Tag Archives: HP

HP audio driver contained keylogger

Late last week it was announced that the Swiss security firm ModZero had responsibly disclosed (defined) to HP, back in early April 2017, their discovery of an audio driver (Conexant HD Audio) containing a keylogger. The driver is known to be present on 28 HP devices (listed here).

Conexant also creates drivers for Asus, Lenovo and Dell; at this time it is not clear whether those vendors ship the same driver (security analysts have been unable to find any other devices using the affected driver).

How can I tell if my HP (or other device) is affected by this vulnerability?
This BleepingComputer article explains how to check for this vulnerability.

Why should this vulnerability be considered important?
The affected audio driver (versions 1.0.0.31 up to and including 1.0.0.46) contained the issue, which was first introduced in December 2015. It therefore has the potential to have gathered a vast quantity of information since that time.

Not only does the driver record key presses (using a low-level keyboard input hook (defined)), but it also exposes the captured keystrokes through the OutputDebugString and MapViewOfFile APIs (API, defined). The OutputDebugString API enables any running application to capture the keystrokes, while MapViewOfFile enables any framework or application with access to the MapViewOfFile API to do the same.

Since the unencrypted keystrokes are stored in a text file, forensic investigators with access to the log file (stored at C:\Users\Public\MicTray.log) could potentially recover previously saved sensitive data (a reboot or power-off of the device clears the file). When backups of the affected systems are performed, previous versions of this file would contain further captured (and potentially sensitive) information.

Since our keyboards are used to enter all kinds of sensitive information (emails, chat/instant message conversations, social media posts, credit card numbers etc.), this vulnerability could have serious consequences if the log contents were to be obtained by cyber criminals. The file might also contain credentials (usernames/passwords) for the above mentioned activities.

From the information disclosed about this vulnerability, there is no evidence to suggest the driver uploads/sends the information it gathers within that log to HP, Conexant or anyone else. However, if you are creating unencrypted backups within a corporate, small business or consumer environment, this file will, over time, contain more and more gathered information. If someone knew you create these backups and knew where to look within them (assuming they are not encrypted), they could gather significant volumes of sensitive information.

How can I protect myself from this vulnerability?
After ModZero disclosed this information to HP, HP made available a driver update (version 10.0.931.90) which removes the keylogging behavior. Moreover, the driver update will be made available via Windows Update for both 2016 and 2015 HP devices. HP Vice President Mike Nash clarified the logging feature of the driver was simply debugging code (defined) inadvertently left within the driver.

If you followed the steps above to check if your device was vulnerable but there is no driver update available, the same BleepingComputer article describes how to mitigate the vulnerability.
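As an added example (not from the original post, and not ModZero's or HP's tooling), the following read-only PowerShell script pulls together the checks the post describes: it compares the installed Conexant audio driver version against the affected range 1.0.0.31 to 1.0.0.46, looks for the C:\Users\Public\MicTray.log keystroke file, and optionally searches a backup folder for older copies of that log. The $BackupRoot parameter is a hypothetical path you supply; the driver is matched on the manufacturer name, which is an assumption about how it appears in Windows' driver inventory.

```powershell
# Added example: read-only check for the Conexant HD Audio keylogger issue.
# Assumptions: affected versions 1.0.0.31 - 1.0.0.46 and log path as given
# in the post; $BackupRoot is a hypothetical folder holding your own backups.
param([string]$BackupRoot = "")

$AffectedMin = [version]"1.0.0.31"
$AffectedMax = [version]"1.0.0.46"
$LogPath     = "C:\Users\Public\MicTray.log"

# 1. Find Conexant audio (MEDIA class) drivers and compare their versions.
$drivers = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.Manufacturer -like "*Conexant*" -and $_.DeviceClass -eq "MEDIA" }

if (-not $drivers) {
    Write-Output "No Conexant audio driver found on this machine."
} else {
    foreach ($d in $drivers) {
        $v = $d.DriverVersion -as [version]   # $null if the string is not a version
        if ($null -eq $v) {
            Write-Output "UNKNOWN: $($d.DeviceName) reports version '$($d.DriverVersion)'."
        } elseif ($v -ge $AffectedMin -and $v -le $AffectedMax) {
            Write-Output "AFFECTED: $($d.DeviceName) driver $v is in the vulnerable range."
        } else {
            Write-Output "OK: $($d.DeviceName) driver $v is outside the vulnerable range."
        }
    }
}

# 2. Look for the keystroke log; a non-zero size means keystrokes were captured.
if (Test-Path $LogPath) {
    $f = Get-Item $LogPath
    Write-Output "Log present: $LogPath ($($f.Length) bytes, last written $($f.LastWriteTime))"
} else {
    Write-Output "No $LogPath on this machine."
}

# 3. Older copies of the log can survive in unencrypted backups; list any found.
if ($BackupRoot -and (Test-Path $BackupRoot)) {
    Get-ChildItem -Path $BackupRoot -Recurse -Filter "MicTray.log" -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "Backup copy: $($_.FullName) ($($_.Length) bytes)" }
}
```

Run it from an elevated PowerShell prompt so the driver inventory is complete; an AFFECTED result or a non-empty log means the driver update described above (or the mitigation in the BleepingComputer article) should be applied.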

Thank you.

HP Adds Security Features To Enterprise Printer Firmware

Earlier this week HP announced that their range of enterprise class LaserJet printers would include security features to better secure them against external attacks.

The printer models that include these features are the following:

  • HP LaserJet Enterprise M506 series
  • HP LaserJet Enterprise MFP M527 series
  • HP Color LaserJet Enterprise MFP M577 series

In addition, printers manufactured since 2011 should be able to benefit from some of the new security enhancements via a HP FutureSmart service pack update.

The security improvements enable the printers to defend against having their BIOS (defined) updated with a maliciously tampered version. In addition, only known good firmware can be executed (allowed to run/function). Moreover the printers feature a runtime intrusion detection system that prevents malware from being loaded into the printer’s memory.

Such printers can also take advantage of HP JetAdvantage Security Manager software, which allows the IT administrator to enforce a security policy: disabling unused access protocols (reducing the possibility of external attack), closing network ports and erasing documents stored within the printer's memory/hard disk to maintain confidentiality. When a printer is rebooted, all of the settings specified within the security policy are enforced, returning the printer to a known good and compliant state.

More information on these new printer models is available here and here. A link to the firmware updates for older printer models is provided above.

These security enhancements should enhance an enterprise’s security posture by preventing confidential documents from leaving the organization via networked printers or from malware installed on the printer capturing documents sent for printing or stored in the printer’s hard disk or memory. According to HP they are currently the only printer manufacturer to offer these security features but other manufacturers will likely follow suit. These features will make a worthwhile addition to have if you are considering replacing/upgrading your enterprise printer in the future.

Thank you.