Keylogger discovered in audio driver on several HP laptops

Dozens of HP laptop models have been found to contain an audio driver that silently logs users keystrokes, according to Swiss security firm ModZero. There does not appear to be malicious intent behind the keylogger, as one might automatically assume, but there is the potential that it could be used for nefarious purposes.

Injecting a keylogger into an audio driver seems like an odd thing, and that's because it is. However, audio chip manufacturer Conexant apparently went that route on several HP laptop models as means of trying to detect when a hotkey is pressed. Shortcuts exist for tasks such as turning a microphone on and off, and that presents a problem.

"The purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive," ModZero says. "This type of debugging turns the audio driver effectively into a keylogging spyware."

This has been a part of the driver packaged offered by HP since at least December of 2015. On affected systems, key presses get recorded and stored in a plain text log file. This is found by navigating to C:\Users\Public\MicTray.log. This log is overwritten each time the system is logged back into, but for that session, it continually records keystrokes, including any passwords or private communications that might get typed.

"Obviously, it is a negligence of the developers— which makes the software no less harmful. If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn't be problems with the confidentiality of the data of any user," ModZero writes.

ModZero tried informing HP Enterprise (HPE) but says the company refused to take any responsibility for the keylogger. The security firm then contacted HP Inc. and Conexant, neither of which responded to ModZero.

Since nobody from HP or Conexant was willing to own up to and/or correct the issue, ModZero decided to publish the information in accordance with its responsible disclosure process.

If you own an affected laptop model, not only should you delete the aforementioned log file, but you should also rename the executable that causes this to happen. Look for the presence of C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe and rename the file. That will stop the audio driver from recording your keystrokes, at the expense of having access to hotkeys.

Paul Lilly

Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).