Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

HP Laptop Audio Driver Acts as Keylogger

A researcher discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes, making it easier for malicious actors to steal potentially sensitive information without being detected.

A researcher discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes, making it easier for malicious actors to steal potentially sensitive information without being detected.

Thorsten Schroeder of Swiss security firm Modzero noticed that the MicTray64.exe application, which is installed on many HP devices with the Conexant audio driver package and registered as a scheduled task in Windows, monitors all keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).

The problem is not that the keys pressed by the user are monitored. The problem, according to the expert, is that keystrokes are logged to a file in the Users/Public folder. Furthermore, keystrokes are passed on to the OutputDebugString debugging API, allowing a process to access the data via the MapViewOfFile function.

This leads to sensitive user data, including passwords, getting logged to easily accessible locations. A piece of malware could exploit the flaw to steal data without alerting antimalware products that look for suspicious behavior, the researcher warned.

“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,” Schroeder said in a blog post. “If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user.”

The researcher pointed out that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file. This functionality was introduced in version, released in October 2016. It’s unclear if any of the logged data is being sent back to Conexant servers.

Modzero said the vulnerability, tracked as CVE-2017-8360, appears to affect 28 HP laptops and tablet PCs, including EliteBook, ProBook, Elite X2 and ZBook models. The security firm believes devices from other vendors that use hardware and drivers from audio chip maker Conexant could be affected.

SecurityWeek has reached out to both HP and Conexant for comment and will update this article if they respond.

Until a fix becomes available, users who are concerned with the application’s behavior have been advised by Modzero to delete the MicTray64 executable from WindowsSystem32 and the MicTray.log log file from UsersPublic. One user has complained on Reddit that getting rid of the software, especially its registry keys, is not easy.

UPDATE. HP has provided the following statement: HP is committed to the security of its customers and we are aware of an issue on select HP PCs. We have identified a fix and will make it available to our customers.

Related: Display Software Flaw Affects Millions of Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.