A potentially vulnerable touchpad driver puts a wide range of laptops at risk. We explain how to tell if yours is affected.
A keylogger has been found in the trackpad driver used by a large number of notebooks. The issue was discovered on an HP notebook by Michael Myng.
While trying to work out how to control the keyboard backlight, Myng spotted some strings in the SynTP.sys driver that he associated with keylogging, prompting his investigation. He determined that the keylogging functionality was disabled by default, but could be enabled by setting a registry value.
Exploiting the keylogger requires administrative privileges, but presumably that could be achieved by taking advantage of privilege escalation vulnerability – or by a malicious administrator.
Myng reported his findings to HP, which released an updated driver. In the security bulletin, HP recommended customers take prompt action to update the affected driver.
A wide range of HP products included the driver in question, among them various Compaq, Elite, EliteBook, Envy, Pavillon, ProBook, Spectre Pro, Split and ZBook notebooks, mobile workstations and mobile thin clients.
HP noted that the problem existed in the Synaptics touchpad drivers, and that systems from other vendors could be affected.
Updates and fixes
Synaptics claimed the debugging tool in its touchpad drivers was “mischaracterized” as a keylogger, but said “Synaptics believes now, for best industry practices, that it should remove this debug tool for production versions of the driver.”
Driver updates have been made available via Windows Update, Synaptics said.
According to Myng, a way to check whether any particular computer is affected is to run:
findstr.exe ulScanCode SynTP.sys
from the command line. “If the driver is clean findstr won't print anything.”
