{"id":2861,"date":"2017-05-16T10:14:19","date_gmt":"2017-05-16T08:14:19","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=2861"},"modified":"2024-10-05T23:21:02","modified_gmt":"2024-10-05T21:21:02","slug":"the-hp-conexant-audio-driver-stop-key-logger-placebo-update","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/05\/16\/the-hp-conexant-audio-driver-stop-key-logger-placebo-update\/","title":{"rendered":"The HP Conexant audio driver &lsquo;stop keylogger&rsquo; placebo update"},"content":{"rendered":"<p>[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/05\/16\/das-hp-audiotreiber-keylogger-placebo-update\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]A few days ago I reported about a key logger within HP's Conexant audio drivers for several devices. HP claimed this key logger had been left in the driver accidentally and quickly offered an update to 'remove' the key logger. But what would you think if the key logger hasn't been removed? <strong>Addendum:<\/strong> A 2nd update has changed the situation again.<\/p>\n<p>Recently I've learned that we are living in an age of 'alternative facts &amp; fake news'. And from movies I learned that there is a 'good cop, bad cop' game. The media has applauded HP for their quick update for the audio driver. But we have to take a closer look.<\/p>\n<h3>What's the matter?<\/h3>\n<p>Some HP notebooks with Conexant audio chips (see the list within <a href=\"https:\/\/web.archive.org\/web\/20191009140227\/https:\/\/www.modzero.ch\/advisories\/MZ-17-01-Conexant-Keylogger.txt\" target=\"_blank\" rel=\"noopener noreferrer\">this Security Advisory<\/a>) have been shipped since 2015 with a 'special' audio driver. This driver contains a key logger, writing all keystrokes into a text file located at:<\/p>\n<p><em>C:\\Users\\Public\\MicTray.log<\/em><\/p>\n<p>Security researcher <a href=\"https:\/\/web.archive.org\/web\/20180824162630\/https:\/\/www.modzero.ch\/en\/about.html\" target=\"_blank\" rel=\"noopener noreferrer\">Thorsten Schr\u00f6der<\/a> detected this key logger within the audio driver during a security audit of an HP driver package for a customer. I've written about this topic within my blog post <a href=\"https:\/\/borncity.com\/win\/2017\/05\/11\/hp-notebooks-keylogger-in-conexants-audio-driver\/\">HP Notebooks: Keylogger in Conexant's audio driver<\/a>.<\/p>\n<p>HP says the key logger should never have been shipped and was left in the driver accidentally. The company immediately offered a driver update that is believed to remove the key logger.<\/p>\n<h3>The turn-signal problem: on, off, on, off, ported to a key logger \u2026<\/h3>\n<p>Probably HP's management and the driver developers have been under great time pressure. So they took the lesson from 'alternative facts' and offered an update to stop logging keystrokes into the text file. But it seems to be only a placebo, as security analyst <a href=\"https:\/\/web.archive.org\/web\/20180824162630\/https:\/\/www.modzero.ch\/en\/about.html\" target=\"_blank\" rel=\"noopener noreferrer\">Thorsten Schr\u00f6der<\/a> found out and reported within this tweet:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\"><a href=\"https:\/\/twitter.com\/hashtag\/HP?src=hash\">#HP<\/a> did not remove the <a href=\"https:\/\/twitter.com\/hashtag\/keylogger?src=hash\">#keylogger<\/a> functions in new version. Simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry. <a href=\"https:\/\/t.co\/321uLSDP7s\">pic.twitter.com\/321uLSDP7s<\/a><\/p>\n<p>\u2014 THS (@__ths__) <a href=\"https:\/\/twitter.com\/__ths__\/status\/863324677019770880\">13 May 2017<\/a><\/p><\/blockquote>\n<p>Uh, the key logger hasn't been removed; it has only been deactivated, and the registry DWORD entries <em>SeeScanCode=1<\/em> and <em>EnableLog=1<\/em> switch it back on. Schr\u00f6der doesn't mention the registry key in detail, but we could ask the Sysinternals tool Procmon for details. It seems that isn't necessary, though. According to <a href=\"https:\/\/diablohorn.com\/2017\/05\/12\/repurposing-the-hp-audio-key-logger\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>, the search should go to the key:<\/p>\n<p><em>HKEY_CURRENT_USER\\Software\\Conexant\\<\/em><\/p>\n<p>and probably to its HKLM counterpart. The HKCU entry may be changed without administrator permissions.<\/p>\n<h3>Final thoughts<\/h3>\n<p>The folks at HP\/Conexant must be in a great hurry, or they are just stupid. HP has been caught with its fingers in the honey pot again. We just learned the WannaCry backdoor debacle the hard way \u2013 and now we have another backdoor. Enabling this key logger to report all keystrokes remotely is not difficult, as you can read within <a href=\"https:\/\/diablohorn.com\/2017\/05\/12\/repurposing-the-hp-audio-key-logger\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>.<\/p>\n<h3>Addendum: A 2nd update removed the key logger<\/h3>\n<p>HP has released another update for the Conexant HD Audio Driver on impacted machines. According to the German IT site <a href=\"https:\/\/www.heise.de\/newsticker\/meldung\/HP-entfernt-Keylogger-vollstaendig-aus-Audiotreiber-3714808.html\" target=\"_blank\" rel=\"noopener noreferrer\">heise.de<\/a>, and this tweet:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">Aaaaaand it's gone&#8230; \/\/ cc <a href=\"https:\/\/twitter.com\/pHiPs209\">@pHiPs209<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/hp?src=hash\">#hp<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/conexant?src=hash\">#conexant<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/keylogger?src=hash\">#keylogger<\/a> <a href=\"https:\/\/t.co\/6tN3dwTnGU\">pic.twitter.com\/6tN3dwTnGU<\/a><\/p>\n<p>\u2014 THS (@__ths__) <a href=\"https:\/\/twitter.com\/__ths__\/status\/864142890121007106\">15 May 2017<\/a><\/p><\/blockquote>\n<p>this new driver removes the key logger completely; the registry trick won't work anymore. They have published <a href=\"https:\/\/web.archive.org\/web\/20240310024345\/https:\/\/support.hp.com\/us-en\/document\/c05519670\" target=\"_blank\" rel=\"noopener noreferrer\">this support document<\/a> with a list of affected machines and driver download links. But no word so far about what the update will do.<\/p>\n<p>Ok, it seems that my first assumption mentioned above was right, but the 2nd assumption hasn't proven false. Why: Because they didn't inform <a href=\"https:\/\/web.archive.org\/web\/20180824162630\/https:\/\/www.modzero.ch\/en\/about.html\" target=\"_blank\" rel=\"noopener noreferrer\">Thorsten Schr\u00f6der<\/a> about their temporary first solution &#8211; and they don't mention the changes within the driver versions (no word about the keylogger as far as I've seen) &#8211; not professional.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A few days ago I reported about a key logger within HP's Conexant audio drivers for several devices. HP claimed this key logger had been left in the driver accidentally and quickly offered an update to 'remove' the key logger. &hellip; <a href=\"https:\/\/borncity.com\/win\/2017\/05\/16\/the-hp-conexant-audio-driver-stop-key-logger-placebo-update\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580,22],"tags":[830,536,414,69,195],"class_list":["post-2861","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","category-update","tag-conexant","tag-driver","tag-hp","tag-security","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=2861"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2861\/revisions"}],"predecessor-version":[{"id":36035,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/2861\/revisions\/36035"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=2861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=2861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=2861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}