UPDATE 5/12: HP issued an update for the Conexant audio driver to remove the keylogger, ZDNet reported. The update covers nearly 30 HP models from the EliteBook, ProBook, ZBook, and Elite x2 product lines. It can be downloaded from HP's website or via Windows Update.
If you own or use an HP computer, it's time to check whether C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. If so, you have an active keylogger recording all key presses and need to take action by renaming the executable file.
Usually when a new keylogger is discovered and reported publicly, it's found to be malicious spyware and the parties affected respond to the threat. In this case, the opposite is true. A keylogger was found on HP computers, but it is not malicious so the company isn't doing anything about it yet.
The keylogger was discovered by security company modzero AG in an audio driver installed on HP systems. Modzero did the responsible thing and made HP aware of its existence. HP Enterprise refused to take responsibility while HP Inc. and the other company involved, Conexant Systems Inc., are ignoring it. So modzero decided to go public "in accordance with our Responsible Disclosure process."
Here's where things get weird. Shipping a system with an active keylogger installed is only really ever going to happen for malicious reasons. But in this case it looks like pure negligence on the part of developers.
The software in question is part of a driver package offered by HP (since December 2015) and related to audio chips manufactured by Conexant. Conexant's integrated circuits appear on numerous sound cards for which they provide drivers. In this case, special key presses are supported for functions such as turning the microphone and recording LED on or off.
Modzero discovered that the software written to detect these special key presses actually records all key presses and stores them in a plain text log file (C:\Users\Public\MicTray.log) for anyone to view. The log is overwritten every time you log back into the computer, but during use it is always recording key presses, which will include any and all passwords entered.
Negligent? Lazy? Call it what you will, but logging all key presses just to detect special key presses is ridiculous. As mentioned above, you can stop it happening by renaming the executable file, but doing so will stop the special key functionality working. Ideally, HP and Conexant take notice now and fix the problem.
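The check and the rename workaround described above can be scripted. The following PowerShell is an added example, not code from HP, Conexant or modzero; the function name Get-MicTrayStatus and the ".disabled" suffix are assumptions made for illustration, while the three paths are the ones named in this article.

```powershell
# Added example. Paths are the ones given in the article; the function name
# and the ".disabled" suffix are hypothetical choices for this illustration.
function Get-MicTrayStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also rename any MicTray executable that is found (needs an elevated session).
        [switch]$Rename
    )

    $targets = @(
        'C:\Windows\System32\MicTray64.exe',
        'C:\Windows\System32\MicTray.exe',
        'C:\Users\Public\MicTray.log'
    )

    foreach ($path in $targets) {
        $file     = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $isExe    = $path -like '*.exe'
        $procName = [System.IO.Path]::GetFileNameWithoutExtension($path)
        # Matched by process name only, so this is an indication, not proof of origin.
        $running  = $isExe -and [bool](Get-Process -Name $procName -ErrorAction SilentlyContinue)

        # One uniform record per path so the output formats as a single table.
        [pscustomobject]@{
            Path      = $path
            Exists    = [bool]$file
            Running   = $running
            SizeBytes = if ($file) { $file.Length } else { $null }
            LastWrite = if ($file) { $file.LastWriteTime } else { $null }
        }

        if ($Rename -and $isExe -and $file -and
            $PSCmdlet.ShouldProcess($path, 'Rename executable')) {
            Rename-Item -LiteralPath $path -NewName ($file.Name + '.disabled')
            if ($running) {
                # Renaming the file does not end an instance that is already loaded.
                Write-Warning "$procName is still running and keeps logging until it exits."
            }
        }
    }
}

Get-MicTrayStatus                      # report only, changes nothing
# Get-MicTrayStatus -Rename -WhatIf    # preview the rename; drop -WhatIf to apply it
```

As the article notes, renaming the executable also disables the special key functionality, so the vendor's driver update is the cleaner fix where it is available.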