Tens of HP laptop models shipped with pre-installed software that can be considered a keylogger. A keylogger is software that records what you type on your keyboard. This data may be sent back to the developer, so keyloggers are often abused to obtain passwords, logins and other sensitive data. In HP's case, the keylogger was distributed via the audio driver MicTray64 from Conexant, signed by the same company. Although this software probably does not spy on you, it is still a security risk: if your computer is infected or hacked, an attacker could obtain everything you have typed on your laptop.
This security issue was discovered by the security company Modzero. The purpose of the software is to recognize whether a special key has been pressed or released. However, the developers included a number of diagnostic and debugging features, which means that all keystrokes are broadcast through the OutputDebugString debugging interface, which another process can access, exposing them to compromise. In some cases, keystrokes are also logged to a .log file on disk.
The log file can be found at C:\Users\Public\MicTray.log
Older version 126.96.36.199 did not create a log file, but since version 188.8.131.52, logging to a file is supported. It is true that this file is overwritten after each login, but it can easily be monitored by other processes or forensic tools. Another problem is incremental backups: a history of your keystrokes may be found there.
Of course, malware can log your keystrokes too, but the security features built into Windows and third-party security solutions may flag that activity as suspicious. In this case, however, the keylogger is built in and can access keystrokes without raising any suspicion.
Modzero reports that this vulnerability was discovered on 28th April. According to the information available, HP and Conexant have not yet addressed the issue.
A list of affected HP laptop models is available from Modzero.
It is strongly recommended that, if you find the log file at “C:\Users\Public\MicTray.log”, you delete it. The same applies to the file “C:\Windows\System32\MicTray64.exe”.
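
To check a machine before deleting anything, the following PowerShell script reports whether the two files named above are present. It is an added example, not code from Modzero, HP or Conexant; it only reads and reports, and it assumes the running process carries the executable's name (MicTray64).

```powershell
# Added example: read-only audit of one Windows host for the two artifacts
# named in this article. Run from a 64-bit PowerShell session so that
# C:\Windows\System32 is not redirected to SysWOW64.
$artifacts = @(
    [pscustomobject]@{ Role = 'Keystroke log'; Path = 'C:\Users\Public\MicTray.log' },
    [pscustomobject]@{ Role = 'Executable';    Path = 'C:\Windows\System32\MicTray64.exe' }
)

$report = foreach ($a in $artifacts) {
    $item   = Get-Item -LiteralPath $a.Path -Force -ErrorAction SilentlyContinue
    $signer = $null
    if ($item -and $item.Extension -eq '.exe') {
        # Record who signed the binary; the article says it is signed by Conexant.
        $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Role      = $a.Role
        Path      = $a.Path
        Present   = [bool]$item
        SizeBytes = $(if ($item) { $item.Length })
        LastWrite = $(if ($item) { $item.LastWriteTime })
        Signer    = $signer
    }
}

# Assumption: the process name equals the executable name without ".exe".
$running = Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue

$report | Format-List
if ($running) {
    Write-Warning ("MicTray64 is running (PID {0})." -f ($running.Id -join ', '))
}

$log = $report | Where-Object { $_.Role -eq 'Keystroke log' -and $_.Present }
if ($log -and $log.SizeBytes -gt 0) {
    # The file is overwritten at each login, so LastWrite shows how recent it is.
    Write-Warning ("Non-empty log found, last written {0}. Backups may hold older copies." -f $log.LastWrite)
} elseif (-not ($report | Where-Object Present) -and -not $running) {
    Write-Output 'Neither file is present and MicTray64 is not running.'
}
```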