Keylogger in Some HP Laptop Models

HP has been caught leaving a keylogger in a driver for the second time this year. The keylogger is in the keyboard driver SynTP.sys and is disabled by default. The explanation is that the keylogger is left over from when the software developers debug the program they’re developing.

460 HP models since 2012 are affected which you can find that list here.

It’s good news that the keylogger is disabled by default, but an attacker with knowledge of its existence and the right coding skills could activate it through malware deployed through social engineering or by having physical access then exfiltrate the data it collects.

HP responded quickly to the researcher that discovered the developer discrepancy, and shortly after first communication a patch was released that removes the keylogger. The bug was discovered by Michael Myng who goes by “ZwClose.”

You can download the patch here.

The first keylogger of the year was discovered by a Swiss security firm called Modzero that was located in the Conexant HD audio driver package version and earlier. HP has also issued a patch for this bug that was pushed out through Windows Update (this is why it’s important to patch regularly!) and can be found on HP’s website.

This keylogger was not disabled by default and captured each keystroke and stored the data in an unencrypted file in the user’s home directory with the log being overwritten everytime the user logs in. The part of the driver that allows it to interact with other software, an API, allowed malware to “silently capture sensitive data by capturing the user’s keystrokes.”