Keylogger Found in HP Notebook Keyboard Driver

By Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
HP has released driver updates for hundreds of notebook models to remove debugging code that an attacker could have abused as a keylogger component.

The keylogging code was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver that ships with some HP notebook models.

"The logging was disabled by default but could be enabled by setting a registry value," said a security researcher going by the name of ZwClose, who discovered the flaw earlier this year.

The registry keys are:

HKLM\Software\Synaptics\%ProductName%
HKLM\Software\Synaptics\%ProductName%\Default
Malware devs can use this registry key to enable the keylogging behavior and spy on users using native kernel-signed tools, undetectable by security products. All they have to do is to bypass a UAC prompt when tweaking the registry key. There are tens of methods of bypassing UAC prompts currently available.

Just some leftover debugging code
"The keylogger saved scan codes to a WPP trace," said ZwClose. WPP software tracing is a technique used by app developers and is intended for debugging code during development.

After reporting the issue, the researcher said HP devs candidly admitted the keylogging code was a leftover from debugging sessions and "released an update that removes the trace."
...
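The post above names three concrete artefacts on an affected machine: the SynTP.sys driver file, the two HKLM\Software\Synaptics keys under which the trace can be switched on, and (later in the thread) a large log file under ProgramData\Synaptics. The following PowerShell script is an added, read-only audit for those artefacts; it is not code from the article, from HP, from Synaptics or from anyone in the thread. It assumes SynTP.sys is installed under System32\drivers and that the log directory is %ProgramData%\Synaptics; since the article does not name the registry value that enables logging, the script lists every value under both keys for manual review rather than checking a specific one.

```powershell
# Added example, not code from the article, HP or Synaptics. Read-only audit of
# the three artefacts the thread mentions. Run from an elevated PowerShell prompt.
# Assumptions (not stated on the page): SynTP.sys lives in System32\drivers, and
# the log DeepWeb saw is under $env:ProgramData\Synaptics.

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
$synKey     = 'HKLM:\SOFTWARE\Synaptics'
$logDir     = Join-Path $env:ProgramData 'Synaptics'

function Get-SynTPDriverInfo {
    if (-not (Test-Path $driverPath)) {
        return "SynTP.sys not found; this machine does not use the Synaptics touchpad driver."
    }
    $ver = (Get-Item $driverPath).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    # Compare FileVersion with the fixed version HP lists for your model;
    # the thread gives no version number, so none is hard-coded here.
    "SynTP.sys file version {0}; signature {1}; signer {2}" -f $ver.FileVersion, $sig.Status, $sig.SignerCertificate.Subject
}

function Get-SynapticsRegistryValues {
    # The article names HKLM\Software\Synaptics\<ProductName> and its \Default
    # subkey but not the value that switches the WPP trace on, so every value
    # under both keys is listed for manual review.
    if (-not (Test-Path $synKey)) { return @() }
    foreach ($product in Get-ChildItem $synKey) {
        foreach ($key in @($product.PSPath, "$($product.PSPath)\Default")) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider bookkeeping properties PowerShell adds
                if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
                [pscustomobject]@{ Key = ($key -replace '^.*::', ''); Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Get-SynapticsLogFiles {
    # Largest files under ProgramData\Synaptics; a multi-hundred-MB file here is
    # worth opening (on a copy, as suggested in the thread) to see what it records.
    if (-not (Test-Path $logDir)) { return @() }
    Get-ChildItem -Path $logDir -Recurse -File |
        Sort-Object Length -Descending |
        Select-Object -First 10 FullName, @{ Name = 'MB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
}

Get-SynTPDriverInfo
Get-SynapticsRegistryValues | Format-Table -AutoSize
Get-SynapticsLogFiles        | Format-Table -AutoSize
```

Because the trace is enabled by a registry write, the same keys are also a natural place to put a registry SACL or a Sysmon event 13 rule so that any process setting a value under HKLM\Software\Synaptics is logged; the script above only reports current state.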
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Woohoo! I'm affected! I was wondering when it would be my turn. So glad I have always been using anti-keylogger software. You can never be tinfoil hat enough. The other day I noticed a 200 MB log file in the Synaptics folder under ProgramData... I wonder if that's the one.
 

Deleted member 65228

So glad I have always been using anti-keylogger software.
I doubt your anti-keylogger software has a wide-enough scope to prevent the HP vulnerability from being potentially abused for you, considering the HP driver is actually related to the keyboard and thus it would make sense if the device driver for the anti-keylogger software is invoked after the routines in the HP driver are.
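The reply above reasons about where an anti-keylogger's driver sits relative to the vendor driver on the keystroke path. That is something you can inspect rather than guess at: the filter drivers registered on the Windows keyboard device class are recorded in the registry. The script below is an added example, not from the thread or from any vendor; it lists the class-level UpperFilters and LowerFilters on the standard keyboard class GUID and resolves each to its driver service, image path and signature. Whether a given anti-keylogger product (or SynTP.sys) shows up here depends on how it is implemented, which the thread does not establish; per-device filters, set under the device's own Enum key, are not covered.

```powershell
# Added example, not from the thread or any vendor. Lists the class-level filter
# drivers on the Windows keyboard device class and resolves each to its driver
# service so you can see what is actually loaded on the keystroke path.
$kbdClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-KeyboardClassFilters {
    $class = Get-ItemProperty -Path $kbdClass
    # UpperFilters/LowerFilters are REG_MULTI_SZ; entries are attached in the
    # order listed, which fixes their position in the device stack.
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($class.$slot)) {
            if (-not $name) { continue }
            $svcKey = Join-Path $services $name
            $svc   = if (Test-Path $svcKey) { Get-ItemProperty -Path $svcKey } else { $null }
            $image = if ($svc) { $svc.ImagePath } else { '<no service entry>' }
            # Resolve the common ImagePath spellings to an on-disk file and check its signature
            $file = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^system32\\', "$env:SystemRoot\System32\"
            $sig  = if ($file -and (Test-Path $file)) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
            [pscustomobject]@{
                Slot      = $slot
                Filter    = $name
                Start     = if ($svc) { $svc.Start } else { $null }
                ImagePath = $image
                Signature = $sig
            }
        }
    }
}

Get-KeyboardClassFilters | Format-Table -AutoSize
```

On a stock system the keyboard class typically has kbdclass as its upper filter; any additional entry is a third-party driver on the keystroke path and is worth identifying by its signer.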
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Woohoo! I'm affected! I was wondering when it would be my turn. So glad I have always been using anti-keylogger software. You can never be tinfoil hat enough. The other day I noticed a 200 MB log file in the Synaptics folder under ProgramData... I wonder if that's the one.
Get notepad++ and open that file (after making a copy of it) and see what's in it :)
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I just noticed that Windows has already updated me to the latest Synaptics driver that is listed there. So I guess HP made Microsoft push this update to all computers which is good.
The 200 MB log file I had simply logged whether I was using the touchpad and when I stopped using it and what type of gestures I was using. But, it didn't get into any specifics, no keys, no coordinates.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
@Opcode
Hi,
Let's assume my keyboard is already filled with keyloggers.
1- Will the firewall alert if the malware wants to reach the internet and some domains?
2- Can firmware-based malware bypass a third-party firewall?
3- How can I clean my hardware from them?
4- Is there any tool or way to test the hardware for such malware?
Thnx for reading! Pls answer me.
 

Deleted member 65228

1- Will the firewall alert if the malware wants to reach the internet and some domains?
Case-by-case basis. If the malware is running under the scope covered by the firewall then it will still be identified... For example, malicious code executing in the context of user-mode. If your firewall has a white-list then bypass methods could revolve around injecting code into a trusted process -> perform network operations without the firewall caring. That is probably one of the most common FW bypass methods. With weaker firewalls and elevated access you can find ways to potentially manually add custom rules silently as well.

2- Can firmware-based malware bypass a third-party firewall?
Technically yes. Realistically? Not going to happen for you to even worry about what it can or cannot do. The firmware is a much lower level than the Operating System... The OS is at software-level, the firmware is a level beneath the software-level. Without the firmware, the software cannot be used (e.g. the OS cannot start up without the firmware because the firmware starts it up -> BIOS is part of firmware and that is responsible for loading the Master Boot Record into memory for it to be executed which loads the kernel for the OS for an example).

Anyway, good luck using the firmware to bypass a firewall? I am pretty sure you would need to do something like Intel did (which led to the recent vulnerability) where you have another OS executing silently. At that level, you'd have a driver for that silent OS to work the network adapter (installed at hardware-level). I am no firmware engineer so I do not know. You could work the hardware from firmware level of course but that would be a devious task and even then actually making use of it all would just be devious. I think you would more or less have to take the route of a software-level for it to be complete and work (e.g. OS). But I am not sure.

The third-party firewall won't be active before the OS starts and even after the OS has started, the OS does not control what the firmware does. Therefore a software-based firewall cannot do anything in that regard.

Use a hardware firewall if you're worried about such a low-level attack but honestly you don't actually need one... That isn't dependent on the system therefore any connections at all on the network can be filtered. Bear in mind even for such a low-level attack to be possible and really happen, the attacker is still going to need to know the login credentials to a protected network.

3- How can I clean my hardware from them?
Purchase new hardware and replace the hardware currently installed. You still cannot be certain the new hardware is not compromised.

4- Is there any tool or way to test the hardware for such malware?
No...

I don't understand why you're worrying about things like this... 100% unrealistic in the real world.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Thnx for your explanations! You are very helpful :D so changing the hardware is the best way.
 
  • Like
Reactions: vtqhtr413

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
"The logging was disabled by default but could be enabled by setting a registry value,"

So, a malware could potentially enable this? Then the issue is not merely just the keylogger but also whatever malware has infected your PC.

At least it was disabled.
 

ZwClose

New Member
Dec 9, 2017
1
I just noticed that Windows has already updated me to the latest Synaptics driver that is listed there. So I guess HP made Microsoft push this update to all computers which is good.
The 200 MB log file I had simply logged whether I was using the touchpad and when I stopped using it and what type of gestures I was using. But, it didn't get into any specifics, no keys, no coordinates.

Hi, could you share the file? What extension does it have? I really doubt it's the keylogger output but who knows.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Hi, could you share the file? What extension does it have? I really doubt it's the keylogger output but who knows.
It's not the keylogger. I was wrong. It is however another log file that they should probably have turned off....
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Does this affect all HP laptops or just those with windows 10? I'm trying to decide if I should check my mum's laptop.....
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
"The logging was disabled by default but could be enabled by setting a registry value,"

So, a malware could potentially enable this? Then the issue is not merely just the keylogger but also whatever malware has infected your PC.

At least it was disabled.
You are right, this vulnerability could only be exploited if malware succeeded in infecting the system. But it still needed to be patched, because it made the job too easy for malware. This is true of most vulnerabilities that are discovered, as far as I know.
 
  • Like
Reactions: Vasudev and Azure

ForgottenSeer 58943

HP has always made poor quality laptops loaded with bloat.. That aside, a bad week for HP.. First the spyware discovered, now the keylogger.

Of course it was 'only an accident' right? No it wasn't. Considering HP is a contractor for the NSA, CIA and FBI I hardly think it was an accident.
 
