Over the past few years, we’ve seen some high-profile security problems with laptops from Lenovo, Samsung, and Dell. HP, up until now, had managed to escape any serious issues. According to the Swiss infosec company ModZero, that’s changed, courtesy of a keylogger embedded (probably accidentally) into certain audio drivers used on HP laptops.
HP uses Conexant audio chips for some of its laptops, which means it also ships Conexant’s included software and drivers. Here’s how ModZero describes the problem:
Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model – for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input.
Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcast through a debugging interface or written to a log file in a public directory on the hard-drive.
This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.
The keylogger is created by flaws in Conexant’s MicTray64.exe application. It’s designed to monitor keystrokes and respond to user input, probably to respond to commands to mute or unmute the microphone, or begin capturing information within an application. Unfortunately, it also writes out all keystroke data into a publicly accessible file located at C:\Users\Public\MicTray.log. In the event that this log file does not exist, the keystrokes are passed to the OutputDebugString API, allowing any process to capture this information without being identified as a malicious program.
This behavior appears to have been introduced with version 126.96.36.199 of MicTray64. ModZero has also published pseudo-code showing how the MicTray64 application captures keystrokes and either writes them to the log file or exposes them for capture through the debug interface; that information is available here.
Any application running in a user session that can monitor debug messages could be modified to log keystroke information based on the way MicTray64 is implemented. There’s no explanation for why Conexant implemented this function in such a fashion, and the ModZero team doesn’t think it’s intentional. But there’s also no way to fix the issue at this point in time, apart from possibly uninstalling all audio software from the system. Deleting the MicTray64.exe application would seem to work, but this could result in a non-functional microphone.
For now, ModZero recommends that users check for and delete or rename the MicTray64 and MicTray applications (located at C:\Windows\System32). If you aren’t comfortable accessing protected file space within Windows, ask someone for help — mucking around in the System32 directory without knowing what you’re doing can destroy your OS installation.
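As an added example, not code from ModZero or HP, the following PowerShell script performs the check described above on a Windows host: it looks for the two MicTray executables in System32 and for the public log file, reports what it finds (file version and SHA-256, so the result can be compared against the vendor’s advisory), and only renames the executables when run with -Remediate. It assumes the paths named in this article and should be run from an elevated prompt.

```powershell
# Added example: audit a host for the Conexant MicTray keystroke logging
# described above. Read-only unless -Remediate is given; honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$exes = @(
    "$env:SystemRoot\System32\MicTray64.exe",
    "$env:SystemRoot\System32\MicTray.exe"
)
$log = 'C:\Users\Public\MicTray.log'   # world-readable keystroke log

$findings = @()
foreach ($exe in $exes) {
    if (Test-Path -LiteralPath $exe) {
        $item = Get-Item -LiteralPath $exe
        $findings += [pscustomobject]@{
            Path    = $exe
            Version = $item.VersionInfo.FileVersion
            SHA256  = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
    }
}

# A running MicTray process means keystrokes are being captured right now.
$procs = Get-Process -Name 'MicTray64', 'MicTray' -ErrorAction SilentlyContinue

if (Test-Path -LiteralPath $log) {
    $size = (Get-Item -LiteralPath $log).Length
    Write-Warning "Keystroke log present: $log ($size bytes). It holds text typed on this host; review it, then delete it securely."
}

if (-not $findings -and -not $procs) {
    Write-Host 'MicTray not found; this host does not appear to be affected.'
    return
}

$findings | Format-Table -AutoSize
if ($procs) { Write-Warning ('MicTray running, PID ' + ($procs.Id -join ', ')) }

if ($Remediate) {
    if ($procs) { $procs | Stop-Process -Force }
    foreach ($f in $findings) {
        # Rename rather than delete so a fixed vendor driver, or the user, can restore it.
        $newName = (Split-Path -Path $f.Path -Leaf) + '.disabled'
        if ($PSCmdlet.ShouldProcess($f.Path, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.Path -NewName $newName
        }
    }
}
```

Renaming the executables disables the microphone hot keys and recording LED on affected models, as the article notes; with the process stopped, no further keystrokes reach the log file or the debug interface.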
HP, to date, has not released any information on how they intend to resolve this issue or made any public comment.