HP laptops found to have hidden keylogger (opens in new tab)

(bbc.co.uk)

368 pointsnef8y ago57 comments

57 comments

Previous discussion: https://news.ycombinator.com/item?id=15885206

jchw8y ago

So... This has ballooned from debug code with no evidence of ever being maliciously used to "loss of confidentiality" and now instead of being a keylogger it's a "hidden keylogger."

Dramatic tone change for no actual new news. Sure this is getting the person's blog attention, but now I'm certain I don't agree with the alarmist title of the original post.

kbutler8y ago

And the assertion that "an attacker with access to the computer could have enabled it to record what a user was typing" is somewhat silly.

If the attacker has access to the computer, why not install some other key logger that would send info to the attacker's site?

julianj8y ago

I agree that the someone having access to run arbitrary code on a machine is a much bigger deal. In this case, the difference between this debugging feature and an installed keylogger is the use of trusted software to perform the keylogging. When the mictray issue came out earlier this year, I ran across a blog post you may find interesting [1]. To summarize, the author repurposed the HP executable to log keys to a remote server using webdav.

[1] https://diablohorn.com/2017/05/12/repurposing-the-hp-audio-k...

1 more reply

Someone12348y ago

Claiming that an attacker would use this is nonsensical.

You need write access HKLM in order to change the registry key, if you have write access to HKLM you can inject your own driver (inc. keylogger) into the OS.

Plus the keypresses are context-less (i.e. you don't know what application, or window the keypress was sent to). A continuous stream of keypresses with no context is darn near useless, it doesn't even contain timestamps!

Any number of off-the-shelf keyloggers would do a far better job, all of which can be auto-loaded if you have HKLM write access. They'll even tell you the exact web page a keypress was sent to and manage the job of sending that information to you...

3 more replies

icebraining8y ago

Or as Raymond Chen is fond of saying (citing from the Hitchhikers Guide), "It rather involved being on the other side of this airtight hatchway".

sandworm1018y ago

>> why not install some other key logger that would send info to the attacker's site?

Because one would assume that this software/driver has been signed and would not be recognized as evil by any protection system, at least not one on the laptop.

jgalt2128y ago

and get their ssh keys while you're at it.

acqq8y ago

The previous one in the audio(!) drivers was as bad as it could have been:

https://www.bleepingcomputer.com/news/security/keylogger-fou...

"writes all keystrokes to a local file at:

C:\users\public\MicTray.log"

Note: Public folder! All keystrokes. Discovered May 2017, preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected.

Edit, to the other commenters in other threads: please don't mix them, there are two "keyloggers." The one in the audio(!) driver was always on, recording by default to the publicly accessible file, as seen here.

The one in the new news is a code in the keyboard driver that can be turned on (and here it's important to know if the switch is publicly accessible) but isn't on by default. Depending on how that one is turned on and where the result is logged, it can be not worthy to worry too much. But these details also matter.

jchw8y ago

Unlike this one, it even looks like the audio driver exploit is on by default. Much stranger. Guess HP developers aren't very clean with their release process.

radarsat18y ago

Okay so reading the comments here makes me feel a bit more at ease, but honestly after reading the article I was literally like, "why the hell would the AUDIO driver need to monitor key strokes.." It really sounded like a deliberate installation of a hidden keylogger. I am glad to read that perhaps it is not, but damn sloppy.

astura8y ago

Listening for function key presses, I would imagine.

Every laptop I've ever had allowed volume control with function keys.

Disclaimer: it's been over a decade since I've done applications development and I've never done driver development.

1 more reply

Someone12348y ago

To test hotkeys during development.

k3a8y ago

We already lost control over HW and SW. There are often malicious functionalities in binary software and our 'hardware' can't be trusted either (Intel ME, AMD PSP, firmwares, bioses). Some time ago, firmware in a notebook used to install drivers into windows during boot without user knowing that. We are dependent on technology and we don't seem to care about security much, other than buying some magical binary blobs called Antivirus and Cleaners.

jhiska8y ago

One can also argue that the comments in response to the different phrasings of the same news de-escalated from "this is very serious" to your comment's "this is actually not news."

There are always contrarians, and in this case the comment-section contrarians ended up amusingly contradicting themselves.

seanwilson8y ago

"He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing.

According to HP, it was originally built into the Synaptics software to help debug errors."

How bad is this really then? If an attacker could enable it, they could install another key logger anyway if this feature didn't exist? Can HP enable it remotely (I'm guessing not)?

Someone12348y ago

Exactly. You need administrator to enable this, and you need administrator to install a different keylogger. So then the question becomes: Why use this? Well, an attacker wouldn't but the press doesn't know anything about tech' so, this fact escapes them. This is like science reporting all over again...

If you have HP's update agent installed, HP are able to install drivers, so all bets are off as far as what HP could do to your machine. They could enable this via the update agent, but even assuming worst motivations there are a tens of better commercial keyloggers HP would use before this.

This debug functionality likely shouldn't be shipping in retail versions of the driver (defence in depth, etc) and should be removed. But there's a ton of misinformation surrounding this bug which is frustrating, the actual security community are already bored of this one.

gruez8y ago

>you need administrator to install a different keylogger

nope. you need administrator if you want to install for all users, but there's nothing preventing a user from keylogging himself.

1 more reply

raisedbyninjas8y ago

HPSynapticsdriver.dll is probably on antivirus whitelists and signed with a reputable certificate whereas a random keylogger would not.

1 more reply

donatj8y ago

Less of a big deal than they’re trying to make it out to be, it’s disabled by default and a leftover debugging tool.

crankylinuxuser8y ago

Yeah, that's the problem with zombie code. You can have articles like this, especially when companies like Lenovo did spy on people with all sorts of bios->OS infecting spyware and MITM SSL tricks.

If it's a binary and potentially readable, they probably shouldn't include the code switch to enable it. Better it never be in there to begin with.

But yeah, if it's disabled by default and looks like a debugging tool, it probably is.

mtgx8y ago

Twice in the same year?

http://www.tomshardware.com/news/hp-keylogger-debugging-tool...

How many of these "debugging tools" has HP left enabled, I wonder?

moreless8y ago

It's not enabled. And someone with access to your computer can just install their own keylogger anyway, so why is this even a security threat?

1 more reply

13of408y ago

There are key loggers and Key Loggers. If you need admin rights to enable it and it saves the keystrokes locally, then you probably shouldn't care. Anyone with that level of access can install something worse.

_jal8y ago

The salient variable when it comes to key loggers is knowledge of its existence.

Klathmon8y ago

"keylogger" has become one of those loaded words for me that I basically ignore whenever I read.

You can make any piece of software that takes user input sound like a "keylogger" with the right wording, that the word has basically lost all meaning.

caio19828y ago

It still is a keylogger in a consumer product.

ballenf8y ago

So is Notepad.

3 more replies

djsumdog8y ago

At least with a PC, it's relatively easy to put in a fresh install, either Windows or some other operating system, which everyone in tech should do considering the recent HP/Lenovo issues (although I'm not sure if it would help I this situation if this particular exploit was in the official drivers).

It's considerably harder with phones, with all of them running non standard, non upstreamable kernels, and consumers not really having alternative OSes like we do with PCs.

tga8y ago

Most PCs come without Windows installation media and instead rely on a restore partition (keylogger included). If you try to install off random other media (e.g. MSDN), it will not recognize the OEM license that comes with the computer.

Because of this, there is no trivial way (edit: OK, without buying Windows again) to get a vanilla install including only the Microsoft keylogger, but not the HP one.

pnutjam8y ago

Not true, you can reinstall the same version and it will pick up the licensing from the BIOS. You can even extract the key from the BIOS to use on a VM (same hardware) if your running linux.

It's even very easy to get the install media direct from Windows, not like back in XP days.

https://www.microsoft.com/en-us/software-download/windows10I...

1 more reply

dragonwriter8y ago

There's a trivial way, it's just not zero added cost if your PC was bundled with Windows: buy a retail version of Windows.

Erlich_Bachman8y ago

If you really want to help this cause, you might wanna look at Librem 5 phone (https://puri.sm/shop/librem-5/). They are making an open hardware Phone with a fully open-source OS based on Linux (debian).

_0w8t8y ago

If the driver is not written by Microsoft, that new Windows installation will downloads it and quite likely it will be same HP driver with keylogger.

oeuviz8y ago

Just makes me support OSS drivers more. Imagine what damage could be done with hidden code in GPU drivers nowadays.

mtgx8y ago

1 more reply

muxator8y ago

To me, this is one more reason to never use the default install of an operating system.

In this specific case, if the debugging "leftovers" were part of the official drivers, then I would say there is a good indication towards preferring a free OS.

swarnie_8y ago

Is this old news? I remember an audio driver (maybe?) causing a similar issue 6-9 months ago.

I worked for a HP reseller at the time and could replication the issue on almost every model in our labs

loerres8y ago

Well, Synaptics Touchpad Drivers always sucked. "Windows Precision Touchpad" is pretty good but not quite on Apples level.

tonylemesmer8y ago

previous https://news.ycombinator.com/item?id=14314795

ryanlol8y ago

Why does obvious bullshit like this get so much visibility?

Why not "Windows found to have hidden keylogger", it also ships with functionality that allows you to capture keystrokes if you so insist?

j / k navigate · click thread line to collapse

57 comments

esnard8y ago

Previous discussion: https://news.ycombinator.com/item?id=15885206

jchw8y ago

So... This has ballooned from debug code with no evidence of ever being maliciously used to "loss of confidentiality" and now instead of being a keylogger it's a "hidden keylogger."

Dramatic tone change for no actual new news. Sure this is getting the person's blog attention, but now I'm certain I don't agree with the alarmist title of the original post.

kbutler8y ago

And the assertion that "an attacker with access to the computer could have enabled it to record what a user was typing" is somewhat silly.

If the attacker has access to the computer, why not install some other key logger that would send info to the attacker's site?

julianj8y ago

[1] https://diablohorn.com/2017/05/12/repurposing-the-hp-audio-k...

1 more reply

Someone12348y ago

Claiming that an attacker would use this is nonsensical.

You need write access HKLM in order to change the registry key, if you have write access to HKLM you can inject your own driver (inc. keylogger) into the OS.

3 more replies

icebraining8y ago

Or as Raymond Chen is fond of saying (citing from the Hitchhikers Guide), "It rather involved being on the other side of this airtight hatchway".

sandworm1018y ago

>> why not install some other key logger that would send info to the attacker's site?

Because one would assume that this software/driver has been signed and would not be recognized as evil by any protection system, at least not one on the laptop.

jgalt2128y ago

and get their ssh keys while you're at it.

acqq8y ago

The previous one in the audio(!) drivers was as bad as it could have been:

https://www.bleepingcomputer.com/news/security/keylogger-fou...

"writes all keystrokes to a local file at:

C:\users\public\MicTray.log"

Note: Public folder! All keystrokes. Discovered May 2017, preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected.

jchw8y ago

Unlike this one, it even looks like the audio driver exploit is on by default. Much stranger. Guess HP developers aren't very clean with their release process.

radarsat18y ago

astura8y ago

Listening for function key presses, I would imagine.

Every laptop I've ever had allowed volume control with function keys.

Disclaimer: it's been over a decade since I've done applications development and I've never done driver development.

1 more reply

Someone12348y ago

To test hotkeys during development.

k3a8y ago

jhiska8y ago

One can also argue that the comments in response to the different phrasings of the same news de-escalated from "this is very serious" to your comment's "this is actually not news."

There are always contrarians, and in this case the comment-section contrarians ended up amusingly contradicting themselves.

seanwilson8y ago

"He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing.

According to HP, it was originally built into the Synaptics software to help debug errors."

How bad is this really then? If an attacker could enable it, they could install another key logger anyway if this feature didn't exist? Can HP enable it remotely (I'm guessing not)?

Someone12348y ago

gruez8y ago

>you need administrator to install a different keylogger

nope. you need administrator if you want to install for all users, but there's nothing preventing a user from keylogging himself.

1 more reply

raisedbyninjas8y ago

HPSynapticsdriver.dll is probably on antivirus whitelists and signed with a reputable certificate whereas a random keylogger would not.

1 more reply

donatj8y ago

Less of a big deal than they’re trying to make it out to be, it’s disabled by default and a leftover debugging tool.

crankylinuxuser8y ago

Yeah, that's the problem with zombie code. You can have articles like this, especially when companies like Lenovo did spy on people with all sorts of bios->OS infecting spyware and MITM SSL tricks.

If it's a binary and potentially readable, they probably shouldn't include the code switch to enable it. Better it never be in there to begin with.

But yeah, if it's disabled by default and looks like a debugging tool, it probably is.

mtgx8y ago

Twice in the same year?

http://www.tomshardware.com/news/hp-keylogger-debugging-tool...

How many of these "debugging tools" has HP left enabled, I wonder?

moreless8y ago

It's not enabled. And someone with access to your computer can just install their own keylogger anyway, so why is this even a security threat?

1 more reply

13of408y ago

_jal8y ago

The salient variable when it comes to key loggers is knowledge of its existence.

Klathmon8y ago

"keylogger" has become one of those loaded words for me that I basically ignore whenever I read.

You can make any piece of software that takes user input sound like a "keylogger" with the right wording, that the word has basically lost all meaning.

caio19828y ago

It still is a keylogger in a consumer product.

ballenf8y ago

So is Notepad.

3 more replies

djsumdog8y ago

It's considerably harder with phones, with all of them running non standard, non upstreamable kernels, and consumers not really having alternative OSes like we do with PCs.

tga8y ago

Because of this, there is no trivial way (edit: OK, without buying Windows again) to get a vanilla install including only the Microsoft keylogger, but not the HP one.

pnutjam8y ago

Not true, you can reinstall the same version and it will pick up the licensing from the BIOS. You can even extract the key from the BIOS to use on a VM (same hardware) if your running linux.

It's even very easy to get the install media direct from Windows, not like back in XP days.

https://www.microsoft.com/en-us/software-download/windows10I...

1 more reply

dragonwriter8y ago

There's a trivial way, it's just not zero added cost if your PC was bundled with Windows: buy a retail version of Windows.

Erlich_Bachman8y ago

_0w8t8y ago

If the driver is not written by Microsoft, that new Windows installation will downloads it and quite likely it will be same HP driver with keylogger.

oeuviz8y ago

Just makes me support OSS drivers more. Imagine what damage could be done with hidden code in GPU drivers nowadays.

mtgx8y ago

1 more reply

muxator8y ago

To me, this is one more reason to never use the default install of an operating system.

In this specific case, if the debugging "leftovers" were part of the official drivers, then I would say there is a good indication towards preferring a free OS.

swarnie_8y ago

Is this old news? I remember an audio driver (maybe?) causing a similar issue 6-9 months ago.

I worked for a HP reseller at the time and could replication the issue on almost every model in our labs

loerres8y ago

Well, Synaptics Touchpad Drivers always sucked. "Windows Precision Touchpad" is pretty good but not quite on Apples level.

tonylemesmer8y ago

previous https://news.ycombinator.com/item?id=14314795

ryanlol8y ago

Why does obvious bullshit like this get so much visibility?

Why not "Windows found to have hidden keylogger", it also ships with functionality that allows you to capture keystrokes if you so insist?

j / k navigate · click thread line to collapse