Pierluigi Paganini December 08, 2017

A security researcher discovered that hundreds of notebook models contain a debugging code that could be abused by attackers as a keylogger component.

Hundreds of notebook models contain a debugging code that could be abused by attackers as a keylogger component. The code was discovered by a security researcher that goes online with the moniker ZwClose, the list of affected models and security patch are available at the following URL:

https://support.hp.com/us-en/document/c05827409

The list of affected notebooks includes 475 models, 303 consumer notebooks and 172 commercial notebooks, mobile thin clients, and mobile workstations. Affected model families include HP’s 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models.

Oh well. Keylogger in HP's SynTP.sys. Off by default. Vendor contacted. Fix released and pushed. Blog post is on the way.

— ZwClose (@zwclose) December 6, 2017

HP has released security updates for its drivers in order to remove the debugging code that was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver.

HP customers know that the Synaptics Touchpad driver is shipped with many HP notebook models.

“HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required). ” reads the blog post published by the expert.

That registry key is:

HKLM\Software\Synaptics\%ProductName% HKLM\Software\Synaptics\%ProductName%\Default

The Windows software trace preprocessor (WPP) technique is used by developers for debugging code.

“WPP software tracing supplements and enhances WMI event tracing by adding ways to simplify tracing the operation of the trace provider. It is an efficient mechanism for the trace provider to log real-time binary messages. The logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider.” states Microsoft.

Of course, the risk is that this debugging feature could be abused by vxers to enable the keylogging feature present in the code and spy on HP users. The native code runs at kernel level and is to detectable by security software.

Malware developers only need to bypass the UAC prompt when changing the registry key, and there are many ways to do it.

HP admitted the presence of keylogging code confirming it was used for debugging purposed and accidentally and left because of a forgetfulness, for this reason, the tech giant “released an update that removes the trace.”

The researcher that uses the Twitter handles THS explained that HP did not remove the keylogger functions in the new version, the company simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry.

https://twitter.com/__ths__/status/863324677019770880

In May, the security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs was logging keystrokes. The expert discovered that MicTray64.exe application, which is installed with the Conexant audio driver package, is registered as a scheduled task in Windows systems and is able to monitor keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).

Pierluigi Paganini

(Security Affairs – HP keylogger, Keyboard Driver)

[adrotate banner=”5″]

[adrotate banner=”13″]