2017-05-16

[EN] Update: Keylogger in Hewlett-Packard Audio Driver

A German version is located right here

On May 11th, we published information about a questionable function in an HP audio driver package. This function included a keylogger that had been implemented unintentionally by third-party vendor Conexant and was delivered by HP to its customers. In the meantime, HP has fixed the issue.

On the same day as our initial release, HP released a new driver package. However, we were not as fast in checking the provided patches, but we finally had a quick look at the patches on May 13th.

Unfortunately, HP still had not tried to get in touch with us; otherwise we could have contacted HP directly with the information that the update still provided the keylogging functions.

The keylogger was still there and only had to be activated by a switch in the Windows Registry. Thus, basically just one additional line of program code is necessary to repurpose the MicTray64 program and turn it into remotely key-logging malware, as described in this highly recommended article.

On May 14th, HP again released an update in which the questionable debugging features, which effectively turned the software into a keylogger, were removed.

Meanwhile, HP also contacted us, which we appreciate very much. Finally, the keylogging thing in the HP audio driver package is no longer an issue. Hewlett-Packard has published its own security bulletin, and we updated our Security Advisory at https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt as well.


Posted by Thorsten Schroeder | File under: security, re, advisory