HP patches touchpad driver, but hackers could exploit flaw to spy on users.
More than 450 HP laptop models have a keylogger hidden away in a driver, forcing HP to issue patches for the affected devices.
The keylogger, found in Synaptics’ touchpad software, is disabled by default, but hackers could potentially enable it if they had access to a computer by elevating user privileges, said Michael Myng, the researcher who discovered the flaw.
Commericial workstations, consumer laptops and other HP products contain the flaw, including Spectre devices, Pavilion devices, ZBooks and others.
“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners,” an HP statement on its security bulletin read.
“A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”
Myng discovered the issue when trying to control the backlighting of an HP keyboard, noticing a format string for a keylogger when looking through the keyboard driver. Unable to find an HP laptop to test his findings, he contacted HP directly.
“They replied terrificly [sic] fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace,” he said.
HP claims the keylogger in Synaptics’ touchpad was created to debug errors. If activated however, a hacker could track every letter a laptop user typed.
A keylogger was also discovered in Synaptics subsidiary Conexant’s audio drivers, also installed in HP laptops, back in May.
We have contacted Synaptics for comment.
This article originally appeared at itpro.co.uk
