Synaptics says recent reports inaccurately characterized a debugging tool found in its touchpad drivers as a keylogger, but the company has decided to remove the functionality from its products.
Earlier this month, a researcher reported finding what appeared to be keylogger functionality in a Synaptics touchpad driver shipped with hundreds of HP laptops. The functionality is disabled by default, but a user with administrator privileges can enable it and abuse it to log keystrokes.
The vulnerability, tracked as CVE-2017-17556, was reported to HP and patched by the company in November.
HP classified the vulnerability as medium severity (CVSS score of 6.1), and Synaptics has assigned it a low severity rating (CVSS score of 2.0). Some people agree that the flaw is not serious, arguing that an attacker with administrator privileges can install a proper keylogger and other types of malware.
Synaptics said the functionality was added to some of its drivers for diagnosing, tuning and debugging touchpads, but it was disabled before being shipped to customers. The same drivers are provided to other PC manufacturers, not just HP, but no other company has been named to date.
“Synaptics believes now, for best industry practices, that it should remove this debug tool for production versions of the driver,” the firm said. “Synaptics is unaware of any breach of security related to this debug tool.”
The company says it’s working with partners to identify affected products and release new drivers. It also recommends restricting administrator access to systems in order to prevent unauthorized activities.
“Synaptics takes great pride in making sure that its TouchPad drivers and other products meet industry-best security standards. In our new normal of heightened concern for security and privacy, Synaptics would like to apologize for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise,” Synaptics stated.