Modzero, a security firm in Switzerland, has discovered a Conexant keylogger pre-installed on certain laptop models. It’s an audio driver located in the Windows system folder. This driver automatically loads every time a user logs in. Affected models include the HP EliteBook, ProBook, and ZBook lines, among them the newest Folio G1.
ZDNet reports that the audio driver is from Conexant Systems, Inc., versions 1.0.0.46 and higher. Any entity (person or malware) with access to the user’s files on one of these models can see passwords, visited web pages, private messages, and more. Modzero says that the keylogger monitors “all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkey.”
The keystrokes are logged into an unencrypted log file which is stored in the user’s home directory. It is overwritten after every login. If the log file doesn’t exist, the audio driver’s API can let malware capture the keystrokes instead.
Timeline
- 2017-04-28: Vulnerability has been discovered in MicTray64 version 1.0.0.31 / Thu Dec 24 08:35:35 2015
- 2017-04-28: Vendor Conexant contacted (Email)
- 2017-04-29: Higher impact has been discovered in most recent MicTray64 version 1.0.0.46 / Tue Oct 11 10:56:13 2016
- 2017-04-30: CVE-2017-8360 has been assigned to this vulnerability.
- 2017-05-01: Contacted Hewlett-Packard Enterprise security advisor with detailed description of the problem.
- 2017-05-02: Contacted vendor Conexant via Twitter
- 2017-05-05: Sent technical information to HPE security contact. Informed HPE about releasing the advisory on Monday 8th of May in case we don’t get any feedback on our report.
- 2017-05-05: Received some notes from HPE after sending technical information. They tried to reach security folks at HP Inc. to gain attention.
- 2017-05-11: Release of the advisory
Further Details
You can visit Modzero’s security advisory for the full list of affected laptops and versions of Windows. A snippet of the keylogger’s hexadecimal code was posted on Twitter:
Additionally, an anonymous security researcher contacted ZDNet and confirmed the advisory. For now, Modzero says that deleting MicTray64.exe should solve the Conexant keylogger issue until an official security patch is released.
How to Delete MicTray64.exe
MicTray64 is the Windows process from Conexant. It may cause issues with your laptop’s microphone, but that’s better than having your private data stolen. Modzero gives a method:
All users of HP computers should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore. However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.
Be careful while you’re in System32 and don’t delete anything else.
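As an added example (not code from the article, Modzero, HP or Conexant), here is a PowerShell script that performs the check above on the exact paths the advisory names and, only when run with -Remediate, renames the executables and deletes the log. The -Remediate switch and the ".disabled" suffix are this script's own assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: check an HP laptop for the Conexant MicTray components named in
# Modzero's advisory. Without -Remediate it only reports; with -Remediate it
# renames the executables (reversible, unlike deletion) and deletes the log.
# The ".disabled" suffix is an assumption of this script, not from the advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# Paths from the advisory: the two executables and the plaintext keystroke log.
$exes = @(
    "$env:SystemRoot\System32\MicTray64.exe",
    "$env:SystemRoot\System32\MicTray.exe"
)
$log = 'C:\Users\Public\MicTray.log'

$findings = @()

foreach ($exe in $exes) {
    if (Test-Path -LiteralPath $exe) {
        # Report the file version so it can be compared with the versions the
        # advisory mentions (1.0.0.31 and 1.0.0.46).
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $findings += [pscustomobject]@{ Kind = 'executable'; Path = $exe; Detail = "version $ver" }
        if ($Remediate -and $PSCmdlet.ShouldProcess($exe, 'Rename')) {
            # The process loads at every login; stop it first or the rename fails.
            $name = [IO.Path]::GetFileNameWithoutExtension($exe)
            Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
            Rename-Item -LiteralPath $exe -NewName ((Split-Path -Leaf $exe) + '.disabled')
        }
    }
}

if (Test-Path -LiteralPath $log) {
    # The log is unencrypted and may hold passwords; report its size, then remove it.
    $size = (Get-Item -LiteralPath $log).Length
    $findings += [pscustomobject]@{ Kind = 'keystroke log'; Path = $log; Detail = "$size bytes" }
    if ($Remediate -and $PSCmdlet.ShouldProcess($log, 'Delete')) {
        Remove-Item -LiteralPath $log -Force
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MicTray executables or MicTray.log found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Renaming rather than deleting keeps the change reversible if the special function keys stop working, and -WhatIf shows what -Remediate would change without touching System32.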