HP keylogger: How did it get there and how can it be removed?


Originally seen: October 2017 TechTarget.

A keylogging flaw found its way into dozens of Hewlett Packard laptops. Nick Lewis explains how the HP keylogger works and what can be done about it.

More than two dozen models of Hewlett Packard laptops were found to contain a keylogger that recorded keystrokes into a log file. HP released patches to remove the keylogger and the log files. How did the HP keylogger vulnerability get embedded in the laptops? And is there anything organizations can do to test new endpoint devices?

When it comes to security, having high expectations of security vendors and of large vendors with deep pockets is reasonable, given that customers usually pay a premium in the belief that those vendors will devote significant resources to securing their products. Unfortunately, like most other security teams, vendor security teams often lack the resources or organizational fortitude to ensure security is built into all of the enterprise’s software development.

But even the most secure software development can enable security issues to slip through the cracks. When you add in an outsourced hardware or software development team, it’s even easier for something to go unnoticed.

So while vendors might talk a good talk when it comes to security, monitoring them to ensure they uphold their end of your agreement is absolutely necessary.

One case where a vulnerability apparently escaped notice was uncovered when researchers at Modzero AG, an information security company based in Winterthur, Switzerland, found that a bug had been introduced into HP laptops by a third-party driver installed by default.


The vulnerability was discovered in the Conexant HD Audio Driver package, where the driver monitors for certain keystrokes used to mute or unmute audio. The keylogging functionality, complete with the ability to write all keystrokes to a log file, was probably introduced to help the developers debug the driver.

We can hope that the HP keylogger vulnerability was left in inadvertently when the drivers were released to customers. Modzero found metadata indicating the HP keylogger capability was present in HP computers since December 2015, if not earlier.

It’s difficult to know whether static or dynamic code analysis tools could have detected this vulnerability. However, given the resources available to HP in 2015, including a line of business related to application and code security, as well as the expectations of their customers, it might be reasonable to assume HP could have incorporated these tools into their software development practices. However, the transfer of all of HP’s information security businesses to a new entity, Hewlett Packard Enterprise, began in November 2015, and was completed in September 2017, when Micro Focus merged with HPE.

It’s possible that Modzero found the HP keylogger vulnerability while evaluating a potential new endpoint for an enterprise customer. They could have been monitoring for open files, or looking for which processes had the files open to determine what the process was doing. They could have been profiling the individual processes running by default on the system to see which binaries to investigate for vulnerabilities. They could even have been monitoring to see if any processes were monitoring keystrokes.

Enterprises can take these steps on their own or rely on third parties to monitor their vendors. Many enterprises will install their own image on an endpoint before deploying it on their network — the known good images used for developing specific images for target hardware could have their unique aspects analyzed with a dynamic or runtime application security tool to determine if any common vulnerabilities are present.
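The profiling described above can be turned into a repeatable check: inventory the default processes on a known-good image, inventory the vendor-shipped endpoint the same way, and diff the two. The script below is an added example, not code from the article, HP or Modzero; the process names, hashes and file paths in it are constructed placeholders, and a real run would populate the snapshots from a process and handle inventory tool.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Proc:
    """One default process from an inventory: name, binary hash, files held open for writing."""
    name: str
    sha256: str
    write_files: frozenset = field(default_factory=frozenset)

# Locations readable by every local user; a keystroke log written here is exposed to anyone.
PUBLIC_PREFIXES = ("c:\\users\\public\\", "c:\\temp\\", "c:\\windows\\temp\\")

def audit(baseline, endpoint):
    """Compare a vendor endpoint snapshot against the known-good image; return (severity, message) findings."""
    base = {p.name: p for p in baseline}
    findings = []
    for p in endpoint:
        ref = base.get(p.name)
        if ref is None:
            findings.append(("info", f"{p.name}: not present in known-good image"))
        elif ref.sha256 != p.sha256:
            findings.append(("warn", f"{p.name}: binary hash differs from known-good image"))
        # Any write handle the baseline did not have deserves a look; public paths most of all.
        new_writes = p.write_files - (ref.write_files if ref else frozenset())
        for path in sorted(new_writes):
            sev = "high" if path.lower().startswith(PUBLIC_PREFIXES) else "warn"
            where = "world-readable location" if sev == "high" else "not in baseline"
            findings.append((sev, f"{p.name}: new write handle on {path} ({where})"))
    return findings

# Constructed sample snapshots (hashes and paths are placeholders, not real values).
BASELINE = [
    Proc("explorer.exe", "aaaa1111"),
    Proc("svchost.exe", "bbbb2222", frozenset({r"C:\Windows\Logs\svc.log"})),
]
ENDPOINT = [
    Proc("explorer.exe", "aaaa1111"),
    Proc("svchost.exe", "bbbb2222", frozenset({r"C:\Windows\Logs\svc.log"})),
    # Hypothetical vendor audio tray helper holding a log open in a public folder.
    Proc("VendorAudioTray.exe", "cccc3333", frozenset({r"C:\Users\Public\audio-keys.log"})),
]

if __name__ == "__main__":
    for sev, msg in audit(BASELINE, ENDPOINT):
        print(f"[{sev}] {msg}")
```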

Intel AMT flaw: How are corporate endpoints put at risk?


Originally Seen: TechTarget by Judith Myerson

A recent flaw in Intel’s Advanced Management Technology enables hackers to gain access to endpoint devices. Discover how this flaw can be mitigated with expert Judith Myerson.

A flaw in Intel’s Advanced Management Technology enables hackers to exploit a simple vulnerability and gain control of corporate laptops. How is this possible, and what is the best way to mitigate the Intel AMT flaw?

Exploiting the flaw in Intel’s Advanced Management Technology (AMT) takes a few seconds. An attacker boots up his laptop, presses CTRL-P, and then logs on to the Intel Management Engine BIOS Extension using admin as the default password. After changing the password, the attacker sets the user opt-in to None and connects to the victim’s laptop, bypassing a strong BIOS password and username.

The flaw enables the attacker to remotely access, read and modify data and applications assigned to a corporate user, and potentially even transfer them to the attacker’s server. Potential victims may be untargeted and merely be located in a waiting room or a public place. If the attacker finds that the victim’s laptop doesn’t have AMT, they can keep searching until they find a victim whose laptop requires AMT.

The best way to mitigate the Intel AMT flaw is to use Microsoft System Center Configuration Manager for laptops connected to a Windows domain. System administrators can use it to:

  • Remotely query all corporate laptops about suspicious passwords.
  • Provision each laptop to require a strong password of 8 or more characters — a combination of numbers, letters and special characters is strongly recommended — and establish a policy on how often the password should be changed.
  • Disable AMT for all laptops that don’t require it. This means the corporate IT staff will not be able to have remote control over these laptops and will need to find other ways to remotely secure them.

Any laptops found to be affected should be addressed by enterprise security teams, and corporate incident response procedures should be used.