Laptop touchpad driver included extra feature: a keylogger

(credit: Valentina Palladino)

Flaws in software often offer a potential path for attackers to install malicious software, but you wouldn’t necessarily expect a hardware vendor to include potentially malicious software built right into its device drivers. But that’s exactly what a security researcher found while poking around the internals of a driver for a touchpad commonly used on HP notebook computers—a keystroke logger that could be turned on with a simple change to its configuration in the Windows registry.

The logger, which could potentially be leveraged by an attacker or malware to harvest login credentials and other data, was discovered by security reasearcher Michael Myng (also known as ZwClose) lurking within driver software for Synaptics touchpads—used by hundreds of HP and Compaq business and consumer notebook computer models, as well as many other Windows notebook computers from other manufacturers. Myng disclosed the discovery on his blog on December 7 after the problem was disclosed to HP.

The keylogger was apparently included for debugging during development and is disabled by default. However, a user or software with administrative privileges could activate the keylogger by making a registry change—potentially remotely using Windows Management Instrumentation (WMI) or PowerShell scripts. Once turned on, it captures keystrokes and generates a trace log file.