'Keylogger' Found on HP Laptops Not a Serious Threat

Editor's Note: This article was updated on December 14 per information released by Synaptics in a blog post.

A keystroke-recording tool, which some have called a keylogger, found on hundreds of HP notebooks is getting a lot of tech sites riled up, but it doesn't appear to be the privacy nightmare that some may have you believe. 

Yes, there was a tool lurking inside of more than 460 models of HP laptops (some of which date back to 2012), but it's easy to eradicate, is deactivated by default and likely hasn't been used against you.

What to Do Now

Before the issue was publicly disclosed, HP owned up to the mistake of leaving this tool inside of its laptops, and on Nov. 7 posted device-specific patches for most of the models affected, which can be downloaded here. Hopefully, the tool was already removed from your notebook, as Microsoft bundled those patches into the November Windows update.

If you can't find your model in the linked page, just run Windows Update by clicking the Start button, clicking the settings gear, hitting Windows Update and tapping Check for Update. In its advisory, HP noted that "a potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners."

MORE: Your Router's Security Stinks: Here's How to Fix It

In a blog post released on December 13, Synaptics stated that the technology in its touchpad driver isn't a keylogger, but in fact a debug tool whose memory is cleared often, including whenever there's a power event, such as turning a machine on or off. Synaptics also noted that the debug tool earned a Common Vulnerability Scoring System (CVSS) score of "approximately 2 out of 10, and is classified as a low risk."

In its post, Synaptics suggests that the debug tool was placed in more notebooks than just HPs, by stating "This debug feature is a standard tool in all Synaptics drivers across PC OEMs and is currently present in production versions." In the footer of the blog post, it calls out HP for issuing updates from its site and through Microsoft's Windows update, but not does not mention any other PC makers.

The activity-tracking tool, which is actually made by touchpad-maker Synaptics and appears to be developer software, was discovered by a tech sleuth named "ZwClose" who was trying to find out how the backlighting worked in HP laptop keyboards. In a detailed explanation he posted on Dec. 7 to GitHub, this mysterious expert said he noticed that the SynTP.sys keyboard driver contained code that would save and transmit user activity.

Fortunately for owners of the affected laptops -- which include models from nearly every HP line, such as Pavillion, Envy and Spectre -- ZwClose noted that the technology needs to be enabled by editing the Windows Registry, and could be erased by simply updating Windows. 

(We've not heard of the same issue affecting other brands yet, but it's worth noting that HP had a similar problem with a third-party audio driver in May 2017.)

In a statement, HP stated that it "uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on HP.com."

While nearly every affected model that HP lists has a patch available, eight do not:

  • HP ENVY m6-n000 Notebook (models m6-n0XX and m6t-n000)
  • HP ENVY m6-n000 Notebook (models m6-n0XX and m6z-n0XX)
  • HP ENVY m6-n100 Notebook (models m6-n1XX and m6z-n1XX)
  • HP ENVY m6-n200 Notebook (models m6-n2XX and m6z-n2XX)
  • HP ENVY TouchSmart 15 Notebook PC (models 15-q1XX and 15t-q100)
  • HP ENVY TouchSmart 15 Notebook PC (models 15-q0XX and 15t-q000)
  • HP Stream x360 11 Convertible Notebook (models 11-p0XX and 11t-p000)
  • HP x360 11 Convertible Notebook (models 11-p1XX and 11t-p100)

If you use any of those HP laptops, keep an eye on their listings here to see if HP provides a fix.

While we advise users to perform this action as soon as they can, you're probably safe for the moment. HP states that "A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue."

In order to enable the behavior-tracking capabilities, a user would need to access the notebook on an account with administrator rights. And if someone has already made it that far into your notebook, they could install their own surveillance technology. So as we always say, keep administrator access to your machine to a bare minimum.

Image Credit: Shaun Lucas/Laptop Mag

Windows 10 Security and Networking