Keylogging - HP had a keylogger in the keyboard driver

Boboy

Starting to get Involved
#1
“TL;DR: HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required).”

Sorry I was not able to post the link because my post count must be 10 or greater to be able to do so.

HP keyboard drivers are doing keylogging. Possible root cause -
1. They outsourced the keyboard driver development. Issue on control of outsourced process.
2. Their QAs aren't equipped for security code review.
Can you think of any other root cause(s) and the appropriate corrective action?
 

Marc

Retired Old Goat
Staff member
Admin
#2
It is described here and at quite a few other sites: Keylogger Found in HP Notebook Keyboard Driver

Software (and device) security reviews are a big topic these days. The recent Amazon lock and camera are another example of security bugs, one of which is described here: Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera | WIRED

Some are calling for licenses for programmers who code software, much like electricians, plumbers and other trades require licenses.

Root cause? I would say no control over supplier and lack of sufficient/effective code review.

For some thoughts, also read: The true root causes of software security failures | Computerworld

and

Top Software Failures of 2017 (So Far) - Worksoft Inc.

and

Top-selling handgun safe can be remotely opened in seconds—no PIN needed | Ars Technica

and

Jeep Cherokee Hacked | Wired
 

Sidney Vianna

Post Responsibly
Staff member
Super Moderator
#4
Can you think of any other root cause(s) and the appropriate corrective action?
Yes. Intelligence agencies and/or "bad actors" deliberately infiltrate the driver code development process to exploit the weakness.

Corrective action? :rolleyes:
 

Mark Meer

Trusted Information Resource
Trusted
#6
:mg:

Seriously?! I know the NSA has been violating citizens' privacy in all sorts of ways, but this seems so flagrant I'm surprised I've never heard of this. Did any major publication report on this, or is it just limited to tech blogs and reviews of Glenn Greenwald's book? If not, what are we to assume? Media collusion? ...or is this a case of smoke but no fire?

I must admit, my skeptic bells are ringing. Presumably, the "organizations targeted for surveillance" are no small fry, so why with such a revelation is nobody launching a suit against the federal government? Is it lack of evidence, or simply that the fourth amendment is now meaningless and cannot be defended?

I'm not sure what to believe anymore... :bonk:
 

Ninja

Looking for Reality
Trusted
#7
Try "A Higher Loyalty" by James Comey...of course biased, but an interesting read from someone 'trying' to be neutral...
 

hogheavenfarm

Quite Involved in Discussions
#8
The need to actually plant malware has been rendered obsolete by forcing the chip manufacturers to build the access into the chip; it is now operational under numerous names like TPM 2.0, IME, DRM, etc. The recent bug (Spectre?) find which sent all the manufacturers scrambling was in this first level chip instruction set. I keep my ten-year-old laptop running just for this reason. It is not immune, but the chip instruction set is extremely limited. I tried to purchase a Linux unit without these and was told it is not possible; all chip manufacturers had to comply. I forgot all the details (this was two years ago) but I could dig them up.
I have a Prism slide titled "FAA702 Reporting Highlight" which shows the operation of the "implant" being removed after use, so it was used at one time.
 

Mark Meer

Trusted Information Resource
Trusted
#9
...forcing the chip manufacturers to build the access into the chip...
Curious: how?

Are there particular regulations (& policing regulatory body) that one could point to that require such vulnerabilities be built into microchips?

Are chip manufacturers somehow incentivised to build in exploits in their own products against their business interests?

Does some arm of the intelligence agencies go to these manufacturers and "force" design changes at the point of a gun?

...or are these vulnerabilities perhaps merely an unintended and unforeseen by-product of integrating some processing feature/efficiency that was voluntarily and universally adopted by the industry?
 
