Security researchers are warning of a driver found on HP notebooks that can be misused as a keylogger. Specifically, one component of the audio driver writes all of the user’s keyboard input to an unprotected file.
According to a report by security researchers from the Swiss company Modzero, some HP business notebooks show security-relevant behavior on closer inspection. The audio driver causes all of a user’s keyboard input, including passwords, to be recorded in an unprotected file.
The HP business notebook series EliteBook, ProBook, Elite x2 and ZBook ship with an audio driver from Conexant that includes the application “MicTray64.exe”. According to the researchers, this application is able to monitor keystrokes; its actual purpose is to let the system respond appropriately to special function keys such as the volume control. In itself this is largely harmless, since a user expects that feature from the notebook. However, the security researchers were able to demonstrate that all keyboard input is written to the publicly readable file “C:\Users\Public\MicTray.log”.
The mere existence of the log file is not yet dangerous for the owner. However, it must be clearly stated that it opens a door to a potential attack by malicious software. If such malware has been installed on one of the HP notebooks mentioned above, it only needs to read the freely accessible file to obtain all of the user’s keyboard input.
According to the available information, the log file is overwritten on each device at every new Windows login. But since users often simply put their device into standby mode and do not shut it down completely when they finish work, malware can potentially grab the keystrokes of several days, maybe even weeks.
Finally, it is important to note that the security researchers do not assume, and have found no evidence, that HP or Conexant is pursuing malicious intentions with the audio driver. The whole thing seems to be a mistake or, more precisely, a forgotten debug function. Nevertheless, the two companies have so far neither responded to the researchers’ findings nor fixed the security problem in the driver. Anyone who finds the log file on their notebook can only protect themselves effectively by deleting the driver file “MicTray64.exe”. However, the notebook’s special function keys will then no longer work.
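A check for the condition described above, as an added example that is not part of the original article or the Modzero report: it looks for the log file at the path named in the text, lists broad groups that are allowed to read it, and reports whether a MicTray64 process is running. The function name `Test-MicTrayExposure` and the output property names are assumptions made for this example.

```powershell
# Added example (not from the article or the Modzero report).
# Function name and output property names are assumptions for this example.
function Test-MicTrayExposure {
    [CmdletBinding()]
    param(
        # Log path named in the article.
        [string]$LogPath = 'C:\Users\Public\MicTray.log'
    )

    $result = [ordered]@{
        LogPresent     = $false
        LogSizeBytes   = $null
        LogLastWritten = $null
        BroadReaders   = @()
        ProcessRunning = $false
        ProcessPath    = $null
    }

    if (Test-Path -LiteralPath $LogPath -PathType Leaf) {
        $item = Get-Item -LiteralPath $LogPath -Force
        $result.LogPresent     = $true
        $result.LogSizeBytes   = $item.Length
        $result.LogLastWritten = $item.LastWriteTime   # old timestamp = long session without re-login

        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
        $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
        $rules = (Get-Acl -LiteralPath $LogPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $result.BroadReaders = @(
            $rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadSids -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            } | ForEach-Object { $_.IdentityReference.Value }
        )
    }

    # Component named in the article; the process name is the file name without ".exe".
    $proc = Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc) {
        $result.ProcessRunning = $true
        $result.ProcessPath    = $proc.Path   # may be empty without sufficient privileges
    }

    [pscustomobject]$result
}

Test-MicTrayExposure | Format-List
```

A machine where `LogPresent` is true, `BroadReaders` is non-empty and `ProcessRunning` is true matches the situation the researchers describe.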