Researcher Discovers Hidden Keylogger in HP Keyboard Driver

UPDATED: The Synaptics Touchpad driver which is widely used on HP laptops, included a keylogger, though it wasn't enabled by default.


Users of a number of different HP laptops are being urged to update drivers, after security researcher Michael Myng revealed a potential keylogger risk with the integrated Synaptics Touchpad driver.

Myng who is also known by his online alias ZwClose, first publicly mentioned the issue in a Twitter message on Dec. 6. In a message sent to eWEEK, Myng said that he notified HP in August and it took HP a few months to release the update.

A full technical writeup on the Synaptics Touchpad driver as integrated by HP in over a hundred different laptop models, was published by Myng on Dec. 7. The keylogger is not enabled by default, but could have potentially been turned on by a malicious attacker.

"HP was advised of an issue that exists with Synaptics' touchpad drivers that impacts all Synaptics OEM partners," HP wrote in a statement sent to eWEEK. "HP uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available in the security bulletin on"

HP quietly released the advisory and patches for the touchpad keylogger issue on Nov. 7. Though a keylogger has the potential to log all keystrokes on a system, HP noted in its' statement that it had no access to customer data as a result of this issue.


Joseph Carson, Chief Security Scientist at Thycotic said that risk of the keylogger vulnerability is that a cyber-criminal or malicious insider could use the vulnerability to capture keystrokes on an exploited device.  

"This means anything typed using one of the affected systems could be recorded including confidential, financial or even personal details," Carson told eWEEK. "The vulnerability however does require administrator privileges to exploit it."

Carson added that an attacker that could compromise administrator privileges to enable the keylogger, so that it would stay hidden and not trigger any alarms. The issue could could also have been abused by an insider who already has administrator privileges, according to Carson. 

Marcus Carey, CEO and Founder of Threatcare, downplayed the Synaptics keylogger as not being a new type of risk for users.

"I don't think this was a real risk for users because to access the keylogger the machine would have been compromised by a malicious user," Carey told eWEEK. "Additionally, keyloggers are a dime-a-dozen type of utility and there are plenty of them to be used by attackers."

What Should Users Do?

Regardless of whether or not the flaw has ever been publicly used to exploit users, there is a potential risk that users should mitigate. HP has provided patches for its impacted systems that users can download here.

"If I were writing the Ten Commandments for Cyber-security, patching would be the first thing on the list," Carey said. "Patching is absolute the best thing any [user] can do to protect themselves from most risks."

Carson commented that it's important for users to understand and determine if the keylogger was enabled at any point.  He added that it's also a good practice to use two-factor authentication tools and to consider changing passwords if any suspicious or unauthorized activity is suspected.

Synaptics has now also responded to the touchpad driver issue, claiming that the issue is not in fact a keylogger.

"The author used an unfortunate word, "keylogger" to describe a debug tool that is used by PC companies to test, debug and customize their solutions prior to shipping," Synaptics stated. "This debug tool is turned off by default and the debug code is activated only through very specific circumstances."

Synaptics added that in terms of risk, the debug tool cannot be used except by a person with PC Admin access and developer tools.

"Please note that with Admin access to a PC, a person with malicious intent can install malware and other anti-privacy tools regardless of this debug tool," Synaptics stated.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Editor's Note: This article was updated with a Synaptics statement that said the Touchpad drive included the software for a code debugger, not a "keylogger."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.