It's just a feature —

Laptop touchpad driver included extra feature: a keylogger

Researcher finds logger, turned off by default, could be turned on with a registry change.

\
\
Valentina Palladino

Flaws in software often offer a potential path for attackers to install malicious software, but you wouldn't necessarily expect a hardware vendor to include potentially malicious software built right into its device drivers. But that's exactly what a security researcher found while poking around the internals of a driver for a touchpad commonly used on HP notebook computers—a keystroke logger that could be turned on with a simple change to its configuration in the Windows registry.

The logger, which could potentially be leveraged by an attacker or malware to harvest login credentials and other data, was discovered by security reasearcher Michael Myng (also known as ZwClose) lurking within driver software for Synaptics touchpads—used by hundreds of HP and Compaq business and consumer notebook computer models, as well as many other Windows notebook computers from other manufacturers. Myng disclosed the discovery on his blog on December 7 after the problem was disclosed to HP.

The keylogger was apparently included for debugging during development and is disabled by default. However, a user or software with administrative privileges could activate the keylogger by making a registry change—potentially remotely using Windows Management Instrumentation (WMI) or PowerShell scripts. Once turned on, it captures keystrokes and generates a trace log file.

HP has acknowledged the keylogger's presence in a security notice on November 7, which included links to patched drivers for hundreds of HP and Compaq notebook computer models downloadable from the HP support website. In the security release, HP stated that the vulnerability "impacts all Synaptics OEM partners." The security release also asserted that neither HP nor Synaptics had gained access to customer data as a result of the keylogger.

For those who may feel they're suffering from déjà vu all over again, this is the second time this year that a keylogger has been found in an HP notebook driver: in May, it was an audio driver that was the suspect.

Channel Ars Technica