Audio Driver in HP Laptops Acts as Keylogger, Fix Available

HP laptops sporting an audio driver developed by audio chip maker Conexant were found recording all user keystrokes in an unencrypted file.

Security researchers found that some HP laptops are shipped with an audio driver that can record all keyboard activity and store the information locally and unencrypted in a file on the computer’s hard drive. While they believe that this was not an intended “feature” of the audio drive, it does raise serious security concerns as cybercriminals could leverage the existence of the file to gain access to sensitive information, such as passwords, authentication credentials, or any other data.

The driver’s original purpose was to “listen” for the activation of specific keys, but a debugging feature built into it allows for all keystrokes to be logged and saved in an unencrypted file, within a public directory. As a result anyone with local or remote access to the computer can view the complete history of keystroke activities.

“This type of debugging turns the audio driver effectively into keylogging spyware,” wrote the Swiss security researcher. “On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”

Although chip maker Conexant has yet to issue any statement on the matter, HP did state they’re aware of the situation and that the debugging feature implemented by the software developer should have not been included in the final shipping of the product.

“Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version,” said HP in a statement.

“HP has no access to customer data as a result of this issue. We have identified a fix and will make it available to our customers,” according to the company.

Damaged devices include HP Elitebook, Probook and Zbook laptops running Windows 7 or 10, but a full list of affected HP products can be found here. The unintended “feature” has already been assigned a CVE (CVE-2017-8360).

Users suspecting they may have the Conexant driver installed on their system can search for it themselves and remove it, along with the keylogging log file. Removing the MicTray.exe file (from the following locations: “C:WindowsSystem32” or” C:WindowsSystem32”) and the MicTray.log file, located in “C:UsersPublic” will remove the keylogging “feature” of the driver.

HP has already issued a publicly available fix for the problem, available via Windows Update or from HP’s official website, addressing device models starting with 2016. For 2015 models, the fix will be available this week.

Leave a Reply