HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive.
The keylogger is included in a device driver developed by Conexant, a manufacturer of audio chips that are included in the vulnerable HP devices. That’s according to an advisory published by modzero, a Switzerland-based security consulting firm. One of the device driver components is MicTray64.exe, an executable file that allows the driver to respond when a user presses special keys. It turns out that the file sends all keystrokes to a Windows debugging interface or writes them to a log file in a world-readable folder on the computer’s C drive.
“This type of debugging turns the audio driver effectively into keylogging spyware,” modzero researchers wrote. “On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”
The log file—located at C:\Users\Public\MicTray.log—is overwritten after each computer reboot, but there are several ways that the contents could survive for weeks, or even indefinitely. Forensic tools routinely recover deleted files, and earlier copies of an overwritten log can survive in unallocated disk space. And in the event the computer is backed up regularly, the backups would contain a comprehensive history of everything that was typed on the keyboard—including passwords, e-mails, and contacts. Modzero researchers said they issued the public advisory after both HP and Conexant failed to respond to messages privately reporting the findings.
In technical details that accompanied Thursday’s advisory, the modzero researchers added:
Conexant’s MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user’s keystrokes. In version 10.0.0.31, only OutputDebugString was used to forward key scancodes and nothing was written to files.
This issue leads to a high risk of leaking sensitive user input to any person or process that is able to read files in C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators with access to the unencrypted file-system might be able to recover sensitive data of historic key-logs as well. Users are not aware that every keystroke made while entering sensitive information—such as passphrases, passwords on local or remote systems—is captured by Conexant and exposed to any process and framework with access to the file-system or MapViewOfFile API. Additionally, this information-leak via Covert Storage Channel enables malware authors to capture keystrokes without taking the risk of being classified as malicious task by AV heuristics.
It is not recommended to provide information on keystrokes to arbitrary processes by writing keystrokes to disk or by using OutputDebugStringW() for debugging purposes.
Any process that is running in the current user-session and therefore able to monitor debug messages can capture keystrokes made by the user. Processes are thus able to record sensitive data, such as passwords, without performing suspicious activities that may trigger AV vendor heuristics. Furthermore, any process running on the system by any user is able to access all keystrokes made by the user via file-system access. It is not known if log-data is submitted to Conexant at any time or why all key presses are logged anyway.
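The advisory’s claim that any process in the user’s session can read OutputDebugString traffic rests on how that API is implemented: when no debugger is attached, the text is copied into a named shared section (DBWIN_BUFFER) and handed off through two named events, all in the caller’s session. The script below is an added example, not modzero’s or Conexant’s code: a minimal DebugView-style receiver for that channel, written for Windows PowerShell 5.1 on .NET Framework. It captures whatever any process in the session sends to OutputDebugString; it does not know anything about MicTray’s message format, which the advisory does not publish, and on a system where MicTray is currently writing to the log file rather than the debug channel the receiver will simply see nothing from it.

```powershell
# Added example (not from the advisory): receive OutputDebugString traffic from
# every process in the current session, the way DebugView does.
$source = @'
using System;
using System.Collections.Generic;
using System.IO.MemoryMappedFiles;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

public static class DbgWinListener
{
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
    static extern void OutputDebugStringA(string message);

    // Writer side, used only to verify the receiver from a second PowerShell window.
    public static void Send(string message) { OutputDebugStringA(message); }

    // One DBWIN_BUFFER frame is 4096 bytes: a 4-byte little-endian sender PID,
    // followed by the message as a NUL-terminated ANSI string.
    public static string ParseFrame(byte[] frame, out int pid)
    {
        pid = BitConverter.ToInt32(frame, 0);
        int end = Array.IndexOf(frame, (byte)0, 4);
        if (end < 0) end = frame.Length;
        return Encoding.Default.GetString(frame, 4, end - 4).TrimEnd('\r', '\n');
    }

    // Collect up to maxMessages debug strings, giving up after timeoutMs of silence.
    public static List<string> Listen(int maxMessages, int timeoutMs)
    {
        var seen = new List<string>();
        bool createdNew;
        // These names are the conventional rendezvous points that debug viewers use.
        // Only one receiver per session gets the data: if createdNew is false, another
        // viewer already owns the channel and this instance will starve.
        using (var bufferReady = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_BUFFER_READY", out createdNew))
        using (var dataReady   = new EventWaitHandle(false, EventResetMode.AutoReset, "DBWIN_DATA_READY"))
        using (var section     = MemoryMappedFile.CreateOrOpen("DBWIN_BUFFER", 4096))
        using (var view        = section.CreateViewAccessor(0, 4096))
        {
            if (!createdNew)
                Console.Error.WriteLine("warning: another debug-output receiver is already attached");
            var frame = new byte[4096];
            while (seen.Count < maxMessages)
            {
                bufferReady.Set();                        // writers block on this before copying in
                if (!dataReady.WaitOne(timeoutMs)) break; // a writer signals this after copying
                view.ReadArray(0, frame, 0, frame.Length);
                int pid;
                string text = ParseFrame(frame, out pid);
                seen.Add(string.Format("[pid {0}] {1}", pid, text));
            }
        }
        return seen;
    }
}
'@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Core

# Receive up to 20 strings, stopping after 30 seconds without traffic, and print them.
[DbgWinListener]::Listen(20, 30000) | ForEach-Object { $_ }
```

To check the receiver without MicTray, leave it running in one window and, in a second PowerShell window where the same Add-Type has been run, call `[DbgWinListener]::Send('probe')`; the first window prints the sender’s PID and the text. Nothing here needs administrative rights, which is the advisory’s point: a process no more privileged than the user’s own shell reads the channel.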
Affected HP models included HP EliteBooks, HP ProBooks, HP ZBooks, and HP Elites. People can check to see if their HP computer is at risk by searching for the files C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe. Modzero said PCs sold by other manufacturers that contain Conexant drivers may be similarly at risk. Neither HP nor Conexant responded to requests to comment for this post.
As described by modzero, the keylogging functions represent the biggest threat to people using computers that are shared with non-trusted users or computers that later come under the physical or remote control of an untrusted person. There’s no indication the driver package uploads or otherwise distributes any of the logged information. That means the information stored in the log is likely to remain private as long as affected computers and any backups they use remain properly secured. Given this mitigation, comparisons to Superfish, the HTTPS-crippling app Lenovo pre-installed on computers several years ago, are overblown.
Still, it’s extremely bad form for apps and drivers to log such sensitive information, particularly with no warning or compelling reason. Modzero said that people who own an affected computer can delete or rename the C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe files, although that move may cause special function keys for audio to stop working. There is no indication that either HP or Conexant has released an update. This post will be updated if either company responds later.
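The check and the mitigation above, as one added script (not HP’s or modzero’s tooling). It looks for the two executables, the logon task the advisory says launches them, any running instance, and the log file, and lists which principals other than administrators can read the log; with -Remediate it applies the only mitigation the advisory offers, renaming the executables. The task name is not given by the advisory, so the script matches scheduled tasks on the executable they run, which is an assumption about how the package registers itself.

```powershell
#Requires -Version 5.1
<#
  Added example, not HP's or modzero's tooling. Audits a Windows host for the
  Conexant MicTray components named in the advisory and shows who can read the
  keystroke log. The audit runs as a normal user; -Remediate needs an elevated shell.
#>
[CmdletBinding()]
param([switch]$Remediate)

$exes = @('C:\Windows\System32\MicTray.exe', 'C:\Windows\System32\MicTray64.exe')
$log  = 'C:\Users\Public\MicTray.log'

Write-Output "== MicTray executables =="
$present = @()
foreach ($exe in $exes) {
    if (Test-Path -LiteralPath $exe) {
        $present += $exe
        $v = (Get-Item -LiteralPath $exe).VersionInfo
        Write-Output ("FOUND   {0}  version={1}  company={2}" -f $exe, $v.FileVersion, $v.CompanyName)
    } else {
        Write-Output "absent  $exe"
    }
}

Write-Output "`n== Logon task that launches it =="
# The advisory says the package registers MicTray as a scheduled task run at each
# logon but does not give the task name (assumption: match on the action instead).
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { @($_.Actions | Where-Object { $_.Execute -match 'MicTray' }).Count -gt 0 } |
    ForEach-Object { "task '{0}{1}'  state={2}  exec={3}" -f $_.TaskPath, $_.TaskName, $_.State, ($_.Actions.Execute -join ', ') }

Write-Output "`n== Running instance =="
Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue |
    ForEach-Object { "pid {0}  {1}" -f $_.Id, $_.Path }

Write-Output "`n== Keystroke log =="
if (Test-Path -LiteralPath $log) {
    $f = Get-Item -LiteralPath $log
    "{0}: {1} bytes, last written {2}" -f $log, $f.Length, $f.LastWriteTime
    # List every principal other than SYSTEM/Administrators granted read access:
    # the advisory's point is that this file is readable by everyone on the machine.
    (Get-Acl -LiteralPath $log).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Read|FullControl' -and
                       $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
        ForEach-Object { "  readable by {0}  ({1})" -f $_.IdentityReference, $_.FileSystemRights }
} else {
    "$log not present. Per the advisory, keystrokes then go to OutputDebugString instead of disk."
}

if ($Remediate -and $present.Count -gt 0) {
    Write-Output "`n== Remediation =="
    # The mitigation the advisory gives: rename (or delete) the executables, accepting
    # that the audio hotkeys may stop working. The file is in use while MicTray runs,
    # so stop it first. System32 binaries are owned by TrustedInstaller, so even an
    # elevated shell may need `takeown /f <file>` before Rename-Item succeeds.
    Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($exe in $present) {
        Rename-Item -LiteralPath $exe -NewName ((Split-Path -Leaf $exe) + '.disabled')
        "renamed $exe -> $exe.disabled"
    }
}
```

Renaming removes the binary the logon task points at, so the task fails silently at the next logon; it does not remove the existing log or any copies of it in backups, which is the exposure the article describes and has to be handled separately.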