The keylogger is used by audio drivers to determine when the up and down volume control buttons on the keyboard have been pressed.
2017-05-05: Sent technical information to HPE security contact. Security researchers believe that the keylogger function was installed into the laptops by developers of the audio driver.
The log file itself is overwritten every time the computer is booted, but with system backups an ongoing, complete history of user keystrokes would be available. In effect, every keystroke a user types is recorded and stored in an unsecured file on the computer.
That seemed innocent enough but, on further examination, Modzero found that the audio driver package, developed and digitally signed by the audio chip manufacturer Conexant, has been poorly implemented, turning the driver “effectively into keylogging spyware”. However, a number of debugging features have ended up ensuring that all keystrokes are recorded and written to a log file.
“There is no evidence that this keylogger has been intentionally implemented”, the security firm said in its blog post.
“Obviously, it is a negligence of the developers – which makes the software no less harmful”. “We want to make sure this doesn’t happen again”. However, doing this may disable special key functions, but that’s a fair trade-off IMO.
Notably, the security firm Modzero had earlier informed HP and Conexant of the keystroke logging flaw; however, HP’s Nash said that the company had already been working on the fix before Modzero’s notification.
The audio driver was created to identify when a special key on the PC was used. The recorded keystrokes include passphrases for online banking and email accounts.
As noted, the keylogger is contained in audiocpu Conexant driver version 220.127.116.11 and older.
It does not appear the keylogger feature was designed with malicious intent, though.
All users of HP computers should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.
For now, ModZero recommends that users check for and delete or rename the MicTray64 and MicTray applications (located at C:\Windows\System32\). You can also verify the files C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe.
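
The check and rename described above can be scripted. This is an added example, not code from the original article, Modzero or HP. It uses only the two file names the article gives; the `-Quarantine` switch and the `.disabled` suffix are hypothetical names chosen for illustration.

```powershell
# Added example: audit (and optionally rename) the MicTray binaries named in the article.
# Save as a .ps1 file and run from an elevated 64-bit PowerShell prompt; a 32-bit
# session is redirected from System32 to SysWOW64 and would miss the files.
param(
    [switch]$Quarantine   # hypothetical switch: stop the process and rename the file
)

$targets = 'MicTray64.exe', 'MicTray.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output "[ok]    $path not present"
        continue
    }

    $file = Get-Item -LiteralPath $path

    # The article says the package is digitally signed by Conexant, so report
    # the signer and file version to tell which build is installed.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }

    # A renamed binary keeps running until its process exits, so look for it.
    $procs = Get-Process -Name $file.BaseName -ErrorAction SilentlyContinue

    Write-Output ("[found] {0} version={1} signature={2} signer={3} running={4}" -f `
        $path, $file.VersionInfo.FileVersion, $sig.Status, $signer, [bool]$procs)

    if ($Quarantine) {
        if ($procs) { $procs | Stop-Process -Force }
        $newName = "$($file.Name).disabled"   # suffix is an assumption of this example
        Rename-Item -LiteralPath $path -NewName $newName
        Write-Output "[fixed] renamed to $newName"
    }
}
```

Run without `-Quarantine` first to get a read-only report across machines before changing anything.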