Back in May, HP was struck with the surprising revelation that some models of its laptops had been shipping with a keylogger preinstalled on the systems. It seems that history is repeating itself, as a security researcher has discovered a second keylogger that could have affected more than 460 models of HP laptops.
This new keylogger was found by security researcher Michael Myng, who explained that the code was embedded in the software drivers that enable the keyboard to function. This allows every keystroke from its first boot to be tracked and cause a “potential security vulnerability,” as stated by HP itself.
This issue is known to have affected the EliteBook, ProBook, Pavilion and its gaming-centric Envy line of devices, among others.
Users of any affected laptop need not worry, as HP has issued a software patch for customers to remove the keylogger themselves. It has been stated that the keylogger itself was disabled by default, and therefore hasn't tracked anyone's data unless purposefully activated. This is where the issue arises, as attackers can potentially exploit this as a vulnerability.
The keylogger was built into the Synaptics software, in which HP states it was intended to help debug errors. While the HP has since recognised that this could be a case of “loss of confidentiality,” it has stated that neither it nor Synaptics had access to any customer data as a result of the incident.
For anyone concerned that their device might have been affected, HP has released a comprehensive full list of laptops known to have shipped with keyloggers since 2012, each with a fix. Given the length of the list with slightly varying links to each solution, we'd advise using the good old search function (Ctrl+F) to find your model, just to make it easier.
KitGuru Says: It does seem like a strange risk for a company to take in order to simplify the debugging process, no matter how grueling of a task. Still, the company promptly issued a fix for what is a blatant security concern.