As I am sure that some of you have read, on May 11, a Swiss cyber-security firm, Modzero AG, released a whitepaper highlighting a keylogger issue – which, in this case, is debug code – that is present in Conexant audio drivers on select HP computers.
At HP, customer security is our top priority, so I wanted to give an update on the issue, what we have done, and our best advice to customers.
First and most importantly, there is a fix for our commercial PCs available on HP.com as of today, May 12, with fixes for all consumer PCs scheduled to be available on May 13. In addition, HP has not had, nor will it have, any access to user data as a result of this issue.
When HP learned about this earlier this month, our Cyber Security team immediately investigated the issue, found the root cause and worked on a fix. In addition to being available on HP.com, we are also in the process of getting it published through Microsoft’s Windows Update Service. This is so customers – especially those with PCs not managed by an IT organization – will get the update automatically. For customers whose PCs are managed by their internal IT team, the update is available for deployment through their standard sets of tools.
As Modzero’s report states, there was a keylogger capability in the Conexant HD audio driver package that is preinstalled on some HP PCs. This capability was created by Conexant during the development process to help debug an audio issue. Adding debug code is a normal part of the development process and such code is supposed to be removed and never included in a commercially available product. Unfortunately, in this case, Conexant did not remove the code. We certainly never intended to include this code in shipped products.
The debug code stores keystrokes in a log file that it creates to help developers diagnose an issue. This code is stored in a file locally on the PC, and then it is cleared out each time the user logs off and whenever the PC is rebooted.
Some media coverage suggested that the log files are sent back to HP. These articles are inaccurate – such information is never sent back to HP. Again, HP never intended to include this functionality in a shipped product used by customers. What is most important to know is that there is an immediate commercial fix available with all consumer fixes available by May 13.
This issue affects certain commercial notebooks and desktop systems manufactured since 2015. In addition, a select set of our consumer systems are affected. For more information on the exact systems that need an update to the audio driver, check out our security advisory.
Our best advice to customers is to install the updated driver package. If you are a consumer customer or a business without a dedicated IT team, we recommend using Windows Update to keep your PC updated automatically. For customers with a dedicated IT organization, download the SoftPaq from HP.com and distribute the updated driver package as you would any other update. Given the nature of this issue, our advice is to deploy this update as quickly as possible.
While HP didn’t create the driver, our job is to keep the customer safe even when the issue is with third-party code. We have learned from this situation and will work with our partners to further verify the debug code is removed from their software before it goes final. That said, we will also continue to work with the security community to learn about these issues if they do come up, and then work to make sure we can get high-quality fixes out to customers as quickly as possible, just as we are doing in this case.
For more information, please read the security advisory available here.