
HP Audio Driver Exposes Real-time Keystrokes via Local API

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today, reports BleepingComputer.com.

This one is particularly interesting because its default behavior is to log locally to a file; if that file doesn’t exist or can’t be written to, it falls back to the API stream, which, with a little crafty interception, could allow real-time capture of a user’s keystrokes, including usernames and passwords, URLs visited, email contents, etc.

Obviously, this presents a huge security risk for enterprise-class HP customers, as the majority of the models impacted by the vulnerability are intended for corporate environments. HP has yet to confirm or comment on the matter.

As for how to mitigate the risk, there are a variety of methods, including an SCCM Security Compliance Baseline with remediation, blacklisting the executable (in this case, “MicTray64.exe”), a software restriction group policy that blocks it, PowerShell… you get it – the list goes on and on. Right?

So, identifying the systems potentially impacted by this vulnerability across the 17 different Microsoft operating systems involved is the bigger challenge. To that end, I’ve provided a simple SCCM query to build a collection of systems based upon the 28 models called out in modzero’s research. I’m monitoring this vulnerability through multiple alert channels and will update the collection query as new data emerges.

If you find this post helpful, please consider sharing so others may be able to help protect their organizations as well. Thank you!

{UPDATE} 12-May-2017 22:01

Updated the WQL to reflect comments by G. Sweeney. Thank you!

{UPDATE} 11-May-2017 22:01

Due to a formatting error, the collection query provided below has been corrected. No new models have been added, but there is now an option to download the MOF file.

SCCM Collection Query for Specific (HP) Hardware Models:

Click here to download the MOF.

select
SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on 
SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 820 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 840 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 828 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 848 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 850 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 640 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 650 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 645 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 655 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 450 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 430 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 440 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 446 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 470 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 455 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 725 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 745 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 755 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 1030 G1%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 15u G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 Tablet%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 with Travel Keyboard%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 Advanced Keyboard%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook Folio 1040 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 17 G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 15 G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook Studio G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook Folio G1%"
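Once the collection exists, the compliance-baseline route mentioned above needs a discovery script. The following is an added example, not code from the original post, modzero or HP: an SCCM configuration-item discovery script that reports "Non-Compliant" when the machine is one of the 28 models in the query above and MicTray64.exe is currently running. The baseline wiring and the matching remediation script (for example one that stops the process, or an SRP/AppLocker rule) are assumed and not shown.

```powershell
# Added example (not from the original post, modzero or HP): SCCM CI
# discovery script. Expected value in the CI is the string "Compliant".
# The compliance-baseline setup and any remediation script are assumed.

# The same 28 models as the WQL collection query above.
$AffectedModels = @(
    'EliteBook 820 G3', 'EliteBook 840 G3', 'EliteBook 828 G3', 'EliteBook 848 G3',
    'EliteBook 850 G3', 'ProBook 640 G2', 'ProBook 650 G2', 'ProBook 645 G2',
    'ProBook 655 G2', 'ProBook 450 G2', 'ProBook 430 G2', 'ProBook 440 G2',
    'ProBook 446 G2', 'ProBook 470 G2', 'ProBook 455 G2', 'EliteBook 725 G3',
    'EliteBook 745 G3', 'EliteBook 755 G3', 'EliteBook 1030 G1', 'ZBook 15u G3',
    'Elite x2 1012 G1 Tablet', 'Elite x2 1012 G1 with Travel Keyboard',
    'Elite x2 1012 G1 Advanced Keyboard', 'EliteBook Folio 1040 G3',
    'ZBook 17 G3 Mobile', 'ZBook 15 G3 Mobile', 'ZBook Studio G3 Mobile',
    'EliteBook Folio G1'
)

function Test-AffectedModel {
    param([string]$Model)
    foreach ($m in $AffectedModels) {
        # Substring match, mirroring the WQL "like '%...%'" clauses.
        if ($Model -like "*$m*") { return $true }
    }
    return $false
}

function Get-MicTrayState {
    # Reads the hardware model from WMI and checks whether MicTray64 is running.
    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    $proc  = Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Model          = $model
        AffectedModel  = Test-AffectedModel -Model $model
        MicTrayRunning = [bool]$proc
    }
}

$state = Get-MicTrayState
if ($state.AffectedModel -and $state.MicTrayRunning) {
    # SCCM compares this output with the CI's expected value.
    'Non-Compliant'
} else {
    'Compliant'
}
```

The script only flags the helper while it is running; pair it with the executable blacklist or software restriction policy from the mitigation list so the finding is also remediated, not just reported.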
1 thought on “HP Audio Driver Exposes Real-time Keystrokes via Local API”

  • Fixes to this problem will arrive via Windows Update on the affected laptops. A fix for laptops released in 2016 was added to Windows Update on May 11, while a fix for laptops released in 2015 is set to arrive on May 12.
