If you own an HP laptop and find the programs C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe installed, you may wish to remove them, as the programs log users’ every keystroke and store them in a public directory, according to Swiss security firm Modzero.
The company published an advisory today detailing serious security problems with a legitimate audio driver that contains an “unintended/covert storage channel” and keylogging functionality. The driver ships with several HP laptop models listed below.
HP itself didn’t build the audio driver, which comes from US integrated circuit manufacturer Conexant Systems Inc. Conexant supplied HP with audio chips as well as the drivers.
As Modzero explains, Conexant’s developers intended for their code to detect specific keys that have tasks linked to the audio chip, such as turning a microphone on and off, or controlling the recording LED. But instead of logging specific keys, a debugging feature logged all keystrokes. Modzero says the driver has behaved this way since at least December 2015 and has stored the log file in a public directory at C:\Users\Public\MicTray.log.
“The purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.”
That unintended functionality means that users’ passwords to all their accounts have been captured and exposed.
“Any process that is running in the current user-session and therefore able to monitor debug messages, can capture keystrokes made by the user. Processes are thus able to record sensitive data such as passwords, without performing suspicious activities that may trigger AV vendor heuristics,” Modzero writes.
“Furthermore, any process running on the system by any user is able to access all keystrokes made by the user via file-system access. It is not known, if log-data is submitted to Conexant at any time or why all key presses are logged anyway.”
Although the log file is overwritten after each login, these files would be captured in backup drives if the user runs incremental backups.
And while Modzero puts the keylogger down to carelessness on the part of HP and Conexant, it's still a threat to users.
“There is no evidence that this keylogger has been intentionally implemented,” notes Modzero. “Obviously, it is a negligence of the developers - which makes the software no less harmful. If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn't be problems with the confidentiality of the data of any user.”
Making matters worse, Modzero claims that neither HP nor Conexant has responded to bug reports it filed privately with each firm in late April. On May 1 Modzero did manage to contact HPE, and informed it of the plan to publish an advisory on May 8. HPE tried to reach security folks at HP Inc. “to gain attention”, according to Modzero.
HP told CSO Australia that it is developing a fix that it will release soon.
"HP is committed to the security of its customers and we are aware of an issue on select HP PCs. HP has no access to customer data as a result of this issue. We have identified a fix and will make it available to our customers," an HP spokesperson said.
It might be wise to wait for the patch. Though users can delete the drivers in question, certain audio functions might not work afterwards.
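A read-only PowerShell check for the files named in this article, added here as an example and not taken from Modzero's advisory or from HP. The function names are hypothetical; the paths are the ones quoted above, and nothing is deleted or changed.

```powershell
# Added example. Run from 64-bit PowerShell: a 32-bit host silently
# redirects C:\Windows\System32 to SysWOW64 and would miss the files.
$MicTrayPaths = @(
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe',
    'C:\Users\Public\MicTray.log'
)

function Get-MicTrayArtifact {
    # Hypothetical helper: reports presence, size and last write time per path.
    param([string[]]$Path = $MicTrayPaths)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path          = $p
            Present       = [bool]$item
            SizeBytes     = if ($item) { $item.Length } else { $null }
            LastWriteTime = if ($item) { $item.LastWriteTime } else { $null }
        }
    }
}

function Get-MicTrayProcess {
    # Hypothetical helper: lists the tray program if it is currently running.
    Get-Process -Name 'MicTray', 'MicTray64' -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path
}

$artifacts = Get-MicTrayArtifact
$artifacts | Format-Table -AutoSize

$running = Get-MicTrayProcess
if ($running) { $running | Format-Table -AutoSize }

$log = $artifacts | Where-Object { $_.Path -like '*.log' -and $_.Present }
if ($log -and $log.SizeBytes -gt 0) {
    Write-Warning "MicTray.log is present and non-empty (last written $($log.LastWriteTime))."
} elseif ($artifacts.Present -contains $true) {
    Write-Output 'MicTray files are present; no non-empty log found at the public path.'
} else {
    Write-Output 'None of the MicTray files named in the article were found.'
}
```

Because the article notes that incremental backups can retain earlier copies of the log, the same path is worth checking inside backup sets as well.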
Affected laptop models include:
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC