HP has issued security patches for more than 460 models of the company's laptops and thin clients to address a hidden keylogger present in the Synaptics touchpad drivers. Discovered by security researcher Michael Myng while delving into the Synaptics Touchpad Software in an attempt to change the backlight behavior of the keyboard, the keylogger was reportedly built into the software stack to debug errors. While it shipped to customers disabled by default, an attacker that was able to achieve administrative privileges could change the appropriate registry value and enable keylogging to locally record all of the user's keystrokes without their knowledge. Further malicious code or local physical access could then be used to retrieve data for analysis of possible passwords, usernames, account numbers, and other personal information.
HP claims in its security bulletin that at no time did it or Synaptics have access to customer data and that this security vulnerability is a "local loss of confidentiality" and should be acted upon as soon as possible by downloading the security patch for your laptop from HP or by running Windows Update.
According to the HP security bulletin, the vulnerability reportedly affects all Synaptics OEM partners including HP that have shipped systems with certain Synaptics Touchpad driver versions. In the case of HP this includes commercial / enterprise notebooks, tablets, thin clients, and mobile workstations from their G2, G4, G6, Elite X2, EliteBook, Thin Client, ProBook, Spectre Pro, Stream, X360, and ZBook Mobile Workstation series and consumer devices with Compaq, Beats, ENVY, OMEN, Pavilion, Spectre, Split, Stream, and even the 15" Star Wars Special Edition laptop!
While this is a serious security risk, there is no need to panic. You should apply the patch manually or through Windows Update as soon as possible, but so long as you have been following and continue to follow security best practices (strong passwords, running anti-virus and anti-malware scans regularly, restricting physical access, not running as administrator on your daily driver user account, etc.) you should be safe, as there are several steps that would need to be completed before an attacker could take advantage of this hidden keylogger, especially remotely.
You can find the full list of affected laptops and their associated security patches on HP's support website. For a PGP signed version of the page you can email hp-security-alert@hp.com.
This requires local code execution to enable and to access the debug log it creates. So, for this to affect you, the attacker already has to have code running on your system. Which means you’re already pw0ned. This bug, at best, means that monitoring keystrokes might be slightly easier than hooking the kernel would have been.
Yawn.
If only the OS had a method that could list/monitor all the processes that have hooks (registered keyboard event delegates) into the OS’s keyboard functionality and allow users to monitor which processes are logging all the keyboard keystrokes and not allow any backdoors via the keyboard/other device drivers.
This all has to do with that OEM customized Keyboard function key servicing and Microsoft should have standardized that in a more secure OS managed way that required all drivers/software to ask the OS via some heavily protected system calls that only allow for the actual needed function keys to raise/pass standardized keyboard events via the OS that are then passed on to the applications. In other words the OS code would be the only code allowed to directly interface with the keyboard events and any software that needed to have function key services would never be allowed event driven access to the other unneeded key events/mappings.
The current methods with all these direct hooks into the kernel code need to have some serious sandboxing/abstraction and really only Office/word processing and some Graphics/Gaming/Etc. (lots of keyboard shortcuts) applications are needing full access to the keyboard with most other software only needing at most some function key, mouse and limited keyboard key event access. And any programs/processes running in debug mode and/or generating/accessing UI event logs should be highlighted in the Task Manager in Red so users could see which programs may be abusing any debug mode system resources or UI functionality.
Really any keyboard logging services should be made via indirect OS system calls and the OS in full control of the log files with the OS purging the logs after a very limited amount of time. Windows is such a huge mess of weak links where system calls are concerned. Windows after the NT kernel is a networked based OS with even the local hardware resources treated as networked resources. The Windows registry, file/program permissions, and networking are all parts of the dark arts with really very little in the way of OS runtime monitoring of programs/services/networking outside of PowerShell.
And Windows 10 has only just recently enabled the task manager to monitor GPU activity. And Internet Browsers need some script monitoring/management functionality that is similar to the Windows task manager because Internet Browsers are little OS-like subsystems unto themselves with all the process activity that they spawn. So users need some very fine-grained Browser parent-to-child process generated task management functionality with running scripts and webpage generated networking connections able to be managed in a GUI based Browser/Task manager like manner inside the Browser as that’s very similar to an OS running within an OS sort of virtual environment.
Windows also needs a secure Password entry base class library where the OS ONLY has access to any UI elements for entering hidden passwords. With no keyboard events passed outside of the protected OS mode while the password is being registered/entered and an encrypted password key is generated. So the keyboard hardware is restricted from any other user mode keyboard related event passing until that process is completed when that password entry process has system focus.
Key-logging is always going to be a problem but the OS and hardware need some form of hardware/OS protected mode when passwords are being generated and passed along and that requires plenty of hiding on Windows with its always on networking mode OS/API/application ecosystem.
HP needs better QA/QC and security auditing of its hardware partners’ Hardware/Drivers/Middleware/Software and that’s just sloppy management on HP Inc’s part.
A computer’s OS UI keyboard/other UI related hardware/drivers need some form of encrypted event passing where one process’s UI communication is fully encrypted from any other process’s UI communication via the keyboard/other UI related hardware/drivers. Most people do not realise that their devices are all running these modern multi-user, multi-tasking, and fully networked based OSs that are very complex to manage and secure relative to the single user OS based systems of the past.
Sometimes such complex code execution requires MSP expertise. Comodo One is the one I am trying to go for.