Security researcher Michael Myng found keylogger code, which records every keystroke typed, pre-installed in HP laptop software drivers on models dating back as far as 2012. HP has said that more than 460 models are affected by this “potential security vulnerability” and that the issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others.
Myng was inspecting the Synaptics touchpad software when he discovered the pre-installed keylogger; at the time he was trying to work out how to control the keyboard backlight on an HP laptop. According to Myng, an attacker with access to an HP computer could have enabled it to record what a user was typing.
HP says that the keylogger was not built into the models to track users' keystrokes but rather to help debug errors. Although HP acknowledged that the issue could result in a “loss of confidentiality”, it said that neither it nor Synaptics had access to customer data.
In May, a similar keylogger was discovered in audio drivers pre-installed on several HP laptop models. At the time, the company said the keylogger code had been mistakenly added to the software.
Tod Beardsley, research director at Rapid7, emailed SC Media UK: "The finding by researcher ZwClose illustrates a common problem among hardware manufacturers, where specialised debugging functions are accidentally included in shipping products. In this case, it looks like both the researcher and the vendor did everything right. By alerting the vendor to the accidentally included debug function, the vendor was able to quickly remove the offending functionality.
“It's important to stress that while the keyboard logging functionality not only appears to have shipped in error, rather than maliciously, it also required administrative privileges in order to actually use. This restriction severely limits the usefulness of the debug code to attackers - after all, an attacker who has admin rights can just install their own custom keystroke logger. That said, HP acted to at least reduce the attack surface of their laptops that ship with this particular system driver, so that's an overall win for security conscious consumers."
Update: HP has emailed SC Media UK to emphasise that there is a fix available, commenting: "HP was advised of an issue that exists with Synaptics' touchpad drivers that impacts all Synaptics OEM partners. HP uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on HP.com."