Debugging code left behind in software is often a security problem waiting to happen. This is because debugging code is usually added when you need an “insider view” of what is happening.
Debugging functions often open deliberate security holes, which is normal in your own test environment but not acceptable in the official release of a product. Thus, you must not only delete debugging code when it is no longer needed (code that is not there cannot be included by mistake!), but also organize your production builds in such a way that any debugging code left in by mistake is dropped or automatically disabled when the software is compiled.
Vulnerabilities
The infamous Internet worm of 1988 had three tricks for copying itself; the simplest and most effective of them was connecting to your mail server in the hope that your system administrator had left debugging enabled in the Sendmail product.
If Sendmail debugging was enabled, the server would accept incoming e-mail messages and run them directly as a series of system commands, a kind of debugging tool that makes no sense outside a controlled lab environment.
D-Link did something equally dangerous on some of its latest routers: if you declared your browser under the strange name xmlset_roodkcableoj28840ybtide, instead of, say, Firefox or Safari, then you could run any sysadmin command on the router without knowing the password.
Reading this particular “roodkcableoj” spell backwards makes the mistake obvious: in reverse order, the text string reads “Edit by 04882 Joel: Backdoor”.
A few years ago, HP's LaserJet printers were caught out because a telnet shell, which had been opened for debugging, was left in the production code on shipping printers.
The open telnet shell meant that any user could simply connect to the device and get a command line to use the printer for their own purposes, without requiring special software or a password.
According to security researcher Michael Ming, HP left more debugging code in a release version, with the result that an intentionally created keylogger was built into the keyboard driver on a number of HP laptop models. Ming said that he began to study the driver to help a friend who wanted to figure out how to control the keyboard backlight. He noticed a number of text strings, including intriguing messages like this:
ulScanCode=0x%02X, kKeyFlags=%X CPalmDetect::KeyboardHookCallback
Do not worry if you are not a C programmer: all you need to know is that these messages indicate that there is some kind of keyboard hook in the code and that the program can record scancodes (the identification numbers of individual keys, based on their position on the keyboard) as you type.
It did not help. Ming had to dig a lot more to realize that by setting a special registry entry called Mask, he could get the driver to record every keystroke through the official Windows logging system called WPP. WPP is short for Windows software trace preprocessor, and Microsoft officially states that:
WPP software tracing is primarily intended for debugging code during development.
In other words, the CPalmDetect::KeyboardHookCallback trace that we saw above should not work. Fortunately, Ming reports that:
I sent a message about the discovery to the company itself. They responded very quickly, confirmed the presence of the keylogger (which was actually a debug trace), and released an update that removes the trace.
Please note that you would need administrator privileges to make the registry settings necessary to run this “keylogger”, so the risk can be considered low.
However, for a hacker who already has a foothold within your network, setting a registry entry to capture keystrokes using the official, digitally signed keyboard driver is much easier than tampering with the driver software itself or trying to install a new driver to do the job.
What to do?
- If you have a vulnerable HP computer, install the update now. (Note: There are more than 450 different models on HP's official list, from the HP 240 G2 to the Star Wars Special Edition 15-an000 laptop.)
- If you are a programmer, do not leave debugging code in.
- If you are a quality tester, don’t trust programmers when they assure you that this debugging code is harmless and can remain.
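A release check that a tester can run on the built binary instead of taking anyone's word for it, as an added example that is not part of the original article: it extracts printable ASCII and UTF-16LE strings from a build artifact and flags the ones that look like debug trace output, the same kind of text strings that gave away the keyboard driver above. The marker patterns, function names and sample bytes are assumptions constructed for illustration.

```python
import re
from typing import List

# Assumed heuristics for leftover debug tracing; tune them for your own code base.
DEBUG_PATTERNS = [
    re.compile(r"\w+=(0x)?%[-0-9.]*[lh]*[dxXusp]"),         # labelled printf field: name=0x%02X
    re.compile(r"\w+::\w*(Hook|Callback|Trace|Debug)\w*"),  # function names kept for trace output
    re.compile(r"\b(DEBUG|TRACE)\b"),                       # explicit debug/trace tags
]


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([run.decode("ascii") for run in ascii_runs]
            + [run.decode("utf-16-le") for run in wide_runs])


def find_debug_markers(blob: bytes) -> List[str]:
    """Return every extracted string that matches a debug-trace pattern."""
    return [s for s in extract_strings(blob)
            if any(p.search(s) for p in DEBUG_PATTERNS)]


def release_gate(blob: bytes) -> bool:
    """True when the artifact is clean, False when debug markers remain."""
    return not find_debug_markers(blob)


# Constructed sample bytes standing in for built driver images (not real binaries).
# The two trace strings are the ones quoted in the article; one is stored as UTF-16LE
# to show why a plain ASCII-only search would miss part of the evidence.
SAMPLE_DEBUG_BUILD = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"ulScanCode=0x%02X, kKeyFlags=%X\x00\x00"
    + "CPalmDetect::KeyboardHookCallback".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02Keyboard backlight level\x00"
)
SAMPLE_CLEAN_BUILD = b"MZ\x90\x00" + b"Keyboard backlight level\x00" + b"\x01\x02\x03"

if __name__ == "__main__":
    for name, image in (("debug", SAMPLE_DEBUG_BUILD), ("clean", SAMPLE_CLEAN_BUILD)):
        verdict = "PASS" if release_gate(image) else "FAIL"
        print(name, verdict, find_debug_markers(image))
```

In a build pipeline the same functions would be fed the bytes of each shipped file, and a failing gate would block the release until the flagged strings are explained or removed.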