HP Business Laptops Are Logging User Keystrokes

Editor's Note: This story has been updated on Friday, May 12, with a comment from HP vice president Mike Nash.

If you use one of HP’s business PCs -- an EliteBook, ZBook or ProBook -- your laptop may have come with a preloaded keylogger recording everything you type into an unencrypted log file. Swiss security group ModZero first discovered the security flaw in the preloaded Conexant audio driver that appears on many of these notebooks. The driver is supposed to be watching to see if you hit keys that launch certain audio functions, but instead writes every single stroke into an easily-accessible text file.

Using an HP EliteBook 1040 G3, we were able to verify the issue ourselves. After we updated to the latest version of the Conexant driver, which was dated March 20, 2017, a text file located at C:\Users\Public\MicTray.log began showing a detailed list of all the keys we'd pressed.

However, the strokes would be hard for an average person to read, because they are stored as hexadecimal keyboard scan codes, with one stroke on each line. So hitting the letter "a" several times gave us a log entry that read like this:

Mic target 0x1 scancode 0x1e flags 0x0 extra 0x0 vk 0x41
Mic target 0x1 scancode 0x1e flags 0x80 extra 0x0 vk 0x41Mic target 0x1 scancode 0x1e flags 0x0 extra 0x0 vk 0x41Mic target 0x1 scancode 0x1e flags 0x80 extra 0x0 vk 0x41

It took us a little while to figure out that the 0x1e actually is the keycode for the letter "a" and that the rest of the information can be ignored. A very determined hacker could go through all of your strokes and translate them from hex into real characters and try to reconstruct what you wrote. The log file also deletes itself every time you log out of your system so a malefactor would have to get it either from a system backup or while your computer is still on.

To check whether you are using one of the affected system, you can look for the C:\Users\Public\MicTray.log file and see if it has any content inside. Some enterprising users on Reddit have figured out a way to disable the software by editing a few values in Window’s registry, so click here to see /u/My_Angry_Account’s guide to manually editing your registry.

On Thursday (May 11), HP vice-president Mike Nash told ZDNet that a fix for this keylogging software is available via Windows Update and HP.com for notebooks released 2016 and later, while models released in 2015 will receive a patch today (May 12). Nash also noted that the keylogging code was not supposed to be in laptops sold to the public, noting that it was mistakenly added to the drivers.

In a brief statement, an HP spokesperson claimed the company "has no access to customer data as a result of this issue."

Here's a list of potentially affected laptops, according to ModZero:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Laptop Guide