A widely reported “keylogger” found in many HP PCs is a debugging tool that inadvertently shipped on production machines, HP tells me. Better still, the problem is already fixed.
This episode is obviously reminiscent of the infamous “Superfish” fiasco, in which Lenovo’s consumer PCs were found to have malware installed that was designed to spy on users. Superfish was both stupid and a technical error on Lenovo’s part, but that company later turned things around nicely and embraced the Clean PC initiative.
In HP’s case, the “keylogger” is not malicious and wasn’t supposed to ship on production PCs. Instead, the code is used to debug device drivers while in testing only. HP just shipped the wrong version of the driver on its PCs.
I spoke with HP’s Mike Nash about this incident last night. He told me that the company never logged any data from customers, and that the fix—via the production version of the impacted drivers—was already deployed to Windows Update. So if you have an HP PC and are worried about this issue, just check for updates.
The “keylogger” was found by security researchers at Modzero, who informed HP of the issue but went public before the PC maker could release a fix.
“There are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’,” the Modzero alert notes. Reporting the issue before the fix was available is likewise hard to describe as “well-intended.” The idiocy continues: “So what’s the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP? The responsibility in this case is uncertain, because the software is offered by HP as a driver package for their own devices on their website.”
We don’t need to speculate. It was an honest mistake. It’s been fixed. Moving on.