For two years, drivers for sound cards in HP laptops have come with a built-in keylogger

HP sells a wide variety of hardware, including several dozen models of laptops and tablets. As it turned out, the drivers that are supplied by the company for their devices contain an integrated keylogger. We are talking about drivers for the sound card. The keylogger captures all keystrokes of the user and stores the data in an encrypted file on the hard disk of the computer.

This is not the development of cybercriminals, but quite official software. The manufacturer of the driver in question is not HP itself, but its partner, the Conexant audio chip supplier. One of the driver components, the MicTray64.exe item, performs tracking and recording of the keystrokes of a computer user or laptop with a driver installed.

Actually, the component in question monitors user keystrokes in order to catch a special combination of buttons. We are talking about the so-called "hot keys", which are used to control the driver and sound parameters. But the fact that the component does nothing badly does not negate the fact that it is a pure keylogger. “This way of working turns the sound driver into an effective keylogger,” said a representative of the Swiss company Modzero. Moreover, the component in question has become part of the sound driver since the end of 2015. It turns out that for about two years, sound drivers for HP laptops have come with an integrated official keylogger.
')
The file where the keyboard button presses are written is located at C: \ Users \ Public \ MicTray.log (you can check for the presence of this file if you have an HP laptop). Its contents are overwritten every time you restart the PC. But there are many options when the system does not reset the file. In addition, if archiving is configured on Windows, MicTray.log with all the data is saved in the archive. If desired, you can easily find and view the contents.


“Conexant's MicTray64.exe is installed with the Conexant audio sound driver, and the Windows scheduler starts it when the system boots and then logs in to the user. The program logs all keystrokes that the user performs and responds when registering a certain combination ... If the MicTray.log file is not in the system, all keystrokes are transferred to the OutputDebugString API, which allows you to receive this information to any process, and for antivirus software all this is not suspicious actions. In the version of the keystroke registration file 10.0.0.31 and the data transfer, it was used only with the OutputDebugString function without writing to the file, ”says the published analysis of the HP audio driver from Modzero.

According to cybersecurity experts, this component of the audio driver easily allows an attacker to obtain user data. Yes, the contents of the file are encrypted, but recovering data from a file is a snap. HP notebook users are generally not aware of the fact that their data is written to the file in such a simple way. And for the keylogger, there is no difference in what kind of data this is - coursework or access to an account in a bank.

There are tremendous opportunities for intruders. You can somehow steal a file with saved clicks. And you can create software that will connect to the driver API for saving and subsequent transfer of information, which was discussed above.

The HP notebook lineup includes the HP EliteBooks, HP ProBooks, HP ZBooks, and HP Elites series. It may well be that the problem is relevant not only for HP laptops, but in general for all devices with Conexant chips. You can check your system by viewing the files in the following locations: C: \ Windows \ System32 \ MicTray.exe or C: \ Windows \ System32 \ MicTray64.exe. While it is precisely known that the problem persists for a number of models:


As for HP, its representatives have already familiarized themselves with the problem and said that employees will eliminate the problem soon. "We found a solution and make it available to our users," the company said.

HP is not the only manufacturer and supplier of laptops whose software contains problem items. In 2015, the problem of laptop software from Lenovo became known . Keyloggers were not there, but almost all the machines installed the Superfish program, which analyzed user traffic, studied pictures of goods and inserted advertisements of these goods from third-party stores into the browser. Moreover, such advertising was inserted even in Google search results.



In the same 2015, it was discovered that the security certificate pre-installed on the operating system of the Dell XPS 15 laptops is unreliable. The fact is that the key and password of this certificate is the same for all notebooks of this model.

It can be assumed that in reality there are a lot of problems with the software vulnerability of the electronic devices delivered to the market, and the information security specialists find only a small number of problem areas. As a result, vulnerabilities can remain open for years, and cybercriminals are already taking advantage of this.