Have you bought a HP Notebook, Tablet or Workstation recently? Would it upset you to know it may be silently recording every keystroke. According to Swiss infosec firm ModZero, this is actually happening to a select group of HP Computer (list of effected devices below)

According to a ModZero blog post, HP’s update to it’s audio drivers released in 2015 introduced some new diagnostic features. However unannounced to their customers, it seems the features were poorly implemented, seeing as the driver ultimately acts like a keylogger, capturing every single key-press.

It’s fine though, HP must of rectified the huge security concern? Unfortunately not the case here, a later update to the driver introduced further functionality that writes every single key-press to a log file stored on the user’s system.

Although it is important to be aware that this logfile wipes every time you logout of your system, but as stated by ModZero, if you’ve got any kind of incremental backup system in place, there may well be a permanent record of everything you have typed.

ModZero recommends that all users of HP computers, check whether the program C:\Windows\System32\MicTray64 exists on their machine, in addition to deleting the MicTray log file C:\Users\Public\MicTray.log , as it may contain sensitive information, like passwords,login credentials and banking information.

The blog post also highlighted that at this time there is no evidence showing that this keylogger was intentionally implemented. Rather severe negligence from the developers.

Temporary Fix:

To stop the process from running: (Credit to _My_Angry_Account_ a user on reddit)

Start the Registry Editor (regedit). In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options. Right click on image file execution options > New > Key Name the new key MicTray.exe Right click new MicTray.exe key > New > String value Name the new value debugger Set new “debugger” string value data to: devenv /debugexe It forces any .exe file named MicTray or MicTray64 to go through a debugger and this causes it to fail. If you are running Windows 64-bit then steps 4 and 5 should be: 4. Name the new key MicTray64.exe 5. Right click new MicTray64.exe key > New > String value To check your version of Windows the shortcut is to hold down your Windows Key and press Pause (Break) or in Windows 8.1 and 10 you can right click on the start button and click on System. In previous versions you can right click on Computer or My Computer and click on Properties to find out what version of Windows you are running. Current List of effected machines: HP EliteBook 820 G3 Notebook PC

HP EliteBook 828 G3 Notebook PC

HP EliteBook 840 G3 Notebook PC

HP EliteBook 848 G3 Notebook PC

HP EliteBook 850 G3 Notebook PC

HP ProBook 640 G2 Notebook PC

HP ProBook 650 G2 Notebook PC

HP ProBook 645 G2 Notebook PC

HP ProBook 655 G2 Notebook PC

HP ProBook 450 G3 Notebook PC

HP ProBook 430 G3 Notebook PC

HP ProBook 440 G3 Notebook PC

HP ProBook 446 G3 Notebook PC

HP ProBook 470 G3 Notebook PC

HP ProBook 455 G3 Notebook PC

HP EliteBook 725 G3 Notebook PC

HP EliteBook 745 G3 Notebook PC

HP EliteBook 755 G3 Notebook PC

HP EliteBook 1030 G1 Notebook PC

HP ZBook 15u G3 Mobile Workstation

HP Elite x2 1012 G1 Tablet

HP Elite x2 1012 G1 with Travel Keyboard

HP Elite x2 1012 G1 Advanced Keyboard

HP EliteBook Folio 1040 G3 Notebook PC

HP ZBook 17 G3 Mobile Workstation

HP ZBook 15 G3 Mobile Workstation

HP ZBook Studio G3 Mobile Workstation

HP EliteBook Folio G1 Notebook PC

Thanks for reading – feel free to follow and stay updated 🙂 View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+