HP has released driver updates for hundreds of notebook models to remove debugging code that an attacker could have abused as a keylogger component.
The keylogging code was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver that ships with some HP notebook models.
"The logging was disabled by default but could be enabled by setting a registry value," said Michael Myng, the security researcher who discovered the flaw earlier this year.
That registry key is:
Malware developers could use this registry key to enable the keylogging behavior and spy on users through a native, kernel-signed driver, which security products would not flag. All they would have to do is bypass a UAC prompt when modifying the registry key, and dozens of UAC bypass methods are currently available.
"The keylogger saved scan codes to a WPP trace," said Myng. WPP (Windows software trace preprocessor) tracing is a mechanism developers use to log diagnostic output while debugging code during development; it is not meant to ship enabled in production drivers.
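For administrators who want to inventory their fleet, the following PowerShell snippet is an added example, not code from the article, from Myng, or from HP. It locates the SynTP.sys driver, reports its file version and Authenticode signature status so it can be compared against HP's affected-model list, and checks whether the trace-enabling registry value is present. The article does not reproduce the registry key, so the key path and value name below are placeholders that must be replaced with the values from HP's advisory; the driver path assumes the standard Windows driver directory.

```powershell
# Added example (not from the article, Myng, or HP/Synaptics): inventory check for
# the Synaptics touchpad driver on a Windows host.
# Assumptions: the driver sits in the standard drivers directory, and the registry
# location that toggles the WPP trace is a PLACEHOLDER because the article does
# not reproduce it. Replace both placeholders with the values from HP's advisory.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
$tracePath  = 'HKLM:\SOFTWARE\PLACEHOLDER_SYNAPTICS_KEY'   # placeholder key path
$traceValue = 'PLACEHOLDER_VALUE_NAME'                     # placeholder value name

function Get-SynTPStatus {
    # Collect everything a defender needs to triage this host in one object.
    $result = [ordered]@{
        DriverPresent       = $false
        FileVersion         = $null
        SignatureStatus     = $null
        TraceSettingPresent = $false
    }

    if (Test-Path $driverPath) {
        $file = Get-Item $driverPath
        $result.DriverPresent   = $true
        # Compare this version against the fixed version HP lists for the model.
        $result.FileVersion     = $file.VersionInfo.FileVersion
        # A tampered or replaced driver would show NotSigned or HashMismatch here.
        $result.SignatureStatus = (Get-AuthenticodeSignature -FilePath $driverPath).Status
    }

    if (Test-Path $tracePath) {
        $props = Get-ItemProperty -Path $tracePath -ErrorAction SilentlyContinue
        # Presence of the value (not just the key) is what would indicate that
        # someone has switched the trace on; absence is the expected default.
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $traceValue)) {
            $result.TraceSettingPresent = $true
        }
    }

    [pscustomobject]$result
}

Get-SynTPStatus | Format-List
```

A host where `DriverPresent` is true and `FileVersion` predates the update for that model should be patched from HP's list; a host where `TraceSettingPresent` is true warrants an incident-response look, since the default is for the value to be absent.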
After reporting the issue, the researcher said HP devs candidly admitted the keylogging code was a leftover from debugging sessions and "released an update that removes the trace."
This is not the first time HP engineers have forgotten debugging code inside a driver. The same thing happened in May, when they left similar keylogging code inside an audio driver.
HP released a list of affected notebooks. The list, which also includes links to firmware updates, is 475 models long: 303 consumer notebooks and 172 commercial notebooks, mobile thin clients, and mobile workstations. Affected model lines include HP's 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models.
Myng also published a technical analysis of the SynTP.sys file and the keylogger code for security researchers and software developers.
Update 12/11/17: BleepingComputer has published an article on how to check for and remove the keylogger: How to Check Your HP Laptop for the Synaptic Keylogger and Remove It