HP releases Synaptics driver update that removes disabled keylogger

Martin Brinkmann
Dec 10, 2017
Updated • Jan 4, 2018
Misc, Security

HP released updates for Synaptics touchpad drivers recently for HP notebooks that removes a disabled keylogger from the driver.

Again, HP? A security researcher disclosed on GitHub that he discovered a keylogger in the keyboard driver of HP notebooks. While deactivated by default, anyone with elevated access to the machine could enable the logging of keyboard input by setting Registry values.

The discovery happened by accident according to the researcher as he was analyzing the keyboard driver to find out how the keyboard's backlit was controlled. A check in IDA, a cross-platform disassembler and debugger revealed a format string for a keylogger. Further analysis confirmed the assumption, and that the keylogger was not active by default.

hp notebook keylogger

It did however check locations in the Registry, and the researcher assumed that the correct values would activate the keylogger on the device. Assumed, because it was not possible to test the theory without a HP notebook that had the driver installed.

The Registry locations are:

  • HKLM\Software\Synaptics\SynTP
  • HKLM\Software\Synaptics\SynTP\Default
  • HKLM\Software\Synaptics\PointerPort
  • HKLM\Software\Synaptics\PointerPort\Default

HP did confirm the issue when contacted about it though and stated that it was a debug trace. The company released a list of affected notebooks and driver updates for these notebooks that resolve the issue by removing the trace from the driver.

HP customers who use one of the affected notebooks are asked to download the updated driver and install it on machines affected by the issue. The HP support page lists business and consumer notebooks affected by the issue.

Affected notebooks include HP G4, G5 and G6 devices, EliteBook and Elitebook Folio devices, HP mt* thin clients, HP ProBook laptops , HP zBook mobile workstations, various Compaq notebooks, HP 15* and HP17* notebooks, HP ENVY devices, and HP Pavilion and Omen devices.

Basically, if you own a HP notebook or use one at work, search for it on the HP support page to find out if a driver update for it is available.

According to the researcher, the update is also distributed via Windows Update.

This is not the first issue of its kind that HP had to deal with this year. In April, researchers discovered a vulnerability in HP audio drivers that recorded all keystrokes made by the user and reacted to functions concerning the microphone, and dumped the data in a publicly accessible folder in the file C:\Users\Public\MicTray.log.

HP has been in the news last month as well when customers of HP products started to report signs of a Telemetry service.

Closing Words

I'm not sure what to make of all of this. It is bad quality controlling over at HP that is causing all these issues? (via Born)

Now You: Are you affected by the issue? What's your take on this?

HP releases Synaptics driver update that removes disabled keylogger
Article Name
HP releases Synaptics driver update that removes disabled keylogger
HP released updates for Synaptics touchpad drivers recently for HP notebooks that removes a disabled keylogger from the driver.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Rush said on December 12, 2017 at 3:34 pm

    When I bought a second laptop a year ago,HP… it had Win10 on it…I experimented and had a look around. I soon noted the Synaptic program, and after a bit of research, I observed the program was not essential to the system. I stopped and disabled the program in services. A couple of days later, I noted it running in task manger. It was back. I wiped then installed Win8.1 (I as planning to anyway)and the program has not returned.

  2. gruntas said on December 12, 2017 at 11:26 am

    Anyone has found out which drivers distributed through Windows Update(not HP) solve this issue?

  3. hoho said on December 12, 2017 at 7:38 am

    Those who keep scolding the Chinese and Russian companies should open their fxxxing eyes on what now your great US companies are keep spying and, shutup.

  4. I'd like to interject here said on December 11, 2017 at 6:05 pm

    This is a proprietary driver.
    For a proprietary OS.

    Debian has xserver-xorg-input-synaptics with it’s own rules , stricter than Windows where services run with system privileges.

    You are User or Admin, but System is above in terms of power.

    Use Open Source FOSS GNU/Linux for complete freedom.

  5. 3N0x said on December 11, 2017 at 5:50 pm

    Do Not believe
    Uncle Sam who claims that
    *only* Kaspersky is evil…


  6. bugsy said on December 11, 2017 at 3:23 am

    This is only for Win drivers? Linux user with HP notebooks not effected?

  7. Corporate Death said on December 10, 2017 at 5:51 pm

    Synaptics drivers are on every single laptop I own. A huge backdooring effort by some THREE LETTER AGENCY for you to be spied upon.

    1. seeprime said on December 10, 2017 at 8:15 pm

      Not every backdoor is installed as a for to the NSA or FBI. I suspect most are done to gather data to aid in targeted advertising efforts, both by the OEM and by selling the collected data to others.

      1. -=Agent Smith=- said on December 11, 2017 at 5:54 pm

        Not every backdoor is NSA. Right, so let’s imagine this is NOT such case:

        OEM and HP have some advertising efforts. OK, that means they want to fingerprint your PC. This means a connection every time the PC is online, as any cloud AV.

        But this case is different. A backdoored service like this SYNAPTICS one means that, once activated, it logs your keyboard typing and stores/sends the content. That’s far from malvertising. That’s worst, we are in THREE LETTER AGENCIES afforts here.

      2. N$A Luvs U said on December 11, 2017 at 1:00 am

        HP is a US government contractor for the “intelligence community” and the military. If you think this is another conspiracy theory Google “HP federal contracts” yourself. Google heh… another arm of the CIA. When are people going to wake up? The global “police state” is real, all the major governments are spying on you, but it is primarily US tech companies that are getting away with completely illegal mass spying.

  8. Anonymous said on December 10, 2017 at 5:27 pm

    The timeline seems odd:

    1) 12/08/17: News articles appear on Bleeping Computer and other sites
    2) 11/07/17: HP security bulletin c05827409 at https://support.hp.com/us-en/document/c05827409 is released
    3) 08/25/17: Release date for sp81891 fix (the most common SoftPaq fix for this issue)

    Is this due to responsible disclosure? When was the problem first reported to (or discovered by) HP?

    Also, the “Fix and enhancements” section for the sp81891 driver simply states “Provides the latest update.” For example:

    1) Go to https://support.hp.com/us-en/
    2) Search on a product name (e.g., 17-p000)
    3) Click on Software and Drivers
    4) Click on the “Click here” link to view all available drivers for this product
    5) Expand the Driver-Keyboard, Mouse and Input devices category
    6) Click on the entry for Synaptics TouchPad Driver Rev.A
    7) Click on Details

    Short of reverse engineering, is there any quick and easy way for mere mortals to verify that the keylogging code has actually been removed from the replacement SynTP.sys driver?

    1. Diff Man said on December 11, 2017 at 6:07 pm

      “diff” the old SynTP and the the new one. Enjoy the “diff”.

  9. T J said on December 10, 2017 at 4:35 pm

    T J

    I have an HP 250 G4. I downloaded the update from HP. It was shown as 181MB download. I started to download the update and, after three attempts, the downloads were 43,2, 46.3 and 44.6 MB. Out of curiosity, I tried to run the .exe files and Windows reported that all three were corrupted and aborted the install. So much for the fix !! :((

    NB I did a Registry Search and the following do NOT show in Regedit:


    1. Corporate Death said on December 10, 2017 at 5:53 pm

      Your browser has failed the download. I met the same issue with old versions of browsers which aren’t FIREFOX CHROME or OPERA. These ones seem to be the favourites by some sites to allow downloads. A bad idea to force the customer to update to a newest version.

      1. CW said on December 12, 2017 at 10:37 pm

        I tried it with Firefox Quantum 57.0 and the file doesn’t download on that either.

      2. Diff Man said on December 11, 2017 at 6:08 pm

        Hi T J. I had problems with FF ESR on sites like soundcloud.

      3. T J said on December 10, 2017 at 6:25 pm

        Hi Corporate Death. I am using FF 52.5 ESR and I have never had a download failure before. I forgot to mention that I left about 2 hours between the download attempts in case it was a hiccup on the HP Servers.
        I have logged a complaint with HP Support.
        Perhaps Father Christmas will deliver a fix :))

  10. Ben said on December 10, 2017 at 4:06 pm

    Do you automatically get the update through windows update?
    I recently had to manually force a driver update (via ms servers) for one device. But it was not offered with the normal (security) updates.

  11. archie said on December 10, 2017 at 3:56 pm

    I was not aware of this backdoor. Willingly infecting one’s products denotes an awful hostility towards one’s customers…

    When the infamous Sony rootkit was revealed -that was Sony infecting PC’s with audio CD from their record subsidiaries- my reaction was to start a Sony boycott that I still enforce today. Now that I am in the market for a new mobile PC, I will make certain to avoid this brand for this purchase and subsequent ones.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.