It would seem that HP is back in the limelight for the wrong reason. After issuing a firmware update to block third-party cartridges, HP had already had its fair share of anti-customer moves for the year. However, a recent discovery by security firm modzero brings a lot more negative publicity for HP. It turns out that a certain audio driver package for HP laptops packs a keylogger. So if your HP laptop uses the Conexant Audio driver, all your keystrokes might be getting recorded. It should be noted that the logged keystrokes are not being transmitted to any remote location; the keylogging is the outcome of poorly configured software.
Keylogger built into Conexant Audio driver
The purpose of the software module within the Conexant Audio driver is to figure out whether a certain key has been pressed. This is nothing new; a lot of software has such a mechanism to identify when hotkeys or shortcut keys are pressed so that the appropriate action can be executed. However, in this case Conexant, the manufacturer of the hardware, introduced a number of debugging and diagnostic features which caused not just the predetermined hotkeys but every single keystroke to be recorded and logged to a file on the system, essentially turning this software module into a keylogger.
The affected files – mictray64.exe
The keylogger has been part of the Conexant Audio driver package since at least Christmas 2015. This was determined from the signing certificate issued for the software. So if you have the latest or previous package of ‘Conexant High-Definition (HD) Audio Driver’, then your keystrokes are definitely being recorded. Currently, the keylogger is part of the SOFTPAQ file SP79420.exe, which supports about 28 systems including notebooks, workstations and tablets.
Once installed, the file mictray64.exe or mictray.exe starts logging each and every keystroke into a log file named ‘MicTray.log’, which resides on your OS drive (C:\Users\Public\MicTray.log) and is openly readable. However, there is a silver lining to this keylogger (if you can call it that). The log file is emptied each time the user logs out of the active session, and no transmission has been recorded as yet. So the log file remains on your PC and gets cleared each time you log off.
How to remove HP MicTray64.exe keylogger
Delete the files. They are not at all necessary for the audio hardware to function, so deleting them has no adverse effects at all. You can find the culprit on your system at ‘C:\Windows\System32\MicTray64.exe’, and the log file is situated at ‘C:\Users\Public\MicTray.log’. Moreover, there is a scheduled task that runs MicTray64.exe on a regular basis, so check the Task Scheduler Library for it as well. If you don’t want to delete the files for some reason, you can always disable the Conexant Windows service called CxMonSvc, which is also supposed to run the file.
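The checks and cleanup described above can be scripted. The PowerShell function below is an added example, not code from HP, Conexant or modzero; the name Find-MicTrayKeylogger is hypothetical, and disabling (rather than just inspecting) the scheduled task is an assumption. The paths and the CxMonSvc service name are the ones given in this article.

```powershell
# Added example: Find-MicTrayKeylogger is a hypothetical name, not an HP or modzero tool.
# File paths and the CxMonSvc service name are the ones given in the article.
function Find-MicTrayKeylogger {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remove,          # delete the binary and the log (the article's main fix)
        [switch]$DisableService   # the article's alternative: disable CxMonSvc
    )
    $exe = 'C:\Windows\System32\MicTray64.exe'
    $log = 'C:\Users\Public\MicTray.log'

    # Report whether the files named in the article are present
    foreach ($path in $exe, $log) {
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            "FOUND   $path ($($f.Length) bytes, last written $($f.LastWriteTime))"
        } else { "absent  $path" }
    }
    # Show who may read the log; the article's concern is that it is openly readable
    if (Test-Path -LiteralPath $log) {
        (Get-Acl -LiteralPath $log).Access | ForEach-Object {
            "ACL     $($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))"
        }
    }
    # Running instances (both binary names appear in the article)
    $procs = @(Get-Process -Name MicTray64, MicTray -ErrorAction SilentlyContinue)
    $procs | ForEach-Object { "RUNNING $($_.ProcessName) (PID $($_.Id))" }

    # The article gives no task name, so match tasks on the executable they launch
    $tasks = @(Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'MicTray' })
    $tasks | ForEach-Object { "TASK    $($_.TaskPath)$($_.TaskName) [$($_.State)]" }

    $svc = Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue
    if ($svc) { "SERVICE CxMonSvc: $($svc.Status), start type $($svc.StartType)" }

    # Cleanup needs an elevated prompt; -WhatIf skips both blocks and only reports
    if ($Remove -and $PSCmdlet.ShouldProcess('MicTray binary, log and tasks', 'Remove')) {
        $procs | Stop-Process -Force
        $tasks | Disable-ScheduledTask | Out-Null   # assumption: disable rather than delete
        Remove-Item -LiteralPath $exe, $log -Force -ErrorAction SilentlyContinue
    }
    if ($DisableService -and $svc -and $PSCmdlet.ShouldProcess('CxMonSvc', 'Disable')) {
        Stop-Service -Name CxMonSvc -Force
        Set-Service -Name CxMonSvc -StartupType Disabled
    }
}

Find-MicTrayKeylogger                      # report only, changes nothing
# Find-MicTrayKeylogger -Remove -WhatIf    # preview the cleanup before running it
```

Run it once without switches to see what is present, then again with -Remove or -DisableService from an elevated PowerShell session.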
Why is this bad?
The log file is openly readable, which means any software can access your data. It’s not encrypted in any form. If you have logged into your private email account or have recently entered your credit card details to make a payment, then you can be sure that they have been recorded. Given the massive number of units HP sells, hackers have a pretty good reason to create malware which targets this log file. The folks over at modzero claim to have reached out to HP late last month but are yet to see HP take any action.
Affected HP Products
As per the readme file of the affected driver package, the following HP products are affected.
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC