HP releases Synaptics driver update that removes disabled keylogger
HP recently released updates for the Synaptics touchpad drivers on HP notebooks that remove a disabled keylogger from the driver.
Again, HP? A security researcher disclosed on GitHub that he discovered a keylogger in the keyboard driver of HP notebooks. While deactivated by default, anyone with elevated access to the machine could enable the logging of keyboard input by setting Registry values.
The discovery happened by accident according to the researcher, as he was analyzing the keyboard driver to find out how the keyboard's backlight was controlled. A check in IDA, a cross-platform disassembler and debugger, revealed a format string for a keylogger. Further analysis confirmed the assumption, and that the keylogger was not active by default.
It did however check locations in the Registry, and the researcher assumed that the correct values would activate the keylogger on the device. Assumed, because it was not possible to test the theory without an HP notebook that had the driver installed.
The Registry locations are:
- HKLM\Software\Synaptics\SynTP
- HKLM\Software\Synaptics\SynTP\Default
- HKLM\Software\Synaptics\PointerPort
- HKLM\Software\Synaptics\PointerPort\Default
HP did, however, confirm the issue when contacted about it and stated that it was a debug trace. The company released a list of affected notebooks and driver updates for these notebooks that resolve the issue by removing the trace from the driver.
HP customers who use one of the affected notebooks are asked to download the updated driver and install it on machines affected by the issue. The HP support page lists business and consumer notebooks affected by the issue.
Affected notebooks include HP G4, G5 and G6 devices, EliteBook and EliteBook Folio devices, HP mt* thin clients, HP ProBook laptops, HP zBook mobile workstations, various Compaq notebooks, HP 15* and HP 17* notebooks, HP ENVY devices, and HP Pavilion and Omen devices.
Basically, if you own an HP notebook or use one at work, search for it on the HP support page to find out if a driver update for it is available.
According to the researcher, the update is also distributed via Windows Update.
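A read-only audit of the four Registry locations listed above, the installed driver file, and the log file from the April audio driver issue, as an added example that is not from the researcher, HP or this article. The article does not name the values that would enable the trace, so the script lists every value it finds; the driver path under System32\drivers is an assumption (the standard location for kernel drivers).

```powershell
# Added example: run in a 64-bit, elevated PowerShell session. Nothing is modified.

# Registry locations the driver checks, as listed in the article.
$keys = @(
    'HKLM:\Software\Synaptics\SynTP',
    'HKLM:\Software\Synaptics\SynTP\Default',
    'HKLM:\Software\Synaptics\PointerPort',
    'HKLM:\Software\Synaptics\PointerPort\Default'
)

$registryReport = foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $item = Get-Item -LiteralPath $key
        $names = $item.GetValueNames()
        if ($names.Count -eq 0) {
            [pscustomobject]@{ Key = $key; Present = $true; Name = '(no values)'; Type = $null; Value = $null }
        }
        foreach ($name in $names) {
            # List every value: the page does not say which ones enable the trace.
            [pscustomobject]@{
                Key     = $key
                Present = $true
                Name    = $name
                Type    = $item.GetValueKind($name)
                Value   = $item.GetValue($name)
            }
        }
    } else {
        [pscustomobject]@{ Key = $key; Present = $false; Name = $null; Type = $null; Value = $null }
    }
}
$registryReport | Format-Table -AutoSize -Wrap

# Installed driver file (assumed path). Compare FileVersion with the version
# HP lists for your model on its support page.
$driver = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
if (Test-Path -LiteralPath $driver) {
    [pscustomobject]@{
        File        = $driver
        FileVersion = (Get-Item -LiteralPath $driver).VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $driver -Algorithm SHA256).Hash
        Signature   = (Get-AuthenticodeSignature -FilePath $driver).Status
    } | Format-List
} else {
    "SynTP.sys not found at $driver"
}

# Log file written by the HP audio driver issue reported in April.
$micTray = 'C:\Users\Public\MicTray.log'
"MicTray.log present: $(Test-Path -LiteralPath $micTray)"
```

Recording the SHA256 before and after installing the update shows whether the driver file was actually replaced.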
This is not the first issue of its kind that HP had to deal with this year. In April, researchers discovered a vulnerability in HP audio drivers that recorded all keystrokes made by the user and reacted to functions concerning the microphone, and dumped the data in a publicly accessible folder in the file C:\Users\Public\MicTray.log.
HP was in the news last month as well when customers of HP products started to report signs of a Telemetry service.
Closing Words
I'm not sure what to make of all of this. Is it bad quality control over at HP that is causing all these issues? (via Born)
Now You: Are you affected by the issue? What's your take on this?
When I bought a second laptop a year ago, HP… it had Win10 on it… I experimented and had a look around. I soon noted the Synaptic program, and after a bit of research, I observed the program was not essential to the system. I stopped and disabled the program in services. A couple of days later, I noted it running in task manager. It was back. I wiped then installed Win8.1 (I was planning to anyway) and the program has not returned.
Has anyone found out which drivers distributed through Windows Update (not HP) solve this issue?
Those who keep scolding the Chinese and Russian companies should open their fxxxing eyes to the fact that now your great US companies keep spying, and shut up.
This is a proprietary driver.
For a proprietary OS.
Debian has xserver-xorg-input-synaptics with its own rules, stricter than Windows where services run with system privileges.
You are User or Admin, but System is above in terms of power.
Use Open Source FOSS GNU/Linux for complete freedom.
Do Not believe
Uncle Sam who claims that
*only* Kaspersky is evil…
:)
Is this only for Win drivers? Are Linux users with HP notebooks not affected?
Synaptics drivers are on every single laptop I own. A huge backdooring effort by some THREE LETTER AGENCY for you to be spied upon.
Not every backdoor is installed as a favor to the NSA or FBI. I suspect most are done to gather data to aid in targeted advertising efforts, both by the OEM and by selling the collected data to others.
Not every backdoor is NSA. Right, so let’s imagine this is NOT such case:
OEM and HP have some advertising efforts. OK, that means they want to fingerprint your PC. This means a connection every time the PC is online, as any cloud AV.
But this case is different. A backdoored service like this SYNAPTICS one means that, once activated, it logs your keyboard typing and stores/sends the content. That’s far from malvertising. That’s worse, we are in THREE LETTER AGENCIES efforts here.
HP is a US government contractor for the “intelligence community” and the military. If you think this is another conspiracy theory Google “HP federal contracts” yourself. Google heh… another arm of the CIA. When are people going to wake up? The global “police state” is real, all the major governments are spying on you, but it is primarily US tech companies that are getting away with completely illegal mass spying.
The timeline seems odd:
1) 12/08/17: News articles appear on Bleeping Computer and other sites
2) 11/07/17: HP security bulletin c05827409 at https://support.hp.com/us-en/document/c05827409 is released
3) 08/25/17: Release date for sp81891 fix (the most common SoftPaq fix for this issue)
Is this due to responsible disclosure? When was the problem first reported to (or discovered by) HP?
Also, the “Fix and enhancements” section for the sp81891 driver simply states “Provides the latest update.” For example:
1) Go to https://support.hp.com/us-en/
2) Search on a product name (e.g., 17-p000)
3) Click on Software and Drivers
4) Click on the “Click here” link to view all available drivers for this product
5) Expand the Driver-Keyboard, Mouse and Input devices category
6) Click on the entry for Synaptics TouchPad Driver 19.3.31.31 Rev.A
7) Click on Details
Short of reverse engineering, is there any quick and easy way for mere mortals to verify that the keylogging code has actually been removed from the replacement SynTP.sys driver?
“diff” the old SynTP and the new one. Enjoy the “diff”.
T J
I have an HP 250 G4. I downloaded the update from HP. It was shown as a 181MB download. I started to download the update and, after three attempts, the downloads were 43.2, 46.3 and 44.6 MB. Out of curiosity, I tried to run the .exe files and Windows reported that all three were corrupted and aborted the install. So much for the fix !! :((
NB I did a Registry Search and the following do NOT show in Regedit:
HKLM\Software\Synaptics\PointerPort
HKLM\Software\Synaptics\PointerPort\Default
Your browser has failed the download. I met the same issue with old versions of browsers which aren’t FIREFOX CHROME or OPERA. These ones seem to be the favourites by some sites to allow downloads. A bad idea to force the customer to update to a newest version.
I tried it with Firefox Quantum 57.0 and the file doesn’t download on that either.
Hi T J. I had problems with FF ESR on sites like soundcloud.
Hi Corporate Death. I am using FF 52.5 ESR and I have never had a download failure before. I forgot to mention that I left about 2 hours between the download attempts in case it was a hiccup on the HP Servers.
I have logged a complaint with HP Support.
Perhaps Father Christmas will deliver a fix :))
Do you automatically get the update through Windows Update?
I recently had to manually force a driver update (via MS servers) for one device. But it was not offered with the normal (security) updates.
I was not aware of this backdoor. Willingly infecting one’s products denotes an awful hostility towards one’s customers…
When the infamous Sony rootkit was revealed (that was Sony infecting PCs with audio CDs from their record subsidiaries) my reaction was to start a Sony boycott that I still enforce today. Now that I am in the market for a new mobile PC, I will make certain to avoid this brand for this purchase and subsequent ones.