
    HP Laptops Found with Keylogger Built Into Audio Driver

    News
    hp laptop security keylogger bleeping computer
    • travisdh1T
      travisdh1 @DustinB3403
      last edited by

      @DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:

      @scottalanmiller said in HP Laptops Found with Keylogger Built Into Audio Driver:

      https://cdn.arstechnica.net/wp-content/uploads/2017/05/keylogger.jpg

      That password though. . . I mean come on "football23" no capitals, or special characters. . . Would you even need a keylogger for that?

      My guess for a single cracking machine (8 video cards for massively parallel compute), about 2 minutes.

      1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403
        last edited by

        Yeah I actually just shipped one of these laptops back yesterday!

        Good thing it was only a trial device and we did nothing with it.

        1 Reply Last reply Reply Quote 0
        • momurdaM
          momurda @scotth
          last edited by

          @scotth Is the log file showing all keystrokes before you made it readonly?

          S 1 Reply Last reply Reply Quote 0
          • S
            scotth @momurda
            last edited by

            @momurda No. Zero byte file at this time. I haven't checked alternative streams yet.

            S 1 Reply Last reply Reply Quote 0
            • S
              scotth @scotth
              last edited by scotth

              @scotth said in HP Laptops Found with Keylogger Built Into Audio Driver:

              @momurda No. Zero byte file at this time. I haven't checked alternative streams yet.

              Interesting. While attempting to open the file, I get denied access due to another process.

              Edit: It's currently marked as readonly and hidden.

              JaredBuschJ 1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @scotth
                last edited by

                @scotth said in HP Laptops Found with Keylogger Built Into Audio Driver:

                @scotth said in HP Laptops Found with Keylogger Built Into Audio Driver:

                @momurda No. Zero byte file at this time. I haven't checked alternative streams yet.

                Interesting. While attempting to open the file, I get denied access due to another process.

                Edit: It's currently marked as readonly and hidden.

                The executable will delete it and recreate it though.

                1 Reply Last reply Reply Quote 0
                • momurdaM
                  momurda
                  last edited by momurda

                  Math is probably wrong, but
                  football23
                  10 chars password
                  36 possibilities per character space only using lowercase letters and numbers
                  36^10 possibilities roundabout.
                  3,656,158,440,062,976
                  If you do 100 million hashes/second,
                  365,615,644 seconds or 101,559 hours or 4231 days or 11.5 years

                  But since football is in the dictionary it is likely much easier if your algorithm does dictionary before trying random strings. Either way, it is much easier to do if you're recording keystrokes.

                  @scotth Can you undo the read only bit and reboot that laptop see what happens?

                  DustinB3403D S travisdh1T 3 Replies Last reply Reply Quote 0
                  • DustinB3403D
                    DustinB3403 @momurda
                    last edited by

                    @momurda It would take about a single day for the average computer to brute force that password.

                    anthonyhA 1 Reply Last reply Reply Quote 1
                    • S
                      scotth @momurda
                      last edited by

                      @momurda Not right now. I may play around with it tonight. Comodo has a crazy task manager that I'll run on it tonight

                      1 Reply Last reply Reply Quote 0
                      • travisdh1T
                        travisdh1 @momurda
                        last edited by

                        @momurda said in HP Laptops Found with Keylogger Built Into Audio Driver:

                        But since football is in the dictionary it is likely much easier if your algorithm does dictionary before trying random strings. Either way, it is much easier to do if you're recording keystrokes.

                        Yep, dictionary word = not even bothering with brute forcing.

                        1 Reply Last reply Reply Quote 1
                        • anthonyhA
                          anthonyh @DustinB3403
                          last edited by

                          @DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:

                          @momurda It would take about a single day for the average computer to brute force that password.

                          What if the authentication back-end implemented a lockout or throttling policy? Like after X attempts the account is locked out and/or authentication responses are delayed by X time?

                          travisdh1T 1 Reply Last reply Reply Quote 0
                          • travisdh1T
                            travisdh1 @anthonyh
                            last edited by

                            @anthonyh said in HP Laptops Found with Keylogger Built Into Audio Driver:

                            @DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:

                            @momurda It would take about a single day for the average computer to brute force that password.

                            What if the authentication back-end implemented a lockout or throttling policy? Like after X attempts the account is locked out and/or authentication responses are delayed by X time?

                            That's great so long as it's not an offline attack. IE: Do you know who's seen your salt?

                            anthonyhA 1 Reply Last reply Reply Quote 0
                            • anthonyhA
                              anthonyh @travisdh1
                              last edited by

                              @travisdh1 said in HP Laptops Found with Keylogger Built Into Audio Driver:

                              @anthonyh said in HP Laptops Found with Keylogger Built Into Audio Driver:

                              @DustinB3403 said in HP Laptops Found with Keylogger Built Into Audio Driver:

                              @momurda It would take about a single day for the average computer to brute force that password.

                              What if the authentication back-end implemented a lockout or throttling policy? Like after X attempts the account is locked out and/or authentication responses are delayed by X time?

                              That's great so long as it's not an offline attack. IE: Do you know who's seen your salt?

                              That makes sense.

                              1 Reply Last reply Reply Quote 0
                              • S
                                scotth
                                last edited by

                                Last night, I fired up KillSwitch (Comodo Task Manager on Steroids), killed the process - MicTray_64.exe (can't really remember) and the log file was released for editing / viewing.
                                Sneaky.

                                1 Reply Last reply Reply Quote 1
                                • S
                                  scotth
                                  last edited by

                                  https://www.axios.com/hp-says-it-has-a-fix-for-flaw-that-caused-some-pcs-to-log-every-keystr-2403751321.html
                                  Spiceworks - Spark

                                  1 Reply Last reply Reply Quote 1
                                  • KellyK
                                    Kelly
                                    last edited by

                                    So I have a Spectre 360 and it has the MicTray64.exe, associated process, and the logfile in C:\Users\Public\MicTray.log. The log file is zero bytes though and appears to be empty. I'm wondering if it isn't logging, or if the list of affected machines is longer than officially announced.

                                    S 1 Reply Last reply Reply Quote 0
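
Added example, not part of any post in this thread: a read-only PowerShell check for the artifacts the posters describe (the running tray process, the log file and its size, the read-only and hidden attributes, and any alternate data streams). The function name `Test-MicTrayArtifacts` is hypothetical; the log path and process name are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Path and process name are those quoted by the posters.
$LogPath = 'C:\Users\Public\MicTray.log'

function Test-MicTrayArtifacts {
    param([string]$Path = $LogPath)

    # The wildcard covers MicTray64.exe as well as the other spelling given in the thread.
    $procs = @(Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue)

    $report = [ordered]@{
        ProcessRunning = $procs.Count -gt 0
        ProcessPaths   = ($procs | ForEach-Object { $_.Path }) -join '; '
        LogExists      = $false
        LogBytes       = $null
        ReadOnly       = $null
        Hidden         = $null
        ExtraStreams   = $null
    }

    # -Force is needed because the thread reports the file as hidden.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $attrs = $item.Attributes
        $report.LogExists = $true
        $report.LogBytes  = $item.Length
        $report.ReadOnly  = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
        $report.Hidden    = [bool]($attrs -band [IO.FileAttributes]::Hidden)

        # A zero-byte main stream says nothing about alternate data streams,
        # so list every stream other than the default ':$DATA' with its size.
        $streams = @(Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' })
        $report.ExtraStreams = ($streams |
            ForEach-Object { "$($_.Stream)=$($_.Length)" }) -join '; '
    }

    [pscustomobject]$report
}

Test-MicTrayArtifacts | Format-List
```

The check only reads metadata and never opens the log, so it still reports while the tray process holds the file.
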
                                    • S
                                      scotth @Kelly
                                      last edited by

                                      @Kelly said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                      So I have a Spectre 360 and it has the MicTray64.exe, associated process, and the logfile in C:\Users\Public\MicTray.log. The log file is zero bytes though and appears to be empty. I'm wondering if it isn't logging, or if the list of affected machines is longer than officially announced.

                                      The driver is Conexant via whomever its hardware ends up on.

                                      StrongBadS 1 Reply Last reply Reply Quote 0
                                      • StrongBadS
                                        StrongBad @scotth
                                        last edited by

                                        @scotth said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                        @Kelly said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                        So I have a Spectre 360 and it has the MicTray64.exe, associated process, and the logfile in C:\Users\Public\MicTray.log. The log file is zero bytes though and appears to be empty. I'm wondering if it isn't logging, or if the list of affected machines is longer than officially announced.

                                        The driver is Conexant via whomever its hardware ends up on.

                                        Does that mean that other vendors might have this too? I mean, it might, that we know. But why has only HP been discovered thus far? Is it an HP version of the driver? Is it HP unique hardware?

                                        S 1 Reply Last reply Reply Quote 1
                                        • S
                                          scotth @StrongBad
                                          last edited by

                                          @StrongBad said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                          @scotth said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                          @Kelly said in HP Laptops Found with Keylogger Built Into Audio Driver:

                                          So I have a Spectre 360 and it has the MicTray64.exe, associated process, and the logfile in C:\Users\Public\MicTray.log. The log file is zero bytes though and appears to be empty. I'm wondering if it isn't logging, or if the list of affected machines is longer than officially announced.

                                          The driver is Conexant via whomever its hardware ends up on.

                                          Does that mean that other vendors might have this too? I mean, it might, that we know. But why has only HP been discovered thus far? Is it an HP version of the driver? Is it HP unique hardware?

                                          In all honesty, I don't know. But I wouldn't be surprised if it ended up on a bunch of OEM branded equipment. I'm guessing that HP's just got found out 1st.

                                          1 Reply Last reply Reply Quote 2
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            I'm surprised that every vendor isn't being checked, it could be everywhere, in theory.

                                            anthonyhA 1 Reply Last reply Reply Quote 3