Leftover Debugger Doubles as a Keylogger on Hundreds of HP Laptop Models

HP Inc. released a software update to fix a vulnerability that allows attackers to turn debugging code, accidentally left on hundreds of laptop models, into a keylogger.

Researcher Michael Myng is credited with discovering the vulnerability, which is tied to the use of a Synaptics Touchpad driver. He said in a technical write-up outlining the discovery that the debugger feature is disabled by default, but a user with system admin privileges could change Windows registry values and permit keylogger functionality.

HP confirmed the flaw and released an update that removes the offending code, identified as a Windows software trace preprocessor (WPP) debugger. HP said more than 460 laptop models are impacted, including laptops that are part of its EliteBook, HP Pavilion and ZBook lines.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability,” HP stated in a security bulletin. HP said neither Synaptics nor HP accessed customer data as a result of this issue.

Myng said that the debugging code that could be turned into a keylogger is present in the Synaptics Touchpad SynTP.sys file.

“The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required),” Myng wrote.

WPP tracing is a technique used by developers to debug code. By changing a value in the Windows registry, Myng was able to enable a keylogging feature that allowed user keystrokes to be stored locally.

“Some time ago someone asked me if I can figure out how to control HP’s laptop keyboard backlit. I asked for the keyboard driver SynTP.sys, opened it in IDA and after some browsing noticed a few interesting strings,” Myng said of his discovery.

The software update is available via HP and will also be pushed via Windows Update, according to the researcher.

In May, it was discovered that an audio driver that came installed on some HP-manufactured computers recorded users’ keystrokes and stored them in a world-readable plaintext file. The culprit was version 1.0.0.31 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines.

Source: ThreatPost
