Researchers from the Swiss security company modzero have discovered a keylogger in a Hewlett-Packard audio driver that stores every keystroke in a log file. It is a Conexant driver developed for audio cards with a Conexant chip.
HP computers use Conexant chips, and HP offers the Conexant drivers through its own website. The drivers let the software communicate with the hardware. On certain computer models this is extended so that the audio hardware can be controlled with certain keys. For example, the user can turn the microphone on or off via special keys on the keyboard. This part of the driver code appears to be designed specifically for HP computers and ensures that all keyboard shortcuts are captured and processed.
Thus, the software can detect whether a special key is pressed to control the hardware. According to the modzero researchers, the driver developers added various diagnostic and debugging features that cause all keystrokes to be either sent through a debugging interface or stored in a log file in a folder on the hard drive.
“This kind of debugging changes the audio driver into a keylogger,” said researcher Thorsten Schroeder. The keylogger has been in the audio driver since the end of 2015. A later version of the driver made the problem worse, because all keystrokes are stored in a public log file. Although the file is overwritten at each user login, its content could simply be monitored by forensic tools.
“If you regularly make an incremental backup of your hard drive, either in the cloud or on an external hard disk, it’s likely that a history of all keystrokes in recent years can be retrieved from your backups,” says Schroeder. He notes that there are no indications that the keylogger was intentionally added to the driver. “It’s negligence of developers, but that does not make the software any harm,” the researcher continues. Modzero warned both Conexant and HP about the keylogger, but they did not respond to the report. The findings were made public.
Owners of an HP computer are advised to check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed on their computer. If so, it must be deleted or renamed so that the keystrokes are no longer saved. However, this may cause the special keys on the keyboard to stop working. Additionally, the file C:\Users\Public\MicTray.log must be deleted, as it may contain sensitive information such as logins and passwords.
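The check and cleanup described above can be scripted. The following PowerShell function is an added example, not code from modzero, HP or Conexant; the function name and the ".disabled" suffix are hypothetical, and it assumes the running process carries the same base name as the executable.

```powershell
# Added example. Run from an elevated 64-bit PowerShell prompt: a 32-bit
# host is silently redirected from System32 to SysWOW64 and would miss the files.
function Remove-MicTrayKeylogger {              # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Paths exactly as given in the article
        [string[]]$Binaries = @('C:\Windows\System32\MicTray64.exe',
                                'C:\Windows\System32\MicTray.exe'),
        [string]$LogFile = 'C:\Users\Public\MicTray.log'
    )

    foreach ($exe in $Binaries) {
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Output "Not present: $exe"
            continue
        }
        if ($PSCmdlet.ShouldProcess($exe, 'Stop process and rename')) {
            # Assumption: process name equals the executable's base name.
            $name = [IO.Path]::GetFileNameWithoutExtension($exe)
            Get-Process -Name $name -ErrorAction SilentlyContinue |
                Stop-Process -Force
            # Rename instead of delete so the special keys can be restored later.
            $newName = (Split-Path -Path $exe -Leaf) + '.disabled'
            Rename-Item -LiteralPath $exe -NewName $newName
            Write-Output "Renamed: $exe -> $newName"
        }
    }

    if (Test-Path -LiteralPath $LogFile) {
        $info = Get-Item -LiteralPath $LogFile
        Write-Output ("Log found: {0} ({1} bytes, last written {2})" -f
                      $LogFile, $info.Length, $info.LastWriteTime)
        if ($PSCmdlet.ShouldProcess($LogFile, 'Delete keystroke log')) {
            Remove-Item -LiteralPath $LogFile -Force
        }
    } else {
        Write-Output "No log file at $LogFile"
    }
}

# Preview what would change; drop -WhatIf to apply.
Remove-MicTrayKeylogger -WhatIf
```

Deleting the log on disk does not touch copies already captured in backups, which have to be reviewed separately.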