A researcher found a hidden, deactivated keylogger in a device driver shipped with HP laptops.

HP has fixed a vulnerability in Synaptics touchpad drivers that could allow a hacker to exploit a hidden, deactivated keylogger shipped in more than 460 different models of its laptops.

“A party would need administrative privileges in order to take advantage of the vulnerability,” HP said of the flaw, which could lead to privacy issues. 

The keylogger, in the keyboard driver, “saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value,” researcher Michael Myng, who found the bug, wrote on GitHub.

“Some time ago someone asked me if I can figure out how to control HP's laptop keyboard backlit,” said Myng. “I asked for the keyboard driver SynTP.sys, opened it in IDA” and found what appeared to be a format string for a keylogger in a Synaptics driver.

Myng reported the findings to HP, which quickly produced a fix.

Calling keyloggers “an effective piece of a cyberattack arsenal” used to obtain user credentials and sensitive data that can be used to compromise user accounts, Chris Morales, head of security analytics at Vectra Networks, said, “So, why would a hardware vendor install this kind of software on their computers? The key logger was a software development or test tool that should have been removed before the code was released.”

In this instance, Morales said, “it's unlikely to be a consciously malicious act” since the code is disabled by default “but does leave code in place which any attacker could easily enable and use to monitor everything a user does on their system” and it's yet one more “example of poor QA controls, and the risk that digital supply chain risk.”

Joseph Carson, chief security scientist at Thycotic, agreed the risk to consumers from this particular keylogger is quite low but warned consumers should be vigilant in hardening their security. The vulnerability “requires administrator privileges to exploit it. That means that it is limited,” he said. “Still, a hacker who could compromise administrator privileges could enable the key logger so they could stay hidden and not trigger any alarms. It would also be easily abused by an insider who already has administrator privileges.”