
Keylogger in Hewlett-Packard Audio Driver - ge0rg
https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html
======
userbinator
_Actually, the purpose of the software is to recognize whether a special key
has been pressed or released._

I'm doubtful of the utility of software like this. Every driver and
application seems to want to keep a persistent background process running, and
because of the natural inefficiency of software (this executable is ~2MB ---
why it needs to be this big, I'm not certain; from a brief inspection, all it
seems to be doing is controlling microphone mute/unmute), results in a huge
waste of resources and new computers which appear no more responsive than
older ones.

However, to put the severity of this problem in perspective, from the
description this is not like a typical keylogger that sends keystrokes out to
some remote server; it only logs locally.

 _If you regularly make incremental backups of your hard-drive - whether in
the cloud or on an external hard-drive – a history of all keystrokes of the
last few years could probably be found in your backups._

There's going to be plenty of _other_ sensitive information in your backups,
which if you don't want others to read you would use encryption anyway, in
which case the point is rather moot.

 _Any process that is running in the current user-session and therefore able
to monitor debug messages, can capture keystrokes made by the user._

...or it could just monitor the keystrokes itself with SetWindowsHookEx() like
this process.

Thus, I think the correct reaction to this is more towards the "oops... that
wasn't a good idea" than "everybody panic!"

~~~
qeternity
> There's going to be plenty of other sensitive information in your backups,
> which if you don't want others to read you would use encryption anyway, in
> which case the point is rather moot.

This is a bit of a strawman. When you're backing things up, you know what
you're backing up and chose to do so. Here you'd be backing up things that you
didn't want to, or even worse, things you'd never want to be backed up anyway.
If someone gets into my backups, maybe they can see some family photos or
financial data...but they wouldn't otherwise be able to see all the porn
searches I do in incognito mode. With this, they could potentially access that
as well.

~~~
rapind
I think Windows actually has a built in "Backup Computer" feature, which AFAIK
is a complete image backup. A lot of the cloud backup products do entire
computer too (like Time Machine does for OSX). The convenience factor of a
system backup for a non-technical user (someone who struggles with
explorer.exe) is pretty great.

That being said, keylogging is just plain horrible and inexcusable. Passwords,
searches, private messages, etc. There's no way we should be cutting them
slack on this.

The worst part is, it's crapware like this that steers us towards the walled
app store model for PCs... and the loss of freedom that accompanies that.

Every time I hear of stuff like this I gain more respect for Stallman.

------
amluto
One thing I really like about Linux: random platform-specific hardware
features like the mic button or whatever this is are handled by an open source
"platform" driver in the kernel. These drivers expose a more or less uniform
interface to user code.

So, when I install Linux on a laptop, most or all of the weird laptop-specific
buttons just work without OEM crapware or runtime performance hits.

The downside, of course, is that you can't just download fresh crapware to
make your brand new laptop fully functional. I'll take that tradeoff.

~~~
cies
Well said. I have the same sentiment. Gimme Linux (or FreeBSD) and I stay
clear of your crapware, re-install my machine less often, and install a new
OS+apps much faster.

------
xroche
As a rule of thumb, you have:

    
    
      * Decent software companies terrible at making hardware
      * Decent hardware companies terrible at making software
    

I have yet to see one that does both correctly. Hardware manufacturers are
known to produce the worst code quality you can think of, badly designed,
poorly written, undocumented, insecure, bloated.

I have the feeling that the whole IoT problem is also related.

~~~
krylon
> Decent software companies terrible at making hardware

Not sure if one wants to count them as a decent software company, but
Microsoft is quite good at building keyboards, IMHO.

~~~
oblio
Their internal divisions might be all over the place regarding company
policies (see: Windows 10 as spyware :) ) and their insistence on keeping
strict backwards compatibility with sub-par products (DOS, basically) might be
debatable.

But their engineering these days is top notch. They might not be the best but
they're probably in the top 10% software companies regarding engineering
practices, IMO. If not higher.

~~~
wolfgke
> and their insistence on keeping strict backwards compatibility with sub-par
> products (DOS, basically) might be debatable.

All 64 bit versions of Windows can neither run DOS applications nor Win16
applications (I described the technical reason for this at
[https://news.ycombinator.com/item?id=14246521](https://news.ycombinator.com/item?id=14246521)).

~~~
oblio
While that's strictly true, there's a wider range of backwards compatibility
they're keeping.

See the whole Rust/Cargo problem on Windows. Windows files can't be named con,
aux, etc., because the Windows file systems are backwards compatible,
generationally, all the way to DOS, which didn't have subfolders initially and
which reserved those keywords for special files. Then as DOS added subfolders
it still kept that global restriction, then Windows adopted it... and here we
are today.

Windows is full of these things, a lot of them coming from DOS and more coming
from Win16 or even early Win32.

I know they broke backwards compatibility in the strict sense with Win64, but
apart from this not many situations where they did it come to mind. And even
for that, they only did it because the overall market for DOS/Win16 was tiny
at the point when they did it.

~~~
i336_
Concurrently occurring Creation -> Obsolescence produces overlap:

    
    
       DOS    Win3.1        Win95                Win10
      
       Creat.             Obsc.
       |---------App----------|
           |---App---|
                         |-----App-----|
      ~1980=========================================~2020
         |-----App-----|
                 |-------App-------|
                                |--------App-------->
    

(Okay, that looked a little better in my text editor.)

~~~
tracker1
Vista (or was it XP) introduced a new security model that made prior apps that
depended on a common install location being writable very interesting... They
still kind of worked, but data's actual location was then per-user.

Other than that, most windows software runs as it has for a fairly long time
now.

------
drinchev
> Actually, the purpose of the software is to recognize whether a special key
> has been pressed or released. Instead, however, the developer has introduced
> a number of diagnostic and debugging features to ensure that all keystrokes
> are either broadcasted through a debugging interface or written to a log
> file in a public directory on the hard-drive.

Looks like it's not intentional. Although really poor code-quality process I
would say.

~~~
wolfgke
> Looks like it's not intentional. Although really poor code-quality process I
> would say.

To quote from

> [https://en.wikipedia.org/w/index.php?title=Underhanded_C_Con...](https://en.wikipedia.org/w/index.php?title=Underhanded_C_Contest&oldid=773989999)

(emphasis mine): "The Underhanded C Contest is a programming contest to
turn out code that is malicious, but passes a rigorous inspection, _and looks
like an honest mistake._"

Do you really believe that Malory does not use practices that make the
security hole look like a mistake of a not-so-experienced programmer or an
internal debugging tool that was accidentally left in?

~~~
mijoharas
Sorry, what do you mean by "Malory" here? trying to google I only get
references to Malory Archer from Archer.

EDIT: Think I found it. The new M's name is Gareth Mallory[0]

[0]
[http://jamesbond.wikia.com/wiki/M_(Ralph_Fiennes)](http://jamesbond.wikia.com/wiki/M_\(Ralph_Fiennes\))

~~~
wolfgke
> Sorry, what do you mean by "Malory" here? trying to google I only get
> references to Malory Archer from Archer.

> [https://en.wikipedia.org/wiki/Alice_and_Bob](https://en.wikipedia.org/wiki/Alice_and_Bob)

"Mallory or (less commonly) Mallet: A malicious attacker."

Sorry I forgot one "l" in "Mal[l]ory".

~~~
mijoharas
Thanks! I was only aware of Alice, Bob and Eve, good to know there's a whole
cast of characters.

------
zollidia
I'm strangely not surprised with HP and their actions (in this case, a lack
thereof). It reminds me of the Bose issue a year or so back with their
products.

And the impact which HP is going to experience is nothing. Most people
still to this day really don't care/understand why this is a problem. They
just want to get a computer for school, general internet surfing or watch cat
videos. (Cat and Dog videos are quite interesting.)

~~~
DaiPlusPlus
HP got more flak for their "racist webcam" than this issue ever will, I
suspect.

(2009: [http://gizmodo.com/5431190/hp-face-tracking-webcams-dont-rec...](http://gizmodo.com/5431190/hp-face-tracking-webcams-dont-recognize-black-people))

------
arca_vorago
I remember in the late 90's early 2000's when HP was embracing linux and open
source... and then they merged with Compaq and I've seen nothing but mistake
after mistake from them since.

I'm really tired of seeing companies positioned to make good things and better
the world get focused on quarter profits and short term thinking, because it
_always_ bites them in the ass eventually.

Mismanagement from the C level _up_ abounds.

------
snowpanda
I archived the HP page just in case:
[https://archive.fo/FjWUv](https://archive.fo/FjWUv)

------
doreox
> ...or it could just monitor the keystrokes itself with SetWindowsHookEx()
> like this process.

...which any AV will immediately flag. This allows malware to keylog in a much
less detectable way by piggybacking off trusted HP software.

------
vfclists
This is one of the main reasons for libre/free/open/choose_your_term software.

Even when malice is not to be checked for, genuine error, incompetence,
forgetfulness or plain indifference must be checked for.

~~~
krylon
As much as I love Free Software, there have been plenty of examples of bugs
(security-relevant and otherwise) in FLOSS code that were just as problematic.

Source code being open for inspection only helps if people actually take the
time to _look_ at the code. OpenBSD deserves an honorable mention.

~~~
mikegerwitz
Proprietary software developers have little incentive aside from the
possibility of discovery to not take advantage of users. It's sometimes
difficult to determine whether it's malicious or not, and there's a greater
chance for plausible deniability---we don't know the story behind that code.

If an anti-feature is discovered in free software, it can be promptly removed
and replaced, regardless of whether the developers of the software consider it
to be an anti-feature. What if HP wants this to remain for
debugging/diagnostic purposes? There's little you can do about that. (I'm not
saying they do.)

The fact that free software can have bugs is an open source argument that
falls apart when the argument becomes "open source is better because of
technical advantage X".[0]

There are frequent arguments that the freedom of drivers isn't important---
mainly because it's inconvenient to use a system without non-free drivers and
requires purchasing replacement hardware to work around. This is an example
that maybe can help counter that point.

[0]: [https://www.gnu.org/philosophy/open-source-misses-the-point....](https://www.gnu.org/philosophy/open-source-misses-the-point.html)

~~~
krylon
I do agree - wholeheartedly - with you that Free Software gives users control
over what their devices do. This is important. Control and _trust_ that your
devices do what they are supposed to do - no more, no less - are pretty much
impossible to establish without free software.

My point was that if nobody bothers to look at the code, the bug will go
undetected. Think of how long the Heartbleed bug had been in OpenSSL before it
was discovered.

~~~
mikegerwitz
> My point was that if nobody bothers to look at the code, the bug will go
> undetected. Think of how long the Heartbleed bug had been in OpenSSL before
> it was discovered.

Yes, I agree. "Linus's Law", while it has some truth, is a flawed (and open
source) reasoning if considered absolute.

------
CodeSheikh
Is this an old article? Conexant was acquired by Philips a while back.

------
stanislavb
Wow. That's going to hit HP

~~~
romanovcode
Yeah, that's even worse than last year's Lenovo fiasco.

~~~
egeozcan
I personally wouldn't compare these two incidents but just wanted to remind
you that the Lenovo incident was malicious by design. This one can, and most
likely will, be attributed to carelessness.

~~~
cyphax
The article suggests that as well, the way I read it:

"Actually, the purpose of the software is to recognize whether a special key
has been pressed or released. Instead, however, the developer has introduced a
number of diagnostic and debugging features to ensure that all keystrokes are
either broadcasted through a debugging interface or written to a log file in a
public directory on the hard-drive.

This type of debugging turns the audio driver effectively into a keylogging
spyware."

Carelessness sounds like a fairly reasonable explanation, simply applying
Hanlon's razor. :)

~~~
wolfgke
> Carelessness sounds like a fairly reasonable explanation, simply applying
> Hanlon's razor. :)

On the other hand: If you _do_ believe that there exists software on most
computers where a security hole has _deliberately_ been left in (and since Snowden
you should), applying Occam's razor will tell you that it probably looks like
"innocent incompetence", since considering the typical software quality this
gives rather plausible deniability.

------
secfirstmd
"Neither HP Inc. nor Conexant Systems Inc. have responded to any contact
requests. Only HP Enterprise (HPE) refused any responsibility, and sought
contacts at HP Inc. through internal channels."

A keylogger and this is their response?

I hope they get the shit sued out of them.

------
donpdonp
MicBleed

------
donpark
googling "conexant keylogger" shows this is not a new problem.

~~~
digi_owl
Hmm, Conexant. I seem to recall battling their products back in the modem
days...

------
0xFFC
This is a fucked up world we live in!

------
nailer
To fix the super-wide article:

    
    
        document.querySelector('.blogbody').setAttribute("style", "max-width:650px; margin: 0px auto;");

~~~
rahilwazir
Thanks, you will go far in life.

------
wereHamster
Please, use a max-width on text columns. The article is unreadable on a large
screen.

~~~
Aaargh20318
Only if you have your browser window maximised or very large, which kind of
defeats the purpose of a windowed multitasking OS.

~~~
wereHamster
You know, you can have more than one screen. And working with visual/design/UI
tools you pretty much want to use as much of the screen as possible. Most of
the time I have a browser fullscreen on one of my screens.

~~~
Aaargh20318
> working with visual/design/UI tools you pretty much want to use as much of
> the screen as possible.

Really? You maximise your content window? Then where do you leave all your
tool-windows? On a second monitor? Do you only design widescreen content?
Don't you think those white bars on the left/right of your content are a total
waste of screen real estate?

