HP laptops found to have hidden keylogger
bbc.co.uk
Previous discussion: https://news.ycombinator.com/item?id=15885206
So... This has ballooned from debug code with no evidence of ever being maliciously used to "loss of confidentiality" and now instead of being a keylogger it's a "hidden keylogger."
Dramatic tone change for no actual new news. Sure this is getting the person's blog attention, but now I'm certain I don't agree with the alarmist title of the original post.
And the assertion that "an attacker with access to the computer could have enabled it to record what a user was typing" is somewhat silly.
If the attacker has access to the computer, why not install some other key logger that would send info to the attacker's site?
I agree that someone having access to run arbitrary code on a machine is a much bigger deal. In this case, the difference between this debugging feature and an installed keylogger is the use of trusted software to perform the keylogging. When the mictray issue came out earlier this year, I ran across a blog post you may find interesting [1]. To summarize, the author repurposed the HP executable to log keys to a remote server using webdav.
[1] https://diablohorn.com/2017/05/12/repurposing-the-hp-audio-k...
Thanks, Julian - that was interesting. The redirecting of the keylog to a webdav destination lets the key logging happen to a remote server, without installing any untrusted software, and with no user UI-level exposure.
Claiming that an attacker would use this is nonsensical.
You need write access to HKLM in order to change the registry key, if you have write access to HKLM you can inject your own driver (inc. keylogger) into the OS.
Plus the keypresses are context-less (i.e. you don't know what application, or window the keypress was sent to). A continuous stream of keypresses with no context is darn near useless, it doesn't even contain timestamps!
Any number of off-the-shelf keyloggers would do a far better job, all of which can be auto-loaded if you have HKLM write access. They'll even tell you the exact web page a keypress was sent to and manage the job of sending that information to you...
Those off the shelf keyloggers would be detected by security software, however, whereas something signed by the vendor is going to be whitelisted. I still wouldn’t say this is a huge sign of malice but it’s definitely open for creative misuse.
www.facebook.com<return> stephan<tab>123abc
doesn't seem useless to me.
A person that knows that you can use tab to jump between form fields probably uses a password manager anyway.
You only need a powered user to modify HKLM. It's a group between users and administrators, not often used or known.
Or as Raymond Chen is fond of saying (citing from the Hitchhiker's Guide), "It rather involved being on the other side of this airtight hatchway".
>> why not install some other key logger that would send info to the attacker's site?
Because one would assume that this software/driver has been signed and would not be recognized as evil by any protection system, at least not one on the laptop.
and get their ssh keys while you're at it.
The previous one in the audio(!) drivers was as bad as it could have been:
https://www.bleepingcomputer.com/news/security/keylogger-fou...
"writes all keystrokes to a local file at:
C:\users\public\MicTray.log"
Note: Public folder! All keystrokes. Discovered May 2017, preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected.
Edit, to the other commenters in other threads: please don't mix them, there are two "keyloggers." The one in the audio(!) driver was always on, recording by default to the publicly accessible file, as seen here.
The one in the new news is code in the keyboard driver that can be turned on (and here it's important to know if the switch is publicly accessible) but isn't on by default. Depending on how that one is turned on and where the result is logged, it may not be worth worrying about too much. But these details also matter.
Unlike this one, it even looks like the audio driver exploit is on by default. Much stranger. Guess HP developers aren't very clean with their release process.
Okay so reading the comments here makes me feel a bit more at ease, but honestly after reading the article I was literally like, "why the hell would the AUDIO driver need to monitor key strokes.." It really sounded like a deliberate installation of a hidden keylogger. I am glad to read that perhaps it is not, but damn sloppy.
Listening for function key presses, I would imagine.
Every laptop I've ever had allowed volume control with function keys.
Disclaimer: it's been over a decade since I've done applications development and I've never done driver development.
Ah yeah that makes sense... sort of. I would have expected specific volume commands to come through from another layer, not for the audio driver itself to be directly listening to the keyboard. But I guess that's why it's just debugging code.
To test hotkeys during development.
We already lost control over HW and SW. There are often malicious functionalities in binary software and our 'hardware' can't be trusted either (Intel ME, AMD PSP, firmwares, BIOSes). Some time ago, firmware in a notebook used to install drivers into Windows during boot without the user knowing that. We are dependent on technology and we don't seem to care about security much, other than buying some magical binary blobs called Antivirus and Cleaners.
One can also argue that the comments in response to the different phrasings of the same news de-escalated from "this is very serious" to your comment's "this is actually not news."
There are always contrarians, and in this case the comment-section contrarians ended up amusingly contradicting themselves.
"He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing.
According to HP, it was originally built into the Synaptics software to help debug errors."
How bad is this really then? If an attacker could enable it, they could install another key logger anyway if this feature didn't exist? Can HP enable it remotely (I'm guessing not)?
Exactly. You need administrator to enable this, and you need administrator to install a different keylogger. So then the question becomes: Why use this? Well, an attacker wouldn't, but the press doesn't know anything about tech, so this fact escapes them. This is like science reporting all over again...
If you have HP's update agent installed, HP are able to install drivers, so all bets are off as far as what HP could do to your machine. They could enable this via the update agent, but even assuming worst motivations there are tens of better commercial keyloggers HP would use before this.
This debug functionality likely shouldn't be shipping in retail versions of the driver (defence in depth, etc) and should be removed. But there's a ton of misinformation surrounding this bug which is frustrating, the actual security community are already bored of this one.
>you need administrator to install a different keylogger
nope. you need administrator if you want to install for all users, but there's nothing preventing a user from keylogging himself.
You need write access to:
HKLM\Software\Synaptics\%ProductName%\Default
Which requires administrator or equivalent, so that is preventing a user from even keylogging themselves.
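Who can actually write to that key on a given machine can be checked from its ACL. The following PowerShell is an added example, not code from the thread or from HP or Synaptics; the function name and the list of expected SIDs are assumptions, and only the key path pattern comes from the comment above.

```powershell
# Added example: list principals outside the expected administrative set that
# can write to the Synaptics driver configuration keys named in the thread.
function Get-SynapticsKeyWriter {
    param([string]$Root = 'HKLM:\Software\Synaptics')

    # Assumption: only these well-known SIDs are expected to hold write access.
    $expected = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-3-0',        # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # SetValue | CreateSubKey | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

    if (-not (Test-Path -Path $Root)) { return }

    # %ProductName% differs per install, so walk every product subkey.
    foreach ($product in Get-ChildItem -Path $Root) {
        $key = Join-Path -Path $product.PSPath -ChildPath 'Default'
        if (-not (Test-Path -Path $key)) { continue }

        $acl = Get-Acl -Path $key
        $sidType = [System.Security.Principal.SecurityIdentifier]
        # Include explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            $canWrite = ([int]$rule.RegistryRights -band $writeMask) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and $sid -notin $expected) {
                [pscustomobject]@{
                    Key    = $product.PSChildName + '\Default'
                    Sid    = $sid
                    Rights = $rule.RegistryRights
                }
            }
        }
    }
}

Get-SynapticsKeyWriter | Format-Table -AutoSize
```

No output means only the listed principals hold write access to the keys that were found.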
i meant you can install any other keylogger without admin.
HPSynapticsdriver.dll is probably on antivirus whitelists and signed with a reputable certificate whereas a random keylogger would not.
it's trivial to bypass antivirus by obfuscating the executable with a commercially available packer/obfuscator. not to mention that if you have administrator access (needed to enable the keylogger), you could also disable/uninstall the antivirus, or load a driver (whose access can't be restricted by the antivirus).
Less of a big deal than they’re trying to make it out to be, it’s disabled by default and a leftover debugging tool.
Yeah, that's the problem with zombie code. You can have articles like this, especially when companies like Lenovo did spy on people with all sorts of bios->OS infecting spyware and MITM SSL tricks.
If it's a binary and potentially readable, they probably shouldn't include the code switch to enable it. Better it never be in there to begin with.
But yeah, if it's disabled by default and looks like a debugging tool, it probably is.
Twice in the same year?
http://www.tomshardware.com/news/hp-keylogger-debugging-tool...
How many of these "debugging tools" has HP left enabled, I wonder?
It's not enabled. And someone with access to your computer can just install their own keylogger anyway, so why is this even a security threat?
Well we didn't know it was there at all not long ago. How sure can we be now that there is no hidden remote way to turn it on?
That's not a valid form of reasoning. Just because we didn't know about something before isn't an excuse to make random assumptions.
There are key loggers and Key Loggers. If you need admin rights to enable it and it saves the keystrokes locally, then you probably shouldn't care. Anyone with that level of access can install something worse.
The salient variable when it comes to key loggers is knowledge of its existence.
"keylogger" has become one of those loaded words for me that I basically ignore whenever I read.
You can make any piece of software that takes user input sound like a "keylogger" with the right wording, that the word has basically lost all meaning.
It still is a keylogger in a consumer product.
So is Notepad.
Notepad runs in userland under the supervision of the kernel. This is a driver and could be running in kernel mode. It could make a big difference.
Even if it's not malicious, I still think it is a rather serious professional mistake to ship a driver containing potentially dangerous deadcode.
There's plenty of "rather serious professional mistakes" in whatever operating system you happen to run in the first place - it's very rare that something that doesn't affect security in any meaningful way gets the attention this has.
The last time I checked, whatever you type in the browser does not end up in a text file or Notepad. This does show the quality of thinking about security. Oh, we can enable it when we want to check things out, rather than finding a way to add and remove this after informing the user.
Notepad doesn't fit the definition of a keylogger.
This does.
At least with a PC, it's relatively easy to put in a fresh install, either Windows or some other operating system, which everyone in tech should do considering the recent HP/Lenovo issues (although I'm not sure if it would help in this situation if this particular exploit was in the official drivers).
It's considerably harder with phones, with all of them running non standard, non upstreamable kernels, and consumers not really having alternative OSes like we do with PCs.
Most PCs come without Windows installation media and instead rely on a restore partition (keylogger included). If you try to install off random other media (e.g. MSDN), it will not recognize the OEM license that comes with the computer.
Because of this, there is no trivial way (edit: OK, without buying Windows again) to get a vanilla install including only the Microsoft keylogger, but not the HP one.
Not true, you can reinstall the same version and it will pick up the licensing from the BIOS. You can even extract the key from the BIOS to use on a VM (same hardware) if you're running Linux.
It's even very easy to get the install media direct from Windows, not like back in XP days.
https://www.microsoft.com/en-us/software-download/windows10I...
Thanks, this used to be an issue at least Windows 8. I'm happily surprised if it's now as easy as downloading the ISO from Microsoft and reinstalling it on an OEM machine.
There's a trivial way, it's just not zero added cost if your PC was bundled with Windows: buy a retail version of Windows.
If you really want to help this cause, you might wanna look at Librem 5 phone (https://puri.sm/shop/librem-5/). They are making an open hardware phone with a fully open-source OS based on Linux (Debian).
If the driver is not written by Microsoft, that new Windows installation will download it and quite likely it will be the same HP driver with keylogger.
Just makes me support OSS drivers more. Imagine what damage could be done with hidden code in GPU drivers nowadays.
In related news:
https://www.engadget.com/2017/11/28/hp-quietly-installs-syst...
To me, this is one more reason to never use the default install of an operating system.
In this specific case, if the debugging "leftovers" were part of the official drivers, then I would say there is a good indication towards preferring a free OS.
Is this old news? I remember an audio driver (maybe?) causing a similar issue 6-9 months ago.
I worked for an HP reseller at the time and could replicate the issue on almost every model in our labs
Well, Synaptics Touchpad Drivers always sucked. "Windows Precision Touchpad" is pretty good but not quite on Apple's level.
Why does obvious bullshit like this get so much visibility?
Why not "Windows found to have hidden keylogger", it also ships with functionality that allows you to capture keystrokes if you so insist?