HP Laptops are secretly recording users' keystrokes
(and storing them in a plaintext file)
[quote]Security researchers have discovered that a feature installed in a number of HP laptops is recording all of the keystrokes that the laptop users make.
In capturing everything users press on their keyboards the software is recording sensitive information, and by saving that information in an easily accessible file the researchers claim that it is potentially exposing users' passwords to attackers.
According to the Swiss cybersecurity group behind the research, Modzero, the feature wasn't designed to spy on users - but it was implemented in such a way that it records everything users type.
This means that from the moment a user logs into Windows on affected HP laptops, every key they press, including to enter passphrases for online banking and email accounts, is recorded and stored.
The security firm claims that this "leads to a high risk of leaking sensitive user input".
"Users are not aware that every keystroke made while entering sensitive information - such as passphrases (or) passwords on local or remote systems - are captured by (the software)," the security advisory continued.
The researchers complained that they first reported the issue to HP on 28 April, but decided to publish their security advisory yesterday because HP had failed to respond to them.
Speaking to Sky News, a spokesperson for HP said the company was "aware of the keylogger issue on select HP PCs."
HP told Sky News: "Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version. Fixes will be available shortly via HP.com."[/quote]
Affected laptops:
[quote]HARDWARE PRODUCT MODEL(S):
HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC[/quote]
[url]http://news.sky.com/story/hp-laptops-secretly-recording-user-keystrokes-10873634[/url]
[url]https://arstechnica.com/security/2017/05/hp-laptops-covert-log-every-keystroke-researchers-warn/[/url]
laptop vendors just need to stop fucking with the OS, period. Apparently this was included with an audio driver, because sense.
This basically means if you get breached you don't just get leakage from between the breach and until you figure out and clean it, but you get breached and everything you've used the laptop for since you last rebooted gets breached.
I know a lot of people who simply do not reboot their laptops anymore with how good hybrid sleep and similar hibernation stuff is getting. This could go back months.
This is why I wipe the Hard drive and clean install Windows + Linux each and every time I get a new laptop
why would hp even need a keylogger installed on their customer's laptops? what information are they trying to gain?
it's not used as a remote keylogger, it literally was used to debug read keystrokes for the hotkey in the audio driver.
It was only a debug feature and was meant to be removed but somehow they forgot.
Again, only people who knew the file existed and had access to your file system could have read what you typed.
Somebody majorly fucked up during code audit, that much is sure.
[QUOTE=MeepDarknessM;52222616]it's not used as a remote keylogger, it literally was used to debug read keystrokes for the hotkey in the audio driver.
It was only a debug feature and was meant to be removed but somehow they forgot.
Again, only people who knew the file existed and had access to your file system could have read what you typed.[/QUOTE]
"forgot"
is dell/msi/asus/ and maybe acer the only good laptop manufacturers now?
Aw fuck I own one of these, it's my work laptop.
[QUOTE=spectator1;52223063]is dell/msi/asus/ and maybe acer the only good laptop manufacturers now?[/QUOTE]
All these vendors are all in the same place, each have a bad history with the shit that they put in their systems. Bloatware is a problem and I can't fucking stand it when we order in 20 or so laptops, obviously for business use and they throw in McAfee and shit on there.
Like it's a mass order of laptops, do you really think that the people receiving it don't have their own solution?
[QUOTE=Big Bang;52223265]Aw fuck I own one of these, it's my work laptop.[/QUOTE]
Same. Installed Linux on it on day one though, so I guess this doesn't apply?
[QUOTE=zeromancer;52223272]All these vendors are all in the same place, each have a bad history with the shit that they put in their systems. Bloatware is a problem and I can't fucking stand it when we order in 20 or so laptops, obviously for business use and they throw in McAfee and shit on there.
Like it's a mass order of laptops, do you really think that the people receiving it don't have their own solution?[/QUOTE]
Meanwhile Clevo resellers give the option of no OS so you don't have to waste money on an OS you won't use.
I have to warn my friends and relatives about this.
[QUOTE=helifreak;52223292]Meanwhile Clevo resellers give the option of no OS so you don't have to waste money on an OS you won't use.[/QUOTE]
I wouldn't mind having a pre-installed OS (Assuming it's Professional or equivalent) because then I can use Group Policy and Login Scripts to install what's needed for business use. Shaves some time off from using PXE Boot. But if you go pre-installed, bloatware will be a thing. It's just frustrating because no one asked for this, and its only purpose is to bloat my time dealing with them during implementation and deployment.
My girlfriend owns one of the affected laptops, luckily she uses it in a way where the risk was very low. A fix already got released now. I can't believe they let this slip through lol.
[QUOTE=zeromancer;52223337]I wouldn't mind having a pre-installed OS (Assuming it's Professional or equivalent) because then I can use Group Policy and Login Scripts to install what's needed for business use. Shaves some time off from using PXE Boot. But if you go pre-installed, bloatware will be a thing. It's just frustrating because no one asked for this, and its only purpose is to bloat my time dealing with them during implementation and deployment.[/QUOTE]
If you buy from the Microsoft store, it will be a clean Windows install.
Was this included for commercial/advertising purposes, to provide data to a state, or some other reason? Shitty programming practices?
[QUOTE=Biotoxsin;52223598]Was this included for commercial/advertising purposes, to provide data to a state, or some other reason? Shitty programming practices?[/QUOTE]
By taking up the momentous task of reading the thread, I have come to the conclusion that it was a debug feature that was never removed.
So
D) Shitty programming practices
[QUOTE=helifreak;52223292]Meanwhile Clevo resellers give the option of no OS so you don't have to waste money on an OS you won't use.[/QUOTE]
Most major manufacturers have lines with no OS. MSI certainly. The thing is, the absolute sheer majority of people will want to have a Windows license. More often than not the "no OS" option will be used by pirates.
[QUOTE=zeromancer;52223272]All these vendors are all in the same place, each have a bad history with the shit that they put in their systems. Bloatware is a problem and I can't fucking stand it when we order in 20 or so laptops, obviously for business use and they throw in McAfee and shit on there.
Like it's a mass order of laptops, do you really think that the people receiving it don't have their own solution?[/QUOTE]
Costs too much money to custom-install for each and every one, so you get the same cookie-cutter laptop package of bloat-ware as everybody else.
[QUOTE=Megaman1811;52222247]This is why I wipe the Hard drive and clean install Windows + Linux each and every time I get a new laptop[/QUOTE]
This is a pain in the ass for a lot of laptops since specific drivers for laptop hardware can be so hard or even impossible to find online. Usually I just dedicate the day to tracking down and eliminating with extreme prejudice every piece of bloatware on the machine from the factory. When I reformatted my previous laptop, a Vaio, the function keys and the graphics driver control panel never worked again, even with all of Sony's drivers.
Luckily my current Asus didn't ship with much bloatware, just the manufacturer's driver update software and a few other well intentioned but kinda shit programs. As someone who exclusively uses laptops this really charmed me so I'm probably going to stick to Asus for the future unless they do something that pisses me off.
[QUOTE=Biotoxsin;52223598]Was this included for commercial/advertising purposes, to provide data to a state, or some other reason? Shitty programming practices?[/QUOTE]
It's the last one. The code was in MicTray64.exe. In order to test for push to talk functionality, there was debug code monitoring keystrokes so that they could confirm it was working correctly. They never took the debug code out.
[QUOTE=Zero-Point;52223865]Costs too much money to custom-install for each and every one, so you get the same cookie-cutter laptop package of bloat-ware as everybody else.[/QUOTE]
Exactly. They're just using an image per laptop model and throwing it on there. This was an oversight but everyone uses images, just faster and better for mass.
[QUOTE=Grenadiac;52224048]This is a pain in the ass for a lot of laptops since specific drivers for laptop hardware can be so hard or even impossible to find online.[/QUOTE]
What laptops are you buying? I've rarely had much of an issue except for incredibly old laptops, and even still, Windows usually finds most of the drivers for you
[QUOTE=wraithcat;52223672]Most major manufacturers have lines with no OS. MSI certainly. The thing is, the absolute sheer majority of people will want to have a Windows license. More often than not the "no OS" option will be used by pirates.[/QUOTE]
Or people wanting to run Linux on it, or people who would prefer to buy a key for $50 instead of paying the $240 that shit retails for.
[QUOTE=djjkxbox;52224685]What laptops are you buying? I've rarely had much of an issue except for incredibly old laptops, and even still, Windows usually finds most of the drivers for you[/QUOTE]
You can get generics that work but you can sometimes lose functionality like I mentioned re: the Vaio. I have also had this problem with a Dell Inspiron.
Regarding Conexant themselves, this wasn't a form of bloatware, it was the driver itself that was the issue and Windows 10 would install it even if you uninstalled it (the more known counterpart would be Realtek's audio driver). It basically means that HP isn't at fault and it was entirely on Conexant who did this.
[QUOTE=spectator1;52223063]is dell/msi/asus/ and maybe acer the only good laptop manufacturers now?[/QUOTE]
I bought a new laptop from the Asus ROG gaming laptops. It came with Windows 10 preinstalled and it was full of bloatware.
Don't get me wrong; the laptop is awesome and I have not had many problems with it. The only problems I had were sitting for more than an hour finding and uninstalling useless bloatware, and getting Ubuntu to run properly on this was a huge pain.
[QUOTE=spectator1;52223063]is dell/msi/asus/ and maybe acer the only good laptop manufacturers now?[/QUOTE]
This reminded me:
I've seen multiple ads about ASUS Pure laptops that claim to have nothing else but Windows installed on them. Is this bullshit? Because if that is true I know what laptop I'll get if I ever have to get one.