HP Issues Fix For Keylogger Found On Several Laptop Models (zdnet.com)
HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016. From a report: HP has since rolled out patches to remove the keylogger, which will also delete the log file containing the keystrokes. A spokesperson for HP said in a brief statement: "HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs. HP has no access to customer data as a result of this issue." HP vice-president Mike Nash said on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for newer 2016 and later affected models, with 2015 models receiving patches Friday. He added that the keylogger-type feature was mistakenly added to the driver's production code and was never meant to be rolled out to end-user devices. Nash didn't say how many models or customers were affected, but did confirm that some consumer laptops were affected. He also confirmed that a handful of consumer models that come with Conexant drivers are affected.
Fine. (Score:3)
Re:Fine. (Score:5, Informative)
From what I saw yesterday, the "explanation" is:
1: mediocre programmer guy wants to check the keystrokes that affect volume control, adds a keylogger to the code for debugging
2: poor version control, or a total lack thereof, combined with lack of code review, allows "temporary" debugging keylogger code to become part of and remain enabled in main-line production code
3: someone eventually discovers it and SHTF
In other words, Hanlon's Razor. [wikipedia.org]
Re:Fine. (Score:4, Insightful)
Re:Fine. (Score:5, Insightful)
Re: (Score:2)
Not at all. RMS's comments concern a small subset of the issues that cause problems like this. I can't trust closed source, that's a given. Recent history has shown we can't trust open source either.
Pretty much everyone lacks the means to audit binary releases. In the population of computer users pretty much everyone lacks the technical knowhow and time to audit code even if they had the means to audit the binaries they use.
A perversion of Linus's law: Many eyes gloss over bugs equally.
Re: (Score:2)
The older I get, and the more crap like this that comes up, the closer I get to agreeing with RMS... especially with the windows 10 shenanigans. I've already got a tweaked Ubuntu Linux PC w/ Cinnamon DE that I'm getting accustomed to using for everything but games (Win10 for that, for now)... still... Until gnome/kde/cinnamon all have wayland and vulkan working properly, I'm not going to use Linux as my main machine.
One thing to remember, though is even open source software can be nefarious... and even gr
Re: (Score:3)
Absolutely, and we have to stop reacting with words like "fix", "flaw" and "problematic". This was a serious privacy intrusion on a massive scale. Whether it was some guy up too late on a bad schedule set by his boss Dilbert really doesn't matter. HP published the stuff, Conexant wrote it, they should pay some kind of price.
Re: (Score:1)
A clear demonstration that even mainstream commercial software can't be trusted in some pretty fundamental ways.
You can skip the "mainstream and commercial" part. Software is created by people, people in general make all sorts of stupid mistakes. Software in general can't be trusted.
That's not new. It was the case many years ago when we irradiated and killed people with race conditions. It will forever be the case going forward. It will be a problem in large OSes, and it'll be a problem in small apps and drivers.
Re: (Score:2)
I'm not disagreeing with you. This case seems particularly egregious from a "flaw" standpoint, however. An accident of programming with a race condition in a critical system that ends up killing people is horrible, but that's a high risk environment for software and the outcome is a lot more screening of software in critical applications (that increases the cost of those applications).
This was a complex and apparently functional behavior that could be compromising data that was "accidentally" built in a
Re: (Score:3)
#ifdef DEBUG
    /* insert debug code here */
#endif
Then you can enable/disable all the debug code with a single #define DEBUG statement. But people being lazy, they stick the debug code straight in thinking they'll just remember to comment it out before they ship the end product. Except they forget. QA can't catch this form of laziness because short of reading a
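An added example, not part of the comment above and not HP or Conexant code: a small Python lint that flags debug logging calls in C source sitting outside an `#ifdef DEBUG` guard, the kind of check a build pipeline can run on every commit. The call names `debug_log` and `log_keystroke` and the sample source are hypothetical.

```python
import re

# Hypothetical names of debug-only calls that must never reach a release build.
DEBUG_CALLS = re.compile(r"\b(debug_log|log_keystroke)\s*\(")
DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b(.*)$")
IF_DEFINED_DEBUG = re.compile(r"\s*defined\s*\(?\s*DEBUG\s*\)?\s*")


def opens_debug_guard(kind, rest):
    """True if this directive starts a branch compiled only when DEBUG is defined."""
    if kind == "ifdef":
        return rest.split()[:1] == ["DEBUG"]
    if kind == "if":
        return IF_DEFINED_DEBUG.fullmatch(rest) is not None
    return False  # #ifndef and anything else is treated as a release branch


def find_unguarded(source):
    """Return (line number, text) for each debug call outside a DEBUG guard."""
    stack = []     # one flag per open conditional: True = DEBUG-only branch
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind, rest = m.groups()
            if kind in ("if", "ifdef", "ifndef"):
                stack.append(opens_debug_guard(kind, rest))
            elif kind in ("else", "elif") and stack:
                stack[-1] = False  # conservative: later branches count as release
            elif kind == "endif" and stack:
                stack.pop()
            continue
        if DEBUG_CALLS.search(line) and not any(stack):
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample: a volume hotkey handler with guarded and unguarded logging.
SAMPLE = """\
static void on_hotkey(int scancode) {
#ifdef DEBUG
    debug_log("guarded: %d", scancode);
#endif
    debug_log("unguarded: %d", scancode);
#if defined(DEBUG)
    debug_log("guarded again");
#else
    debug_log("release branch");
#endif
    adjust_volume(scancode);
}
"""

if __name__ == "__main__":
    for lineno, text in find_unguarded(SAMPLE):
        print(f"line {lineno}: debug call outside DEBUG guard: {text}")
```

The check is deliberately conservative: a debug call in the `#else` of an `#ifndef DEBUG` is reported too, so a finding means "review this line" rather than "this ships".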
Re: (Score:2)
In other words, Hanlon's Razor. [wikipedia.org]
Hanlon's Razor doesn't explain the employees who worked at Mozilla, Cisco, RSA, etc. and weakened products for nation-state interests.
Re: (Score:2)
HP Issues Fix For Keylogger Found On Several Laptop Models
More like "HP Issues Fix For Keylogger SECRETLY INSTALLED On Several Laptop Models"
Wipe it (Score:2)
Re: (Score:3, Informative)
The driver containing the keylogger was distributed by Windows Update. Unless you deactivated driver loading from Windows Update, your wiped laptop is also affected.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
So I googled that for you...
https://support.hp.com/us-en/d... [hp.com]
And if it's the TLDR thing then here is the relevant bit
Re: (Score:2)
"Well I did mention links with some kind of proof"
Everyone and their fucking mother knows big-brand hardware manufacturers have distributed vendor-specific driver patches through Windows Update since Windows 98 - almost 20 fucking years ago.
And then you went ahead and looked it up yourself after demanding proof - which you should have done in the first place instead of looking like a child wanting a handout. We're in the age where the summation of mankind's knowledge is almost constantly at our fingertips.
Re: (Score:2)
Re: (Score:3)
Because it is a driver, and Microsoft writes as few of those as it can.
Re: (Score:2)
Why the fuck would Microsoft be distributing HP's software?
Because Joe Sixpack finds himself having to reinstall Windows fairly often to fix issues, and many computers today don't come with proper install discs, or generic ones that don't automate the installation of drivers for the hardware specific to the model of computer. So you end up with "drivers and utilities" CDs that don't make it clear which of their many drivers you need, or you have to go to the manufacturer's site to get the drivers you need -- a process beyond the technical abilities of a large porti
Re: (Score:2)
Format drive and install one of the following operating systems:
There have been a large number of more or less obscure operating systems and not all have been ported to x86. Unfortunately the architecture has become a de facto standard even though it's not the best architecture or
Re: (Score:2)
x86 is just a small translator circuitry between the code and a very powerful and efficient RISC processor.
All it does in practice is act like a code compression of sorts.
Re: (Score:2)
Re: (Score:2)
Never ever do a reinstall on your only available computer.
Re: (Score:2)
Same, but Windows 8/8.1
I have precisely three drivers listed in my WDS driver packages.
One is for an IBM BladeCenter SAS RAID controller that blue-screens with the default Windows one (so all the blades have to start using that driver from the very first boot or they will blue-screen, even if you push updates later).
Two for gigabit-network cards that aren't covered by plain Windows install disk / WDS installs (purely to kick-start them being able to get out to Windows Update and download a better driver and
Re: (Score:2)
I really love all the people calling Trump insane... Pot meet kettle.. Trump is the most sane President we've had in my lifetime (67 years old)... There sure are a LOT of completely unhinged people out there.. I pray to God daily for President Trump's safety...
Flaw? (Score:1)
A fully functioning keylogger is a flaw?
Patch in Question (Score:2)
Is it just me, or is this patch that difficult to find? I know google is my friend, but this is just sad.
Re: (Score:3)
It's the "Conexant HD Audio Driver", downloadable from the HP driver website for your model.
Re: (Score:2)
Duh. Guess I needed another cup of coffee.
Thanks!
"Keylogger issue" makes it sound like a random bug (Score:2)
A fix? (Score:2)
In Soviet Russia.... (Score:2)
... MP3 rip you!
Nobody? (Score:2)