An audio driver developed by Conexant and pre-installed on dozens of HP laptops might be recording every keystroke in an unencrypted file on the hard drive, according to Swiss security firm Modzero.
The reason behind recording keystrokes doesn’t seem to be malicious, but rather just incompetence. According to Modzero, the culprit lies with ‘MicTray’, a driver component that’s designed to monitor keystrokes to recognize when a special key is pressed or released, and enable certain features like microphone mute/unmute via hotkeys.
It seems that the version HP bundles with its laptops ships with diagnostic and debugging features enabled, so that every keystroke is either broadcast through the driver’s debug output or written to a log file on the computer.
In its security advisory, Modzero details the issue:
Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user's keystrokes. In version 10.0.0.31, only OutputDebugString was used to forward key scancodes and nothing was written to files.
This issue leads to a high risk of leaking sensitive user input to any person or process that is able to read files in C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators with access to the unencrypted file-system might be able to recover sensitive data of historic key-logs as well. Users are not aware that every keystroke made while entering sensitive information—such as passphrases, passwords on local or remote systems—is captured by Conexant and exposed to any process and framework with access to the file-system or MapViewOfFile API. Additionally, this information-leak via Covert Storage Channel enables malware authors to capture keystrokes without taking the risk of being classified as malicious task by AV heuristics.
This is quite a serious problem; as Modzero notes, the behavior lets malware authors write malware that simply reads keystrokes the driver component has already captured, rather than installing its own keyboard hook, and so avoids being classified as malicious by antivirus software.
Thankfully, HP has now started rolling out an updated version of the driver for its newer 2016 and later models, with a fix for 2015 models coming later today.
In a call with ZDNet, HP’s VP for Customer Experience, Mike Nash, said that the “keylogger-type feature was mistakenly added to the driver's production code and was never meant to be rolled out to end-user devices.”
In its security advisory, Modzero lists quite a few HP computers known to be affected by the issue:
- HP EliteBook 820 G3 Notebook PC
- HP EliteBook 828 G3 Notebook PC
- HP EliteBook 840 G3 Notebook PC
- HP EliteBook 848 G3 Notebook PC
- HP EliteBook 850 G3 Notebook PC
- HP ProBook 640 G2 Notebook PC
- HP ProBook 650 G2 Notebook PC
- HP ProBook 645 G2 Notebook PC
- HP ProBook 655 G2 Notebook PC
- HP ProBook 450 G3 Notebook PC
- HP ProBook 430 G3 Notebook PC
- HP ProBook 440 G3 Notebook PC
- HP ProBook 446 G3 Notebook PC
- HP ProBook 470 G3 Notebook PC
- HP ProBook 455 G3 Notebook PC
- HP EliteBook 725 G3 Notebook PC
- HP EliteBook 745 G3 Notebook PC
- HP EliteBook 755 G3 Notebook PC
- HP EliteBook 1030 G1 Notebook PC
- HP ZBook 15u G3 Mobile Workstation
- HP Elite x2 1012 G1 Tablet
- HP Elite x2 1012 G1 with Travel Keyboard
- HP Elite x2 1012 G1 Advanced Keyboard
- HP EliteBook Folio 1040 G3 Notebook PC
- HP ZBook 17 G3 Mobile Workstation
- HP ZBook 15 G3 Mobile Workstation
- HP ZBook Studio G3 Mobile Workstation
- HP EliteBook Folio G1 Notebook PC
The log file – located at C:\Users\Public\MicTray.log – that stores the unencrypted keystrokes is wiped every time the user logs out. However, an incremental backup service could retain copies of this file for weeks, if not forever.
HP’s updated audio drivers will roll out via Windows Update and also be available on HP.com. As a quick fix, Modzero recommends that users either delete or rename the 'MicTray' or 'MicTray64' executables located at ‘C:\Windows\System32\’, although that may stop the audio hotkeys from working.
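For administrators who want to check fleet machines for the three artefacts the advisory describes (the world-readable log file, the MicTray executables in System32, and the scheduled task that relaunches them at login) and, optionally, apply Modzero's rename workaround, the following PowerShell script is an added example. It is not code from Modzero, HP or Conexant; it assumes the default paths named in the advisory and that it runs in an elevated session on a Windows host. It reports only the size and timestamp of the log file, never its contents.

```powershell
<#
  Added example (not from Modzero, HP or Conexant): audit a Windows host for
  the MicTray keystroke-logging behaviour described above and, with -Mitigate,
  apply the rename workaround Modzero recommends. Assumes the default paths
  from the advisory; run from an elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Mitigate   # rename the MicTray executables (breaks audio hotkeys)
)

$logPath  = 'C:\Users\Public\MicTray.log'
$exePaths = @('C:\Windows\System32\MicTray.exe',
              'C:\Windows\System32\MicTray64.exe')

$findings = @()

# 1. World-readable keystroke log: report existence and size, never contents.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    $findings += "Keystroke log present: $logPath ($($log.Length) bytes, last written $($log.LastWriteTime))"
}

# 2. The driver component itself, with its file version for patch tracking.
#    (The advisory notes that version 10.0.0.31 only used OutputDebugString;
#    later versions also wrote the log file.)
foreach ($exe in $exePaths) {
    if (Test-Path -LiteralPath $exe) {
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $findings += "MicTray executable present: $exe (file version $ver)"
    }
}

# 3. The scheduled task that re-launches MicTray after every user login.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions | Where-Object { $_.Execute -match 'MicTray' } }
foreach ($t in $tasks) {
    $findings += "Scheduled task launches MicTray: $($t.TaskPath)$($t.TaskName) (state: $($t.State))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No MicTray artefacts found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# 4. Optional workaround from the advisory: stop the running instance, rename
#    the executables so the scheduled task has nothing to launch, and remove
#    the current log. Audio hotkeys stop working until the patched driver
#    from HP / Windows Update is installed.
if ($Mitigate) {
    Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue

    foreach ($exe in $exePaths) {
        if ((Test-Path -LiteralPath $exe) -and
            $PSCmdlet.ShouldProcess($exe, 'Rename to .disabled')) {
            try {
                $newName = (Split-Path -Path $exe -Leaf) + '.disabled'
                Rename-Item -LiteralPath $exe -NewName $newName -ErrorAction Stop
            } catch {
                # System32 binaries are owned by TrustedInstaller; an administrator
                # may need to take ownership before the rename succeeds.
                Write-Warning "Could not rename ${exe}: $_"
            }
        }
    }

    if ((Test-Path -LiteralPath $logPath) -and
        $PSCmdlet.ShouldProcess($logPath, 'Delete keystroke log')) {
        Remove-Item -LiteralPath $logPath -Force -ErrorAction SilentlyContinue
    }
}
```

Running the script with no switches is read-only and suitable for a fleet-wide inventory; `-Mitigate -WhatIf` previews the changes, and `-Mitigate` applies them. Because the log is recreated at the next login while the vulnerable driver remains installed, the rename (or HP's updated driver) is the step that actually stops the logging; deleting the file alone only clears what has been captured so far.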