H/t @Liberationtech @twitter https://twitter.com/Liberationtech/status/862849917806661634

> The audio driver installed on some HP laptops includes a feature that
> could best be described as a keylogger, which records all the user's
> keystrokes and saves the information to a local file, accessible to
> anyone or any third-party software or malware that knows where to look.
>
> Swiss cyber-security firm modzero discovered the keylogger on April 28
> and made its findings public today.
>
> Keylogger found in preinstalled audio driver
>
> According to researchers, the keylogger feature was discovered in the
> Conexant HD Audio Driver Package version 1.0.0.46 and earlier.
>
> This is an audio driver that is preinstalled on HP laptops. One of the
> files of this audio driver is MicTray64.exe
> (C:\windows\system32\mictray64.exe).
>
> This file is registered to start via a Scheduled Task every time the
> user logs into his computer. According to modzero researchers, the
> file "monitors all keystrokes made by the user to capture and react to
> functions such as microphone mute/unmute keys/hotkeys."
>
> This behavior, by itself, is not a problem, as many other apps work
> this way. The problem is that this file writes all keystrokes to a
> local file at:
>
> C:\users\public\MicTray.log
>
> Audio driver also exposes keystrokes in real-time via local API
>
> If the file doesn't exist or a registry key containing this file's
> path does not exist or was corrupted, the audio driver will pass all
> keystrokes to a local API, named the OutputDebugString API.
>
> The danger is that malicious software installed on the computer, or a
> person with physical access to the computer, can copy the log file and
> have access to historical keystroke data, from where he can extract
> passwords, chat logs, visited URLs, source code, or any other
> sensitive data.
>
> Furthermore, the OutputDebugString API provides a covert channel for
> malware to record real-time keystrokes without using native Windows
> functions, usually under the watchful eye of antivirus software.
>
> Keylogger feature confirmed in HP laptops
>
> Modzero researchers said they found the Conexant HD Audio Driver
> Package preinstalled on 28 HP laptop models. Other hardware that uses
> this driver may also be affected, but investigators haven't officially
> confirmed that the issue affects other manufacturers.
>
> HP EliteBook 820 G3 Notebook PC
> HP EliteBook 828 G3 Notebook PC
> HP EliteBook 840 G3 Notebook PC
> HP EliteBook 848 G3 Notebook PC
> HP EliteBook 850 G3 Notebook PC
> HP ProBook 640 G2 Notebook PC
> HP ProBook 650 G2 Notebook PC
> HP ProBook 645 G2 Notebook PC
> HP ProBook 655 G2 Notebook PC
> HP ProBook 450 G3 Notebook PC
> HP ProBook 430 G3 Notebook PC
> HP ProBook 440 G3 Notebook PC
> HP ProBook 446 G3 Notebook PC
> HP ProBook 470 G3 Notebook PC
> HP ProBook 455 G3 Notebook PC
> HP EliteBook 725 G3 Notebook PC
> HP EliteBook 745 G3 Notebook PC
> HP EliteBook 755 G3 Notebook PC
> HP EliteBook 1030 G1 Notebook PC
> HP ZBook 15u G3 Mobile Workstation
> HP Elite x2 1012 G1 Tablet
> HP Elite x2 1012 G1 with Travel Keyboard
> HP Elite x2 1012 G1 Advanced Keyboard
> HP EliteBook Folio 1040 G3 Notebook PC
> HP ZBook 17 G3 Mobile Workstation
> HP ZBook 15 G3 Mobile Workstation
> HP ZBook Studio G3 Mobile Workstation
> HP EliteBook Folio G1 Notebook PC
>
> The Conexant HD Audio Driver Package has versions for the following
> operating systems.
>
> Microsoft Windows 10 32-Bit
> Microsoft Windows 10 64-Bit
> Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
> Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
> Microsoft Windows 7 Enterprise 32 Edition
> Microsoft Windows 7 Enterprise 64 Edition
> Microsoft Windows 7 Home Basic 32 Edition
> Microsoft Windows 7 Home Basic 64 Edition
> Microsoft Windows 7 Home Premium 32 Edition
> Microsoft Windows 7 Home Premium 64 Edition
> Microsoft Windows 7 Professional 32 Edition
> Microsoft Windows 7 Professional 64 Edition
> Microsoft Windows 7 Starter 32 Edition
> Microsoft Windows 7 Ultimate 32 Edition
> Microsoft Windows 7 Ultimate 64 Edition
> Microsoft Windows Embedded Standard 7 32
> Microsoft Windows Embedded Standard 7E 32-Bit
>
> HP did not respond to a request for comment from Bleeping Computer in
> time for this article's publication.
>
> Here's how to Check for and Remove the HP MicTray64 Keylogger...

BleepingComputer: https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
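
A read-only check for the artifacts the quoted article names, added here as an example (it is not from the article, modzero, or HP). The two file paths come from the article; the function name `Get-MicTrayFinding` is made up for this example, and the scheduled task is matched by its executable because the article does not give the task's name.

```powershell
# Added example: reports the MicTray64 artifacts described in the article.
# Nothing is deleted or modified, and the log's contents are never printed,
# since it may hold captured passwords.
# Run from a 64-bit PowerShell: a 32-bit host is redirected to SysWOW64.
$exePath = Join-Path $env:windir 'System32\MicTray64.exe'   # path from the article
$logPath = 'C:\Users\Public\MicTray.log'                    # path from the article

function Get-MicTrayFinding {
    $findings = @()

    # 1. The executable itself, with its file version for comparison
    #    against the vendor's fixed driver package.
    if (Test-Path -LiteralPath $exePath) {
        $exe = Get-Item -LiteralPath $exePath
        $findings += [pscustomobject]@{
            Check  = 'Executable present'
            Detail = "$exePath (file version $($exe.VersionInfo.FileVersion))"
        }
    }

    # 2. The world-readable keystroke log: report size and age only.
    if (Test-Path -LiteralPath $logPath) {
        $log = Get-Item -LiteralPath $logPath -Force
        $findings += [pscustomobject]@{
            Check  = 'Keystroke log present'
            Detail = "$logPath, $($log.Length) bytes, last written $($log.LastWriteTime)"
        }
    }

    # 3. Any scheduled task that launches the binary at logon.
    #    Get-ScheduledTask is not available on Windows 7, so guard for it.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask) {
            if ($task.Actions | Where-Object { $_.Execute -match 'MicTray64' }) {
                $findings += [pscustomobject]@{
                    Check  = 'Scheduled task launches MicTray64'
                    Detail = "$($task.TaskPath)$($task.TaskName) (state: $($task.State))"
                }
            }
        }
    }

    # 4. A currently running instance.
    foreach ($proc in Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Check = 'Process running'; Detail = "PID $($proc.Id)" }
    }
    return $findings
}

Get-MicTrayFinding | Format-Table -AutoSize -Wrap
```

An empty result means none of the four artifacts were found. A hit on the log file with a recent write time means keystrokes are being recorded on that machine now.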