HP responds to laptop keylogger fiasco, promises ‘fix shortly’

HP has responded to anger over the revelation that some of its laptops were shipping with built-in keyloggers.

Swiss infosec firm ModZero recently highlighted how some HP machines had audio drivers that could log the keystrokes of users. The intention was for the software to detect if a particular key had been pressed, but due to a design flaw, the driver actually captured every single keystroke.

Eventually, the driver was updated so that every single keypress was written to a file stored locally on the system. This file was wiped when you logged out of your machine, but any system that creates regular backups could be inadvertently creating a permanent record of every keystroke you’ve ever made.

Keyloggers are often used by hackers to steal private information, which is why any use of the software – no matter how benign – is quite sensitive.

“A keylogger is a piece of software for which the case of dual-use can rarely be claimed,” the ModZero blog reads. “This means there are very few situations where you would describe a key logger that records all keystrokes as ‘well-intended’.”

The affected notebooks are as follows:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

In a statement given to TrustedReviews, an HP spokesperson said: “HP is committed to the security and privacy of its customers and we are aware of the key logger issue on select HP PCs. HP has no access to customer data as a result of this issue. Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version. Fixes will be available shortly via HP.com.”

It’s worth noting that although HP devices are affected, the software was actually developed by audio chip maker Conexant. That’s why it’s not a clear-cut case of who screwed up. Regardless, this appears to be more a case of incompetence than malice, as our Computing Editor Michael Passingham explains:

“HP hasn’t done anything malicious here, but the software in question is deeply insecure and could easily be used to pull out passwords and other confidential information with very little effort.”

“It reminds me of the Lenovo Superfish debacle from a couple of years ago, and highlights the inherent weaknesses in the world of Windows hardware. In short: any software can come pre-installed and most users don’t understand how it works.”

“If the Conexant software does what’s been claimed — I don’t have a device to test it on — I would recommend users seek out official advice from HP or Conexant.”
