Early in December 2017, security Michael Myng posted to his GitHub-hosted blog about a potentially major vulnerability he stumbled across while testing out the Synaptics Touchpad keyboard driver for Hewlett Packard’s notebook models. While looking at said driver (SynTP.sys), his attention was caught by some peculiar coding. Investigating further, he discovered a leftover keylogger that could use Windows software trace preprocessor (WPP) tracing to collect past keystrokes. Though the bug would technically require administrator access to be exploited, there are reportedly several ways to bypass this and use the affected driver to spy on users.
Myng brought this to the attention of HP, who responded immediately and revealed that it was a leftover debugging tool. They released updates addressing the vulnerability and a statement explaining the situation, as well as a list of potentially affected products. Synaptics Incorporate also put out a statement, though theirs’ focuses more on emphasizing that this is a standard debugging tool that was never meant to be a keylogger, and that this is a relatively low risk according to contemporary security standards.
This is the second time in a year that HP products were found with hidden keylogging software, the earlier instance occurring in May. A Swiss cybersecurity firm revealed they had discovered a keylogger buried in an audio driver package. The firm made serious accusations about the presence of the potentially malicious software and a supposed lack of a response from HP and the third-party developer who made the driver, though HP did release a statement and an update shortly after the public revelation.
Keyloggers such as these are typically used by software developers to check for any bugs that might appear in driver files. Collecting keystrokes enables them to identify these potential glitches more easily. Ironically, in at least the most recent case this debugging software was forgotten about and left behind in several products dating as far back as 2012.
If you are using a HP portable computing device (laptop, notebook, etc.) from the affected date range, then check your C:\Windows\System32\drivers folder and look at the Properties of the SynTP.sys driver file. Under “Product version,” if you find 18.104.22.168 16Aug16, then your machine may be vulnerable. Contact us to conduct an in-depth scan of your network to see if it has been compromised.