Keylogger found in audio driver included with some HP laptops [Updated]

Updated May 11, 2017: According to ZDNet, HP has already started rolling out a patch that will remove the keylogger and the log file associated with it.

Original story: If you own an HP laptop, you might want to check that your keystrokes aren't being logged. According to Swiss security firm modzero (via The Next Web), an audio driver included in a number of HP EliteBooks, ProBooks, ZBooks and Elites contains a keylogger — though there's no indication that it's backed by any malicious intent.

According to modzero, the keylogger was included in a driver for an audio chip produced by Conexant that is included in the HP models in question. From modzero:

Conexant is a manufacturer of integrated circuits, emerging from a US armaments manufacturer. Primarily, they develop circuits in the field of video and audio processing. Thus, it is not uncommon for Conexant audio ICs to be populated on the sound cards of computers of various manufacturers. Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model - for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input.Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.

The report goes on to note that the logger has been present since "at least Christmas 2015," but a more recent version of the program records all keystrokes in a log file found at C:\Users\Public\MicTray.log. The log file is erased each time you log out of your PC, but it still presents a massive problem if things like passwords are recorded and the log file is inadvertently backed up.

Modzero says it is publicly disclosing the issue because neither HP or Conexant have responded to its contact requests. "Only HP Enterprise (HPE) refused any responsibility, and sought contacts at HP Inc. through internal channels," it says.

It's important to note that modzero hasn't found any evidence of malintent here. Rather, incompetence appears to be to blame. For its part, HP tells The Next Web that it is working on a fix to ship out to customers. In any case, if you're concerned you're using an affected laptop, modzero has supplied a list of models that you can check. You can also check to see whether whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe exists, and either delete or rename the executable.

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl