key logger completely, the registry thing won't work anymore. They have published this support document with a list of affected machines and driver download links. But no words so far, what the update will do.
Ok, it seems that my first assumption mentioned above was right, but the 2nd assumption hasn't proven as false. Why: Because they don't inform Thorsten Schröder about their temporary first solution – and the don't mention the changes within the driver versions (no word about the keylogger as far as I've seen) – not professional.
