Skip to main content

Keylogger found in audio driver included with some HP laptops [Updated]

Updated May 11, 2017: According to ZDNet, HP has already started rolling out a patch that will remove the keylogger and the log file associated with it.

Original story: If you own an HP laptop, you might want to check that your keystrokes aren't being logged. According to Swiss security firm modzero (via The Next Web), an audio driver included in a number of HP EliteBooks, ProBooks, ZBooks and Elites contains a keylogger — though there's no indication that it's backed by any malicious intent.

According to modzero, the keylogger was included in a driver for an audio chip produced by Conexant that is included in the HP models in question. From modzero:

Conexant is a manufacturer of integrated circuits, emerging from a US armaments manufacturer. Primarily, they develop circuits in the field of video and audio processing. Thus, it is not uncommon for Conexant audio ICs to be populated on the sound cards of computers of various manufacturers. Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model - for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input.Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.

The report goes on to note that the logger has been present since "at least Christmas 2015," but a more recent version of the program records all keystrokes in a log file found at C:\Users\Public\MicTray.log. The log file is erased each time you log out of your PC, but it still presents a massive problem if things like passwords are recorded and the log file is inadvertently backed up.

Modzero says it is publicly disclosing the issue because neither HP or Conexant have responded to its contact requests. "Only HP Enterprise (HPE) refused any responsibility, and sought contacts at HP Inc. through internal channels," it says.

It's important to note that modzero hasn't found any evidence of malintent here. Rather, incompetence appears to be to blame. For its part, HP tells The Next Web that it is working on a fix to ship out to customers. In any case, if you're concerned you're using an affected laptop, modzero has supplied a list of models that you can check. You can also check to see whether whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe exists, and either delete or rename the executable.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

41 Comments
  • Thanks, Modzero. Scratching HP off my buy list.....
  • Why do key loggers matter?
  • Malicious actors could acquire your personal information including name, username, password, credit/debit card number, and your SSN if you're American, among other things.
  • Ah, I see. Hp hardware suck in general. Surface and Razor ftw.
  • Huh? Where have you been the past 5 years?
  • I did the same, when HP refused to release updated drivers for Win8, barely a year after I bought their $1K+ laptop; of course that means no Win8.1 and no Win10 drivers so I am screwed; never again HP; But on a bright side their hardware warranty support is great, compared to Sony's VAIO, before it went down the *******, for said practices.  
  • Enterprise hardware done right.
  • /s?
  • Captain Obvious
  • Arrr matey
  • Oooooops indeed, that's HP reputation just hit rock bottom, the key log is written to the PUBLIC users folder as well
  • Yup, doesn't get much worse than that.
  • Yup. Assuming no malicious intent, it's still pretty lazy coding to include a key logger, even for debugging purposes, if you ask me.
  • +1
  • No malicious intent or was there. Fbi / cia conspiracy.
  • You would think that a company as hp would inspect all the drivers before shipping a product. About time to set up a team for that purpose only.
  • This **** should be illegal and criminal.
  • Holy whackamoley that's nasty.
  • I don't see the technical reason, why they needed to do it this way. Conspiracy galore if you ask me...
  • The key logging is very likely a debugging feature that developers forgot to turn off in the final build, but I'm in agreement that there's no need to log keys to troubleshoot this.  Key logging seems tempting in order to debug code, but in reality, it's often more work than it's worth.
  • Need to take lessons from Lenovo in hiding the key-loggers
  • just wow.
  • Good job, OEMs
  • Windows does something similar and nobody says anything...
  • Telemetry is not the same as full on key-logging. AND: Everyone spoke out about it, did you not know? Apple does the same, yet THERE is no rage because they do it quietly.
  • Well its true but its not something to be alarmed...at the end there's options, at least for me its ok to use the Windows generic driver until they fix that 👍
  • Nice fud jackwagon.
  • It's no FUD you blind fanboy, it's 100% true given the fact that every press of a key when searching Windows Search sends details to microsoft servers regardless if you intend on searching local files or online.
  • "C:\Users\Public\MicTray.log" You mean that folder that has no file permissions whatsoever, is accessible to any user, software or virus without prompt, and is part of the default set of folders shared on SMB and Homegroup? Fark.
  • Yes, that one. It has full Public access by any user
  • I remember when people called me foolish for refusing to buy HP devices...
  • The scarier part is the program can turn your mic off and on and the indicator light so your mic can be on without you knowing
  • everyone here is quick to blame HP, but this is really Conexant's problem. Luckily for me, the Creator's Update broke the B&O/Conexant audio stuff on my HP Spectre X360, had to uninstall it and only use the Realtek drivers now.
  • NO, it is just as much HP's fault; its their hardware, they are responsible for the parts and drivers they put in it;
  • Well now I know not to go to HP for a new gaming laptop (my ASUS G73Jh is showing its age).
  • OMG .... Key logger
    It means windows 10 S is best.
  • Eh, people are making a mountain out of a molehill, and it's already getting fixed. Plenty of companies have done a lot worse than this.
  • Uhm... They just disabled the logging, flip the registry keys and this audio driver (!) will still happily log your keystrokes in ascii scancode. Nice malware target waiting to be exploited.
  • This strikes me more as sloppy programming (especially since it is not in all versions of the driver, just a few) more than anything nefarious. Especially since it makes no attempt to hide what it is doing at all.
    Some contract programmer for Conexant turned on a debug function to watch what it was doing and never removed it from the final code. It happens more often than you would like to believe.
    Claiming that HP is responsible for this is like claiming Ford is responsible if you put the wrong parts in your engine and destroy it.
    My question to HP however is HOW are you going to distribute the "fix" for this? Especially to the Enterprise customers who don't allow access to Windows Update or driver updates over the Web.
  • Except the user didn't change car parts, the dealership did. Bad analogy.
  • Any information if other brands have the same vulnerability, i.e. Dell, Lenovo?