Leftover Debugger Doubles as a Keylogger on Hundreds of HP Laptop Models

HP released an update that fixes debugger code that could allow an attacker to use a Synaptics Touchpad driver as a keylogger.

HP Inc. released a software update to fix a vulnerability that allows attackers to turn debugging code, accidentally left on hundreds of model laptops, into a keylogger.

Researcher Michael Myng is credited for discovering the vulnerability tied to the use of a Synaptics Touchpad driver. He said in technical write-up outlining the discovery that the debugger feature is disabled by default, but a user with system admin privileges could change Windows registry values and permit keylogger functionality.

HP confirmed the flaw and released an update that removes the offending code identified as a Windows software trace preprocessor (WPP) debugger. HP said more than 460 model laptops are impacted, including laptops that are part of its EliteBook, HP Pavilion and ZBook lines.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability,” HP stated in a security bulletin. HP said neither Synaptics or HP accessed customer data as a result of this issue.

Myng said that the debugging code that could be turned into a keylogger is present in the Synaptics Touchpad SynTP.sys file.

“The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required),” Myng wrote.

WPP trace is a technique used by developers to debug code. By changing the value in the Windows registry, Myng was able to enable a keylogging feature that allowed user keystrokes to be stored locally.

“Sometime ago someone asked me if I can figure out how to control HP’s laptop keyboard backlit. I asked for the keyboard driver SynTP.sys, opened it in IDA and after some browsing noticed a few interesting strings,” Myng said of his discovery.

The software update is available via HP and will also be pushed via Windows Update, according the researcher.

In May,  it was discovered an audio driver that came installed on some HP-manufactured computers recorded users’ keystrokes and stores them in a world-readable plaintext file. The culprit was a version 1.0.0.31 of MicTray64.exe, a program that comes installed with the Conexant audio driver package on select HP machines.

Suggested articles