Samsung Installs Stealthy KeyLogger on Brand-New Laptops

In what would cause anyone to ask, "Why would you do that?" a report claims Samsung is shipping brand-new laptops with an active keylogger installed. It's unknown to the buyer or anyone who uses the machines.

Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.

The keylogger was discovered by Mohamed Hassan on two Samsung laptops, the R525 and R540, according to his post on the Security Strategies Alert newsletter run by Mich Kabay, CTO of Adaptive Cyber Security Instruments. In a two-part series, Hassan described how he found the keyloggers and how Samsung denied installing them

Samsung later admitted the software was there to "monitor the performance of the machine and to find out how it is being used," according to Hassan.

While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed "licensed commercial security software" before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory, he wrote.

StarLogger, from a company called de Willebois Consulting, can be downloaded from a number of sites for free. It claims to record every keystroke made on the computer, even on password-protected systems. Completely undetectable, the keylogger starts up when the computer starts up, and sees everything being typed, including email, documents and login credentials. The software periodically emails the collected data and screen captures to a defined email address.

Hassan determined that the software had been installed by Samsung and cleaned off the software. Shortly after, he bought a Samsung R540 from a different store and found the same StarLogger program in the same location after running a full-system scan during the initial setup. This confirmed his suspicion that Samsung must know about the software on brand-new laptops, wrote Hassan.

"The findings are false-positive proof since I have used the tool that discovered it for six years now, and I [have] yet to see it misidentify an item throughout the years," Hassan wrote.

Hassan called and logged the incident with Samsung Support March 1. The company initially denied the presence of the keylogger, much "as Sony BMG did six years ago," Hassan wrote, in reference to Sony's installing a rootkit on its music CDs in the fall of 2005 to monitor computer-user behavior and limit how they were copied.

At the time, Mark Russinovich, the developer who found the Sony BMG rootkit, warned, "Consumers don't have any kind of assurance that other companies are not going to do the same kind of thing [as Sony]."

"How right has Mr. Russinovich been," Hassan wrote.

Samsung tried to lay the blame on Microsoft since "all Samsung did was to manufacture the hardware," according to Hassan.

A support supervisor then confirmed that Samsung knowingly put this software on the laptop to "monitor the performance of the machine and to find out how it is being used," Hassan discovered.

Samsung wanted to gather usage data without obtaining consent from laptop owners, Hassan concluded. He called it a "d??«j??í vu security incident" and said there were legal, ethical and privacy implications for both businesses and individuals who may purchase and use Samsung laptops.

Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands, he speculated.

Samsung didn't respond to requests for comment.