back to article Leftover Synaptics debugger puts a keylogger on HP laptops

For the second time this year, HP Inc has had to patch its laptops after a security researcher found a driver-level keylogger – and this time, other laptop-makers might have to check their own products. The debug trace was in the Synaptics Touchpad driver used almost across-the-board in HP laptops, and while it is turned off …

  1. Flocke Kroes Silver badge

    Can anyone explain

    Why is a key logger in any way useful in a mouse or audio driver?

    1. Lysenko

      Re: Can anyone explain

      Possibly on-screen keyboards. If you have a touchscreen laptop, keycodes might be generated via three different mechanisms (physical keyboard, touchscreen soft keyboard, touchpad operated soft keyboard) and you might want logging to ensure they are all working consistently.

    2. Anonymous Coward
      Anonymous Coward

      Re: Can anyone explain

      Some of them may intercept keyboard shortcuts, and mouse/touchpads can generate key sequences to be assigned to buttons or gestures. I may somehow understand such code in debug builds, it has to be fully removed from production one, being 'protected' by a registry key is not enough.

      That's why I hate languages that don't have IFDEF or something alike, to easily allow removal of code from production builds.

      1. Hans 1

        Re: Can anyone explain

        That's why I hate languages that don't have IFDEF or something alike, to easily allow removal of code from production builds.

        Feel smart, hey ? In which language were these written, do you think ?

        In this case, synaptics f'd up as they left dev stuff in the enduser software. The audio driver, apparently, was another issue entirely causing the same effect, keyloggers on punters systems ....

        1. Anonymous Coward
          Anonymous Coward

          Re: Can anyone explain

          I didn't mean this instance bug was due to a lack of IFDEF or similar facilities - just the less people are trained to separate and isolate debug code from production one, and the increased number of languages believing preprocessors are bad (just because C allows to do nasty things with it), the more debugging code will be kept in production environments.

          That Synaptic left the keylogger code there is really nasty. Probably someone thought it would have been smart to leave it it here protected by a switch, instead of isolating it in sections that could be removed in production builds.

          A language doesn't really need a preprocessor as powerful - and dangerous - as C. But some facilities to remove code from the final output are usually welcome.

          1. Lysenko

            Re: Can anyone explain

            But some facilities to remove code from the final output are usually welcome.

            They usually exist as well, but it takes more work to use them. For example, if you're using vanilla JavaScript then there's no ifdef, but if you're using it with a compiler (transpiler) and a linker (webpack) then you can use ifdef-loader. Python has ifdef.py. I'm sure you can do something similar with Ruby etc.

            The issue is really that ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic so pre-processor functionality can never be as consistent.

            1. werdsmith Silver badge

              Re: Can anyone explain

              The BBC explanation:

              He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing.

              According to HP, it was originally built into the Synaptics software to help debug errors.

            2. Anonymous Coward
              Anonymous Coward

              Re: Can anyone explain

              Even with scripting languages would be very useful to have standard facilities available everywhere, and not depending on some third party efforts which may introduce issues, to transform a "source" file to a "production" one removing correctly code marked in some way. I understand just copying files is easier, but it may also become a security liability. Or we can keep on preferring easiness to security.

              Sometimes even when there's a "build" step such facilities have been removed for "purism" - just look at Java. Using switches is dangerous (they can be activated by bugs or intentional attacks, while compiler side effects made code harder to read.

            3. david 12 Silver badge

              >ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic<

              However, most "interpreted" languages for the last 20 years have been compiled, as was BASIC in the 1960's, so that's a less useful distinction than perhaps you meant.

              1. Lysenko

                Re: >ifdef only makes sense if there is a "build" step and with an interpreter that isn't automatic<

                If we're being pedantic, there's no such thing as an "interpreted language", there are simply interpreted implementations of languages. Interpreters exist for C and there are compilers for JavaScript buried in the bowels of JS VMs (two of them in the case of V8).

      2. joeldillon

        Re: Can anyone explain

        Why are you capitalising ifdef?

        1. Lysenko

          Re: Can anyone explain

          {$IFDEF DEBUG}

          Writeln('Development build.');

          {$ELSE}

          Writeln('Production build.');

          {$ENDIF}

          ... is how you conventionally write it in Delphi/Pascal. The language is case-insensitive of course, so $ifdef or $IfDef etc do exactly the same thing.

        2. Anonymous Coward
          Anonymous Coward

          "Why are you capitalising ifdef?"

          To make it standout - I didn't use any particular syntax.#ifdef, %ifdef, $IFDEF, etc. Also probably an unconscious use from some assembly languages...

    3. Doctor Syntax Silver badge

      Re: Can anyone explain

      "Why is a key logger in any way useful in a mouse or audio driver?"

      The same general purpose debugging code dropped into all of them?

    4. Slacker20012

      Re: Can anyone explain

      Are you really asking that question

    5. Clive Galway

      Re: Can anyone explain

      Dunno about for audio, but it would be useful for mouse, especially if you want to allow modifier keys (eg Fn+Click does something special).

      Looking at the screenshot, it mentions "stick" and "SuppressAfterKeypress" - I am thinking this is maybe to do with "nipple" mice?

      I think what it maybe does is suppress movement of the mouse while you are typing - maybe without it, the vibrations from keypresses wobble the mouse pointer around.

  2. sloshnmosh

    DELL

    I know that Dell uses a Synaptics driver on some of it's touchpads. I own two Dell laptops that both use a Synaptics driver and I just repaired my sisters Dell XPS laptop that (had) the Synaptics touchpad driver as well.

    I say "had" because I she had a trojan as well as a fileless rootkit in the Windows RUN registry hidden by a null character so rather than take a chance I replaced the hard drive and fresh OS but never installed the Synaptics touchpad driver.

    (The touchpads work just fine on all 3 Dells with the generic Windows drivers)

    1. Voland's right hand Silver badge

      Re: DELL

      ever installed the Synaptics touchpad driver.

      The one supplied by Microsoft is most likely also a written by Synaptics and not MSFT themselves. Using it is not a guarantee that you are not vulnerable.

  3. sloshnmosh

    DELL

    You have a point that the driver in the operating system may be written by Synaptics as well.

    However, I don't see anything under the Synaptics name when I did a registry search or listed in the Windows Device Manager.

    According to another researcher, HP did not remove the keylogger in their newer version after the Audio driver fiasco and could be enabled in the registry just like this new keylogging incident.

    (Or did I not read the researchers Twitter correctly? It was confusing.)

    https://securityaffairs.co/wordpress/66502/hacking/keylogger-hp-driver.html

  4. This post has been deleted by its author

  5. Paratrooping Parrot
    WTF?

    How far back does it go?

    I have an old laptop from 2011 that has a Synaptics pointing device driver. Would this have the issues?

  6. sitta_europea Silver badge

    So they "forgot" to remove the debugging code, did they?

  7. FlamingDeath Silver badge

    YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

    Look at all that juicy profit we made when we took the business decision not to test our shit properly for mistakes.

    Software coders, to use an analogous comparison, building architects

    If your structure does not hold up, you will be known as a cowboy.

    The same needs to apply to software, what makes you think you're so special that we should just tolerate your mistakes?

    I can forsee a future when software developers go to jail for their stupid mistakes, that's my prediction.

    How long before a software coding mistake results in the loss of life on a grand scale, can you predict the next 100 years?

    I think I can do a bit of extrapolation

    1. Anonymous Coward
      Anonymous Coward

      Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

      "How long before a software coding mistake results in the loss of life on a grand scale, can you predict the next 100 years?"

      Toyota accelerator pedals? ECU receives conflicting signals - fully open throttle and fully applied brake, so decided to act on the throttle signal and leave the brakes to fend for themselves.

      People died as a direct result. Quite a few. Was anyone prosecuted?

      1. Spender

        Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

        As an anecdote about software failings, the Toyota accelerator pedal really isn't a very good example.

        On Wikipedia, we find a somewhat different version of events:

        'On February 8, 2011, the NHTSA, in collaboration with NASA, released its findings into the investigation on the Toyota drive-by-wire throttle system. After a 10-month search, NASA and NHTSA scientists found no electronic defect in Toyota vehicles. Driver error or pedal misapplication was found responsible for most of the incidents. The report ended stating, "Our conclusion is Toyota's problems were mechanical, not electrical." This included sticking accelerator pedals, and pedals caught under floor mats.'

        Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news.

        1. Anonymous Coward
          Anonymous Coward

          Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

          "Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news."

          Readers who dig deeper, e.g. with primary sources, will find that NASA and NHTSA investigators were initially denied meaningful access to important parts of the Toyota design and implementation, which may account for the claim that "NASA and NHTSA scientists found no electronic defect in Toyota vehicles."

          Reputable experts who did eventually get better access to design info that mattered came to very different conclusions than the NASA/NHTSA quote above.

          Read the facts, and draw your own conclusions. Further definitive reading includes any or all of:

          https://www.eetimes.com/document.asp?doc_id=1319903 (25 Oct 2013)

          "Could bad code kill a person? It could, and it apparently did.

          The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.

          This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.

          The plaintiffs' attorneys closed their argument by saying that the electronics throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.

          [continues]"

          https://embeddedgurus.com/barr-code/2013/10/an-update-on-toyota-and-unintended-acceleration/ (26 Oct 2013)

          "Michael Barr, a well-respected embedded software specialist, spent more than 20 months reviewing Toyota’s source code at one of five cubicles in a hotel-sized room, supervised by security guards, who ensured that entrants brought no paper in or out, and wore no belts or watches. [continues]"

          http://www.safetyresearch.net/blog/articles/toyota-unintended-acceleration-and-big-bowl-%E2%80%9Cspaghetti%E2%80%9D-code (7 Nov 2013)

          "Last month, Toyota hastily settled an Unintended Acceleration lawsuit – hours after an Oklahoma jury determined that the automaker acted with “reckless disregard,” and delivered a $3 million verdict to the plaintiffs – but before the jury could determine punitive damages.

          What did the jury hear that constituted such a gross neglect of Toyota’s due care obligations? The testimony of two plaintiff’s experts in software design and the design process gives some eye-popping clues. After reviewing Toyota’s software engineering process and the source code for the 2005 Toyota Camry, both concluded that the system was defective and dangerous, riddled with bugs and gaps in its failsafes that led to the root cause of the crash.

          Bookout and Schwarz v. Toyota emanated from a September 2007 UA event that caused a fatal crash.

          [continues]"

          https://betterembsw.blogspot.co.uk/2014/09/a-case-study-of-toyota-unintended.html

          "Here is my case study talk on the Toyota unintended acceleration cases that have been in the news and the courts the past few years."

          https://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf (18 Sep 2014)

          You can read about Koopman himself at

          https://users.ece.cmu.edu/~koopman/

          (CMU is Carnegie Mellon University, where Koopman is Associate Professor)

          etc

        2. Kiwi
          Paris Hilton

          Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

          Bad design (maybe), bad pedal layout (maybe), but bad software? Fake news.

          Question. Did this issue affect other car makers to the same extent? Even 90% the same extent? Hell, I'll settle for 70% the same extent, on a per car/per capita type basis.

          Just Toyota? But surely if this is driver error you'd see a similar rate across similar styles/price ranges of cars.

          I still haven't figured out how you can have your floor mat UNDER your pedal when you first put your foot on it but SOMEHOW the mat gets between your foot and the pedal without you noticing.

          (El Reg we still need that "something fishy" icon!)

          1. hoola Silver badge

            Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

            It is called Agile and is the reason that so much shite software is produced. Agile is touted as the "must have" methodology" develop. The reality is that it s a piss-poor sorry excuse conjured up by management consultants and highly paid idiots that believe they are developers. The result is constantly changing software that is full of bugs that no one gives a toss about because it has been delivered quickly. They then use the next "sprint" to layer another pile off untested shite on top of what is already there.

            As with all these fads some other equally bonkers scheme will come along to improve productivity, responsiveness or profit for someone.

    2. Dinsdale247

      Re: YeeeeeeeeeeeeeHAAAAAAWWWWWWWW!!!

      Or, more accurately arrest the Project Manager that told the developers to get the code done on x date or they're fired.

      I can say with certainty there are few qualified software developers that WANT to ship shoddy code. But, if "the boss" says there is no budget for fixing problems and testing, then you get what you get.

      There is never time to do it right, and rarely even time to fix it until the customers start suing.

  8. Primus Secundus Tertius

    Happens everywhere

    "...debugging code the developers forgot to remove from production models."

    I suspect this was the cause of the Volkswagen diesel commotion. Then the software passed a test brilliantly. After that, Management said to Resources: "You are not going to be difficult about this, are you?"

  9. Anonymous Coward
    Big Brother

    How people laugh at Richard Stallman calling him a mad hippy who appears to have taken too much acid.

    Who's mad and who's laughing now ?

    Plausible deniability, in CIA parlance.

  10. Anonymous Coward
    Anonymous Coward

    NOT so fast ..

    Maybe we ought to slow down here.

    How certain are we that this is not an effort by HP to installa keylogger as the result of some secret order by US authorities, now that they have finally managed to get Kaspersky out of the way?

    Against this theory: discovered by an independent security researcher

    For: recent efforts.

    I'd want that "update" checked too first. Just in case.

  11. Yet Another Anonymous coward Silver badge

    Good job Synaptics are American

    Or they would now be banned from US government machines

  12. ThatOne Silver badge
    Coffee/keyboard

    What's the problem? Synaptics just wanted a slice of that "user data" pie too. I mean, why should everybody else get some and not them?

  13. Scott 53

    Can't fix it

    The download from HP consistently stops between 60 and 70 MB (of 181 MB)

    1. Anonymous Coward
      Anonymous Coward

      Re: Can't fix it

      For a freakin' *keyboard driver*? That's insane! No wonder they've lost things in there!

      1. Anonymous Coward
        Anonymous Coward

        Re: Can't fix it

        Keyboard driver? Surely the Synaptics driver is just for the trackpad? I suppose the bumblers of HP could be bundling it all up (ICBA to look), but if not, then 181 MB is indeed impressive. The entire King James Bible is only 1.4 MB in ePub format.

  14. Anonymous Coward
    Anonymous Coward

    Great how many people check every single drivers ? Sure in linux lots of eye balls on the kernel and stuff like system d. but who would think some one would put a key logger in a device driver.

  15. Anonymous Coward
    Stop

    Here's what you need to do...

    1. Take any HP equipment you or your family own and smash it sufficiently so it's beyond use. There, that's better.

    2. Ask yourself what you were thinking ever trusting HP for anything.

    3. Ask yourself again. Remind yourself that HP hasn't made a decent product since the original Laserjet and the HP-12c. Remind yourself of what idiots HP management are. Remember Meg Whitman, who even made Hilary Clinton look nearly honest and upstanding.

    4. Add them to the list of companies who will never receive any more money from you (see also: Sony, Microsoft.)

    5. Calm down and have a beer. You can buy a new computer in the January sales.

    1. Kiwi
      Mushroom

      Re: Here's what you need to do...

      1. Take any HP equipment you or your family own and smash it sufficiently so it's beyond use. There, that's better.

      I thought that was the default state of their consumer-grade laptops anyway? Though not so much smashed as cooked due to a) stupidly designed cooling system and b) even stupider lack of thermal cutout...

      No need to smash it. Just let it run for an hour or two and it'll make sure the electronics are all nice'n'toasty for you.

    2. hoola Silver badge

      Re: Here's what you need to do...

      You have not read the article, it is in the Synaptics software, written by Synaptics, not HP specific. It has been found on HP devices.

      "Take any laptop with a Synaptic touch pad and smash it. That will cover most laptops and who is to say that what you replace it with does not have some other hidden gem?

      1. Anonymous Coward
        Stop

        You have not read the article...

        Yes I have.

  16. Anonymous Coward
    Anonymous Coward

    #1000 more reasons to 'unplug' next year

    Dumb oversight or the new normal? ... Maybe it was deliberate because 'you know, the data might be useful sometime' (see early classics like LG Smart TV's slurping USB filenames or googhoul street-slurp etc). Or lets be friendly to the 5-Eyes... Either way, the number of reasons to air-gap your PC just went up like Bitcoin returns in 2017. 2018? Ain't going to be better...

  17. Anonymous Coward
    Anonymous Coward

    Friends don't let friends buy HP Laptops

    Security of your data on an HP laptop is much better than expected, even with the key logger, because the damn laptop is probably broken again anyway.

    1. Piro Silver badge

      Re: Friends don't let friends buy HP Laptops

      Yeah, pretty much.

  18. mjflory

    Re: Here's what you need to do...

    My HP 95LX is doing just fine, thank you.

  19. That_Huey

    The real q

    More importantly, did they find how to adjust the keyboard backlight anywhere other than on or off?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like