Researcher finds keylogger on HP laptops

Laptops exposed through Synaptics Touchpad driver

Tech giant HP has had a tough few months in terms of security, and is having to patch its laptops for a second time this year.

According to The Register, a security researcher claims to have found a driver-level keylogger on HP's laptops, and is calling on other tech firms to check their hardware.

Most of HP's laptops have been exposed to a debug trace found in the Synaptics Touchpad driver. Although the trace logging is disabled by default, it can be turned on by setting a registry value.

The security researcher, nicknamed ZwClose, found the bug when they were investigating the driver for ways that it can be used to adjust keyboard lighting.

However, they noticed something unusual among the strings in the keyboard driver. The researcher was alarmed when they came across the following text: "uLScanCode=0x%02X, bKeyFlags=%X".

"The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required)," ZwClose wrote.

"Some time ago someone asked me if I can figure out how to control HP's laptop keyboard backlight. I asked for the keyboard driver SynTP.sys, opened it in IDA and after some browsing noticed a few interesting strings."

HP was warned about the issue, and after investigating the problem itself, the company rolled out updates for some 173 enterprise products and 293 consumer products.
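The string-browsing step the researcher describes can be automated when checking other drivers. The Python sketch below is an added example, not code from ZwClose, HP or Synaptics: it extracts ASCII and UTF-16LE strings from a driver binary and flags printf-style format strings that mention key data. The token list and the sample bytes are constructed assumptions, and a hit is a lead for manual review, not proof of logging.

```python
import re
import sys

# printf-style conversion such as %02X, %d, %lu
FORMAT_SPEC = re.compile(r"%[-0 #+]*\d*(?:\.\d+)?(?:hh|h|ll|l|I64|I32)?[diouxXcsp]")
# Tokens hinting that keystroke data is being formatted (assumed heuristic list)
KEY_TOKENS = re.compile(r"scan\s*code|keyflags|keycode|makecode|vkey", re.IGNORECASE)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_keystroke_traces(blob):
    """Return strings that both name key data and contain a format conversion."""
    hits = [
        (offset, enc, text)
        for offset, enc, text in extract_strings(blob)
        if KEY_TOKENS.search(text) and FORMAT_SPEC.search(text)
    ]
    return sorted(hits)


# Constructed sample bytes standing in for a driver image (not a real SynTP.sys).
SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 12
    + b"uLScanCode=0x%02X, bKeyFlags=%X\x00"   # the string quoted in the article
    + b"\x01\x02\x03"
    + "KeyCode %d sent".encode("utf-16le") + b"\x00\x00"
    + b"Backlight level set\x00"               # no key token: ignored
    + b"ScanCode table\x00"                    # key token, no format spec: ignored
)

if __name__ == "__main__":
    # Pass a driver path to scan a real file; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, enc, text in find_keystroke_traces(data):
        print(f"0x{offset:08x} [{enc}] {text}")
```

Strings that name key data without a format conversion are deliberately skipped to keep the output short; widen `KEY_TOKENS` for drivers that use other field names.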

Owners of some HP Envy, Stream and HP x360 11 convertible products are still awaiting an update; however, according to ZwClose, Microsoft will issue a Windows Update shortly.

"At this point I had to run some ETW capture software like MessageAnalyzer to read the trace, but I couldn't do that since I didn't have an HP laptop," said the researcher.

"The research was done by reading the code of SynTP.sys, I couldn't verify if it's correct or not. I tried to find an HP laptop for rent and asked a few communities about that but got almost no replies."

They added: "One guy even thought that I am a thief trying to rob someone. So, I messaged HP about the finding. They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace.

"Get the list of affected models and the fixed driver at the HP website. The update is also available via Windows Update."