Tech giant points finger of blame squarely at third party developer.
Hewlett Packard has been forced to admit that keylogger software has been present in audio drivers installed in their laptops since 2015. The flaw was discovered by Swiss security research company Modzero.
The keylogging aspect of the driver was never designed to act as a specific spyware tool, but was instead used for testing and prototyping the original software. According to HP, it should have been removed once testing was done.
No Harm, No Foul?
No. The problem with the audio driver keylogger, is that it records all of a users keystrokes and saves the information to a local file, which is then accessible to anyone; literally any third-party software or malware that knows where to look. And that’s a pretty serious oversight.
The saved file is registered to start via a Scheduled Task every time users log into their computers. As well as shipping new laptops with the keylogger audio drivers, HP also released it as a downloadable update in 2015 as well.
The third party firm that designed the software, Conexant, has been blamed for poor design, and poor implementation, and for turning the driver “effectively into keylogging spyware.” Hackers who either knew what to look for, or had they found the stored keylogger files by accident could have used the information to extract passwords, and other sensitive information.
The fix released by HP not only removes the keylogger from the audio driver but deletes the files as well.
“HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs,” said HP. “HP has no access to customer data as a result of this issue. Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version.”