HP audio driver package comes with a built-in keylogger
ModZero security researchers have uncovered an unexpected behavior in an HP audio driver. The package, which is offered by the electronics maker through its website, secretly registers "all keyboard input," effectively working as a keylogger. Question is, is this a bug or a feature?
It is not abnormal for an audio driver to look for when certain keys are pressed, as, for instance, if you press the volume down button on the keyboard the driver needs to intercept that keystroke so it does what you asked it to, but it is uncommon for one to cast such a wide net, and, as a result, put users' private information, like usernames, passwords, personal communication and so on, at risk.
The security researchers have not managed to determine who is to blame for the keylogger as, they say, the software "was developed and digitally signed by the audio chip manufacturer Conexant," which supplies audio chips for a large number of devices. HP may be just shipping what Conexant created, so there is no way of telling if it has any involvement, although that is a possibility.
The security researchers explain that "the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive."
Apparently, the keylogger has been present on HP devices since December 2015 "at least." That is quite a long period of time for what is hopefully a bug to remain unpatched. What's more, a more recent version (1.0.0.46) creates a log file of all the key presses at C:\Users\Public\MicTray.log. That file is overwritten at startup, but there are ways to retrieve past versions if, for instance, you have regular backups of your HP device.
ModZero believes that there "is no evidence that this keylogger has been intentionally implemented," adding that "it is [obviously] a negligence of the developers." Neither HP nor Conexant have responded to its inquiries, so there is not much (if any) official information to go by here.
You can check to see if the aforementioned file exists, to see if you are affected. If you want to take action, ModZero recommends that you delete or rename the MicTray64 or MicTray program found in the System32 folder, under Windows, and delete the log file as well. The downside is that the multimedia keys may no longer work normally, but that may be a small price to pay to get rid of what is basically malware.
Photo Credit: Denis Belyaevskiy/Shutterstock