
HP laptops found to have hidden keylogger - nef
http://www.bbc.co.uk/news/technology-42309371
======
esnard
Previous discussion:
[https://news.ycombinator.com/item?id=15885206](https://news.ycombinator.com/item?id=15885206)

------
jchw
So... This has ballooned from debug code with no evidence of ever being
maliciously used to "loss of confidentiality" and now instead of being a
keylogger it's a "hidden keylogger."

Dramatic tone change for no actual new news. Sure this is getting the person's
blog attention, but now I'm certain I don't agree with the alarmist title of
the original post.

~~~
kbutler
And the assertion that "an attacker with access to the computer could have
enabled it to record what a user was typing" is somewhat silly.

If the attacker has access to the computer, why not install some other key
logger that would send info to the attacker's site?

~~~
Someone1234
Claiming that an attacker would use this is nonsensical.

You need write access HKLM in order to change the registry key, if you have
write access to HKLM you can inject your own driver (inc. keylogger) into the
OS.

Plus the keypresses are context-less (i.e. you don't know what application, or
window the keypress was sent to). A continuous stream of keypresses with no
context is darn near useless, it doesn't even contain timestamps!

Any number of off-the-shelf keyloggers would do a far better job, all of which
can be auto-loaded if you have HKLM write access. They'll even tell you the
exact web page a keypress was sent to and manage the job of sending that
information to you...

~~~
_Codemonkeyism
www.facebook.com<return> stephan<tab>123abc

doesn't seem useless to me.

~~~
skocznymroczny
A person that knows that you can use tab to jump between form fields probably
uses a password manager anyway.

------
seanwilson
"He said the keylogger was disabled by default, but an attacker with access to
the computer could have enabled it to record what a user was typing.

According to HP, it was originally built into the Synaptics software to help
debug errors."

How bad is this really then? If an attacker could enable it, they could
install another key logger anyway if this feature didn't exist? Can HP enable
it remotely (I'm guessing not)?

~~~
Someone1234
Exactly. You need administrator to enable this, and you need administrator to
install a different keylogger. So then the question becomes: Why use this?
Well, an attacker wouldn't but the press doesn't know anything about tech' so,
this fact escapes them. This is like science reporting all over again...

If you have HP's update agent installed, HP are able to install drivers, so
all bets are off as far as what HP could do to your machine. They could enable
this via the update agent, but even assuming worst motivations there are a
tens of better commercial keyloggers HP would use before this.

This debug functionality likely shouldn't be shipping in retail versions of
the driver (defence in depth, etc) and should be removed. But there's a ton of
misinformation surrounding this bug which is frustrating, the actual security
community are already bored of this one.

~~~
gruez
>you need administrator to install a different keylogger

nope. you need administrator if you want to install for all users, but there's
nothing preventing a user from keylogging himself.

~~~
Someone1234
You need write access to:

HKLM\Software\Synaptics\%ProductName%\Default

Which requires administrator or equivalent, so that is preventing a user from
even keylogging themselves.

~~~
gruez
i meant you can install any other keylogger without admin.

------
donatj
Less of a big deal than they’re trying to make it out to be, it’s disabled by
default and a leftover debugging tool.

~~~
mtgx
Twice in the same year?

[http://www.tomshardware.com/news/hp-keylogger-debugging-
tool...](http://www.tomshardware.com/news/hp-keylogger-debugging-tool-driver-
update,34418.html)

How many of these "debugging tools" has HP left enabled, I wonder?

~~~
moreless
It's not enabled. And someone with access to your computer can just install
their own keylogger anyway, so why is this even a security threat?

~~~
jbb67
Well we didn't know it was there at all not long ago. How sure can we be now
that there is no hidden remote way to turn it on?

~~~
openasocket
That's not a valid form of reasoning. Just because we didn't know about
something before isn't an excuse to make random assumptions.

------
13of40
There are key loggers and Key Loggers. If you need admin rights to enable it
and it saves the keystrokes locally, then you probably shouldn't care. Anyone
with that level of access can install something worse.

~~~
caio1982
It still is a keylogger in a consumer product.

~~~
ballenf
So is Notepad.

~~~
bnegreve
Notepad runs in userland under the supervision of the kernel. This is a driver
and could be running in kernel mode. It could make a big difference.

Even if it's not malicious, I still think it is a rather serious professional
mistake to ship a driver containing potentially dangerous deadcode.

~~~
vertex-four
There's plenty of "rather serious professional mistakes" in whatever operating
system you happen to run in the first place - it's very rare that something
that doesn't affect security in any meaningful way gets the attention this
has.

------
djsumdog
At least with a PC, it's relatively easy to put in a fresh install, either
Windows or some other operating system, which everyone in tech should do
considering the recent HP/Lenovo issues (although I'm not sure if it would
help I this situation if this particular exploit was in the official drivers).

It's considerably harder with phones, with all of them running non standard,
non upstreamable kernels, and consumers not really having alternative OSes
like we do with PCs.

~~~
tga
Most PCs come without Windows installation media and instead rely on a restore
partition (keylogger included). If you try to install off random other media
(e.g. MSDN), it will not recognize the OEM license that comes with the
computer.

Because of this, there is no trivial way (edit: OK, without buying Windows
again) to get a vanilla install including only the Microsoft keylogger, but
not the HP one.

~~~
pnutjam
Not true, you can reinstall the same version and it will pick up the licensing
from the BIOS. You can even extract the key from the BIOS to use on a VM (same
hardware) if your running linux.

It's even very easy to get the install media direct from Windows, not like
back in XP days.

[https://www.microsoft.com/en-us/software-
download/windows10I...](https://www.microsoft.com/en-us/software-
download/windows10ISO)

~~~
tga
Thanks, this used to be an issue at least Windows 8. I'm happily surprised if
it's now as easy as downloading the ISO from Microsoft and reinstalling it on
an OEM machine.

------
oeuviz
Just makes me support OSS drivers more. Imagine what damage could be done with
hidden code in GPU drivers nowadays.

------
mtgx
In related news:

[https://www.engadget.com/2017/11/28/hp-quietly-installs-
syst...](https://www.engadget.com/2017/11/28/hp-quietly-installs-system-
slowing-spyware-on-its-pcs/)

------
muxator
To me, this is one more reason to never use the default install of an
operating system.

In this specific case, if the debugging "leftovers" were part of the official
drivers, then I would say there is a good indication towards preferring a free
OS.

------
swarnie_
Is this old news? I remember an audio driver (maybe?) causing a similar issue
6-9 months ago.

I worked for a HP reseller at the time and could replication the issue on
almost every model in our labs

------
loerres
Well, Synaptics Touchpad Drivers always sucked. "Windows Precision Touchpad"
is pretty good but not quite on Apples level.

------
tonylemesmer
previous
[https://news.ycombinator.com/item?id=14314795](https://news.ycombinator.com/item?id=14314795)

------
ryanlol
Why does _obvious_ bullshit like this get so much visibility?

Why not "Windows found to have hidden keylogger", it also ships with
functionality that allows you to capture keystrokes if you so insist?

