A researcher discovered a keylogger, turned off by default, in the keyboard driver for hundreds of HP laptops. HP released firmware updates to address the potential security vulnerability.

Oops! We all make mistakes at some point, but I don’t want to hear oops when it comes to keyloggers that are “accidentally” preinstalled on computers. Nevertheless, 475 models of Hewlett-Packard notebooks, mobile thin clients and mobile workstations had a keylogger wrapped inside a keyboard driver.

It’s bad enough that a keylogger is found to be lurking on HP computers at all, but to happen twice in one year is ludicrously pathetic. Back in May, HP issued a fix after researchers discovered a keylogger monitoring keystrokes in an audio driver package installed on nearly 30 models of HP computers.

In this newest go-around, security researcher ZwClose discovered a keylogger in the keyboard driver — the Synaptics Touchpad driver, or SynTP.sys file, which shipped with nearly 500 HP laptop models.

Oh well. Keylogger in HP’s SynTP.sys. Off by default. Vendor contacted. Fix released and pushed. Blog post is on the way.
— ZwClose (@zwclose) December 6, 2017

In the security bulletin, HP noted that “only” the impacted versions were listed. There are “only” 475 products listed; the list included 172 commercial notebooks, mobile thin clients, mobile workstations, as well as 303 consumer notebooks with several models listed under some of those notebook products.

As ZwClose (identified as Michael Myng in HP’s security bulletin) noted in a write-up about the vulnerability, “The logging was disabled by default but could be enabled by setting a registry value.” In other words, an attacker could bypass User Account Control (UAC) and use malicious code to turn on the keylogger by changing the registry value.

The registry key:

HKLM\Software\Synaptics\%ProductName%
HKLM\Software\Synaptics\%ProductName%\Default

It is important to note that if the keylogger were enabled, the keystrokes would be logged locally.
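A read-only way to inventory the driver and the registry keys named above, so the installed driver version can be compared against HP's bulletin and the key contents baselined for later change detection. This is an added example, not code from HP, Synaptics or the researcher; the driver path and the baseline file name are assumptions, and because the article does not name the registry value, the script lists every value under the keys.

```powershell
# Added example: read-only inventory of SynTP.sys and the Synaptics registry keys.
$driverPath   = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'  # assumed default location
$rootKey      = 'HKLM:\Software\Synaptics'
$baselineFile = '.\synaptics-baseline.txt'                              # hypothetical baseline file

function Get-SynTPDriverInfo {
    if (-not (Test-Path -LiteralPath $driverPath)) { return $null }
    $file = Get-Item -LiteralPath $driverPath
    [pscustomobject]@{
        Path        = $file.FullName
        FileVersion = $file.VersionInfo.FileVersion   # compare with the fixed version in HP's bulletin
        LastWrite   = $file.LastWriteTimeUtc
        Sha256      = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
    }
}

function Get-SynapticsRegistryValues {
    if (-not (Test-Path -Path $rootKey)) { return @() }
    # %ProductName% differs per model, so walk every product subkey and its Default subkey.
    foreach ($product in Get-ChildItem -Path $rootKey) {
        $keys = @($product)
        $default = $product.OpenSubKey('Default')      # $null when the subkey is absent
        if ($default) { $keys += $default }
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key  = $key.Name
                    Name = $name
                    Kind = $key.GetValueKind($name)
                    Data = ($key.GetValue($name) -join ',')
                }
            }
        }
    }
}

Get-SynTPDriverInfo | Format-List

# One line per value; the first run records a baseline, later runs report any difference.
$current = @(Get-SynapticsRegistryValues | ForEach-Object { "$($_.Key)|$($_.Name)|$($_.Kind)|$($_.Data)" })
if (Test-Path -LiteralPath $baselineFile) {
    Compare-Object -ReferenceObject @(Get-Content -LiteralPath $baselineFile) -DifferenceObject $current
} else {
    $current | Set-Content -LiteralPath $baselineFile
}
```

A value that appears or changes under these keys after the baseline was taken is worth investigating on a machine that still runs an unpatched driver.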
According to Myng, “The keylogger saved scan codes to a WPP trace.”

How the keylogger got onto HP notebooks

As for how it was an “oops,” HP maintained the keylogger was a “debug trace” that accidentally was not removed.

HP described the potential security impact of the Synaptics Touchpad driver vulnerability as the “potential, local loss of confidentiality.”

HP’s vulnerability summary stated:

A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.

Myng found the keylogger while he was trying to figure out how to control the backlighting of HP’s laptop keyboard. He reported his findings to HP in November.

They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace. Get the list of affected models and fixed driver at the HP website. The update is also available via Windows Update.

HP suggested acting on the security bulletin “as soon as possible.” The company listed all impacted HP products and released software updates for Synaptics touchpad drivers. Fixes for some of the impacted products, such as specific notebook models of HP Envy m6-nXXX, HP Envy 15-qXXX, HP Envy TouchSmart 15-qXXX, HP Stream x360 11 Convertible and HP x360 11 Convertible notebook, are yet “to be announced.” HP said it would “update the table as Softpaqs become available.”