Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday December 12 2017, @10:42AM   Printer-friendly
from the it's-ok-it's-turned-off dept.

Hundreds of HP laptop models dating back to 2012 are affected by a potential vulnerability that could allow attackers to log keystrokes:

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models. Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work.

HP said more than 460 models of laptop were affected by the "potential security vulnerability". It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012. In a statement, the company said: "HP uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on HP.com."


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0) by Anonymous Coward on Tuesday December 12 2017, @11:39AM (2 children)

    by Anonymous Coward on Tuesday December 12 2017, @11:39AM (#608695)

    for technical or editorial errors or omissions contained herein.The information provided is provided "as is" without warranty of any kind.To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restorationThe [sic] information in this document is subject to change without notice.HP Inc. and the names of HP products referenced herein are trademarks of HP Inc. in the United States and other countries.Other product and company names mentioned herein may be trademarks of their respective owners.

    • (Score: 5, Insightful) by BsAtHome on Tuesday December 12 2017, @11:58AM (1 child)

      by BsAtHome (889) on Tuesday December 12 2017, @11:58AM (#608701)

      Translation for mere mortals:
      Fuck You; we do the fuck we want and the only thing you, the customer, are supposed to do is pay us. Now shut up and pay us some more.

      • (Score: 0) by Anonymous Coward on Tuesday December 12 2017, @12:51PM

        by Anonymous Coward on Tuesday December 12 2017, @12:51PM (#608706)

        I find your views interesting and would like to subscribe to your newsletter.

  • (Score: 5, Informative) by meustrus on Tuesday December 12 2017, @04:37PM (3 children)

    by meustrus (4961) on Tuesday December 12 2017, @04:37PM (#608780)

    From the linked post by Michael Myng: [github.io]

    TL;DR: HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required)...

    ...So, I messaged HP about the finding. They replied terrificly fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace...

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 2) by DannyB on Tuesday December 12 2017, @04:53PM (1 child)

      by DannyB (5839) Subscriber Badge on Tuesday December 12 2017, @04:53PM (#608787) Journal

      So it's all okay then. Enabling the keylogger requires changing a registry setting with UAC required.

      I wonder how technically feasible it is for anyone who controls Intel Management Engine to change this registry setting?

      Of course, with Intel ME, one could probably implement a key logger completely outside of the OS or motherboard firmware.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 3, Insightful) by Geezer on Tuesday December 12 2017, @06:08PM

        by Geezer (511) on Tuesday December 12 2017, @06:08PM (#608828)

        Can you say, "NSA"?

        Sure you can!

        It's a beautiful day in the neighborhood....

    • (Score: 2) by frojack on Wednesday December 13 2017, @05:48AM

      by frojack (1554) on Wednesday December 13 2017, @05:48AM (#609106) Journal

      TFS seems to suggest HP was throwing Synaptic under the bus.
      What's up with that?

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 2, Funny) by Anonymous Coward on Tuesday December 12 2017, @05:14PM

    by Anonymous Coward on Tuesday December 12 2017, @05:14PM (#608798)

    ... HP bundled some useful software with their laptops.

  • (Score: 2) by boltronics on Wednesday December 13 2017, @02:28AM

    by boltronics (580) on Wednesday December 13 2017, @02:28AM (#609058) Homepage Journal

    Not worried. I nuked all that pre-installed garbage with a nice clean Debian GNU/Linux installation.

    --
    It's GNU/Linux dammit!
  • (Score: 0) by Anonymous Coward on Wednesday December 13 2017, @03:50PM

    by Anonymous Coward on Wednesday December 13 2017, @03:50PM (#609243)
  • (Score: 0) by Anonymous Coward on Wednesday December 13 2017, @11:02PM

    by Anonymous Coward on Wednesday December 13 2017, @11:02PM (#609462)

    "potential security vulnerability"

    can't take you seriously if you don't know what "vulnerability" maybe just a liar?

(1)