HP notebooks shipped with keylogging audio driver

Portable computers from HP Inc are shipped with an audio driver that silently captures all user keystrokes and records them in an unprotected file, causing major security and privacy risks.

Researcher Torsten Schroeder from Swiss security vendor ModZero discovered that the MicTray64.exe driver from chip vendor Conexant, which makes sound circuits for HP, logged all keystrokes on a HP laptop via a software debugging interface.

Data captured included sensitive information such as passwords and user logins, which are stored in an easily accessible and unencrypted text file under the Windows world-readable public subdirectory used for sharing on networks.

This means any process running on Windows can read the file, and forensic tools can access its contents. 

While the file is overwritten each time the computer starts up, ModZero said system backups would keep a complete history of user keystrokes.

Schroeder said the driver is digitally signed by Conexant, and has been installed on HP computers since at least December 2015. 

He said the keylogger was most likely not installed with malicious intent.

"There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers - which makes the software no less harmful," Schroeder wrote.

ModZero reported the security issue to both vendors, but received no response from either.

HP's EliteBook and ProBook range of laptops come with the keylogging Conexant driver, as do the zBook mobile workstations, the Elite x2 1012 G1 series of tablets, as well as the EliteBook 725, 745, 755, 1030 and Folio notebooks.

Removing the offending scheduled task is not sufficient to disable the keystroke logging, the researcher said.

Instead, users should delete the MicTray executable and the log files it has created from the $WINDIR$\System32 and $USERS$\Public directories on their device.