Synaptics said reports that claim hundreds of HP laptops contain a secret keylogger made by the company are inaccurate. In a statement released Wednesday, the company said its software was being mischaracterized as a keylogger. It also said it would remove the debugging component from production versions of its Synaptics Touchpad Driver.
Synaptics Says HP Keylogger Is Actually A Debug Tool
Each notebook OEM implements custom TouchPad features to deliver differentiation. We have been working with these OEMs to improve the quality of these drivers. To support these requirements and to improve the quality of the experience, Synaptics provides a custom debug tool in the driver to assist in the diagnostic, debug and tuning of the TouchPad. This debug feature is a standard tool in all Synaptics drivers across PC OEMs and is currently present in production versions. This debug tool was turned off after production and prior to shipment. Synaptics believes now, for best industry practices, that it should remove this debug tool for production versions of the driver. Synaptics is unaware of any breach of security related to this debug tool.
After shipment, the supplier or user may wish to further tune and enhance the TouchPad experience by enabling the debug tool. The debug tool cannot be turned on or used except by a person with Admin access and special developer tools. When turned on, the debug tool collects data in a proprietary binary format for a rolling memory buffer that gets either overwritten or deleted every time a power event happens.
Synaptics is working closely with our PC customers to update drivers and to deploy them to address security concerns. Synaptics also recommends using best practices by restricting Admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off.
Synaptics takes great pride in making sure that its TouchPad drivers and other products meet industry-best security standards. In our new normal of heightened concern for security and privacy, Synaptics would like to apologize for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise.
Synaptics issued a security brief yesterday regarding the reports of an HP Synaptics Keyboard Driver that contained keylogging functionality. In their security brief, Synaptics states that their driver is being mischaracterized as a keylogger and it's simply a debug tool that was purposely added to the driver to help OEM manufacturers debug their hardware.
While the debug tool was put in place to help notebook manufacturers, it is important to remember that if something exists that can be used, people will try to abuse it. As new security vulnerabilities and exploits are released daily, debug features that can be exploited should not be left in software released for production.
If manufacturers need a debugging tool to perform diagnostics on their hardware, then debug drivers should be shipped to them that are used for testing. These debugging functions should then be removed for production-ready drivers. Yes, this may make things more difficult, but it is also a much more secure method.
Synaptics, for its part, said in a Synaptics Touchpad Driver - Security Brief that "using a standardized risk scoring system, the Common Vulnerability Scoring System (CVSS), this debug tool scores approximately 2 out of 10, and is classified as a low risk."
Synaptics also recommended "best practices" that restrict "Admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."
The reality, Nash said, is the debugging code that was in the HP laptops was "almost in every case off by default." Furthermore, he said, the debugging tool was not "storing data into a file," but rather kept in a "memory buffer" only used for debugging. Typically, that debugger captures about "40 seconds" of typing, said Nash, and if you reboot the laptop or it goes to sleep the "buffer is wiped out."
HP says that the keylogger was originally built into Synaptics to debug errors and that neither HP nor Synaptics has access to customer data, but acknowledges that it could lead to a loss of confidentiality.
"Synaptics is working closely with our PC customers to update drivers and to deploy them to address security concerns," they said. "Synaptics also recommends using best practices by restricting admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."
They added: "In our new normal of heightened concern for security and privacy, Synaptics would like to apologise for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise."