[Fix Included] HP computers are shipping with a built-in keylogger in the audio drivers

Have you bought an HP notebook, tablet or workstation recently? Would it upset you to know it may be silently recording every keystroke? According to Swiss infosec firm ModZero, this is actually happening on a select group of HP computers (list of affected devices below).

According to a ModZero blog post, HP's 2015 update to its audio drivers introduced some new diagnostic features. Unannounced to customers, and seemingly poorly implemented, these features mean the driver ultimately acts like a keylogger, capturing every single key-press.

It's fine though, HP must have rectified this huge security concern? Unfortunately not: a later update to the driver introduced further functionality that writes every single key-press to a log file stored on the user's system.

It is important to note that this log file is wiped every time you log out of your system, but, as ModZero points out, if you have any kind of incremental backup in place there may well be a permanent record of everything you have typed.

ModZero recommends that all users of HP computers check whether the program C:\Windows\System32\MicTray64 exists on their machine, and delete the MicTray log file C:\Users\Public\MicTray.log, as it may contain sensitive information such as passwords, login credentials and banking details.

The blog post also highlights that, at this time, there is no evidence that this keylogger was implemented intentionally; rather, it appears to be severe negligence on the developers' part.


Temporary Fix:

To stop the process from running (credit to _My_Angry_Account_, a user on reddit):
  1. Start the Registry Editor (regedit).
  2. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
  3. Right click on Image File Execution Options > New > Key
  4. Name the new key MicTray.exe
  5. Right click the new MicTray.exe key > New > String value
  6. Name the new value debugger
  7. Set the new "debugger" string value data to: devenv /debugexe

Windows then launches any executable named MicTray.exe or MicTray64.exe through the specified debugger instead of running it directly, and this causes it to fail.

If you are running 64-bit Windows, steps 4 and 5 should instead be:
  4. Name the new key MicTray64.exe
  5. Right click the new MicTray64.exe key > New > String value
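The same workaround can be applied from an elevated PowerShell prompt. The script below is an added example, not from the original post, ModZero or the reddit user: it performs the MicTray and log-file checks ModZero recommends, then creates the IFEO key for both MicTray.exe and MicTray64.exe so the 32-bit and 64-bit cases are covered in one go. The function names and the $ImageNames list are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the temporary IFEO workaround described above.
# Not part of the original post; names below are this example's own.

$IfeoPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ImageNames = @('MicTray.exe', 'MicTray64.exe')   # both names, so 32- and 64-bit builds are covered
$LogFile    = 'C:\Users\Public\MicTray.log'

function Test-MicTrayPresence {
    # Report whether the MicTray binaries and the keystroke log exist on this machine.
    foreach ($name in $ImageNames) {
        $exe = Join-Path $env:SystemRoot "System32\$name"
        [pscustomobject]@{ Item = $exe; Present = (Test-Path -LiteralPath $exe) }
    }
    [pscustomobject]@{ Item = $LogFile; Present = (Test-Path -LiteralPath $LogFile) }
}

function Set-MicTrayIfeoBlock {
    # Steps 1-7 of the workaround: create the IFEO subkey for each image name and
    # set its "Debugger" value, so Windows routes MicTray through that command
    # instead of running it directly. Remove the subkey to undo the block.
    foreach ($name in $ImageNames) {
        $key = Join-Path $IfeoPath $name
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'Debugger' -PropertyType String `
            -Value 'devenv /debugexe' -Force | Out-Null
        Write-Host "IFEO Debugger value set for $name"
    }
}

function Remove-MicTrayLog {
    # ModZero's advice: delete the log, since it may hold typed credentials.
    if (Test-Path -LiteralPath $LogFile) {
        Remove-Item -LiteralPath $LogFile -Force
        Write-Host "Deleted $LogFile"
    }
}

Test-MicTrayPresence | Format-Table -AutoSize
Set-MicTrayIfeoBlock
Remove-MicTrayLog
```

Because the log is recreated while the driver is still installed, re-run the presence check after the next login to confirm the block took effect.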

To check your version of Windows, the shortcut is to hold down the Windows key and press Pause (Break). In Windows 8.1 and 10 you can also right-click the Start button and click System. In previous versions, right-click Computer or My Computer and click Properties to find out which version of Windows you are running.

Current list of affected machines:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Thanks for reading – feel free to follow and stay updated 🙂