HP Says Keylogger Was Just Non-Disabled Debugging Tool, Updates Driver

News
By Steven Lynch
published

After it was revealed that an audio driver installed on several HP laptops contained a feature that secretly recorded every keystroke entered into the computer, we reached out to HP for comment and were informed by a member of the company’s crisis communications team that a new audio driver is now available with the keylogging feature removed.

Although the release notes for the updated Conexant HD audio driver dated May 14th simply state "provides update for audio issue,"  digging deeper we found a security bulletin that appears to address the issue directly listing the security impact as "potential, local loss of confidentiality."

According to the company, the keylogging feature was in fact a debugging tool that was simply not disabled prior to product launch.

From the security bulletin:

A potential security vulnerability caused by a local debugging capability that was not disabled prior to product launch has been identified with certain versions of Conexant HD Audio Drivers on HP products. HP has no access to customer data as a result of this issue.

A list of almost 90 affected desktop / laptop systems can be found here. The updated Conexant HD audio driver can be downloaded here.

Steven Lynch
14 Comments Comment from the forums
  • captaincharisma
    HP's PR is just as bad as their computers lol
    Reply
  • Alex-Nigma
    As a programmer with 7 years under my belt I cannot come up with ANY necessity to have a key-logger as a debugging tool in audio drivers. Any ideas?
    Reply
  • Robert Pankiw
    @Alex-Nigma Sure, if the keyboard is used to affect audio settings (FN keys) then it would make some sense that they want to review all keys pressed and how that affected the audio, especially if they used non-standard keys for at least one model, and wanted to have a single, unified driver but didn't want the non-standard keys to affect computers that didn't implement it.
    Reply
  • Mister-S
    Yeah, sure it was. I believe you HP, (NOT)!!!
    Reply
  • Travisty2
    I do totally believe this. Though I assume this is done in C so some lazy programmer forgot to put in pre-compiler statements around the key logger.
    Bad for the team too to have missed it in code review.
    Reply
  • mrmez
    I hate the litigious reputation Americans have, but when the hell are people going to start suing companies for stuff like this?

    Fking with their cash is the only way you'll hold them to any form of standard or accountability.
    Right now they just shrug their shoulders and give you the finger.
    Reply
  • spentshells
    Right.......
    Reply
  • derekullo
    John: Ted remember to remove that keylogger we were using for testing from that HP audio driver.

    Ted: Sure, as soon as I find where the hot pockets are.

    "Ted frantically searches for 5 minutes before finding his beloved hot pockets"

    "Ted tosses his hot pockets into the microwave and pushes the hot pockets button"

    "Ted eats his tasty hot pockets"

    Ted: What was John saying I had to do?

    Ted: Meh, never-mind probably wasn't important
    Reply
  • eviling
    Why on earth is the debugging tool sent out along with the driver?
    Reply
  • captaincharisma
    19695492 said:
    I hate the litigious reputation Americans have, but when the hell are people going to start suing companies for stuff like this?

    Fking with their cash is the only way you'll hold them to any form of standard or accountability.
    Right now they just shrug their shoulders and give you the finger.

    lol American's sue over the most humorous thing like if there phone gets a sctratch. nobody sue's HP because everyone knows to stay away from them

    Reply