Why snafus like HP’s keylogger will happen again

The problem wasn't the length of time it took HP to respond to security researchers—it's that unreviewed code proliferates supply chains everywhere

Why snafus like HP’s keylogger will happen again
Credit: Thinkstock

As Woody Leonhard explained last week, HP laptops have come with a little added extra ever since Christmas 2015: a keylogger. HP has confirmed to me that the report from Thorsten Schroeder of ModZero is correct and the company has been urgently working on fixes.

The keylogger is built into a device driver supplied to HP by Conexant Systems. It places every single keystroke you make in a log file on the computer. The file is deleted and a new one is started every time you log on to Windows, but if you use an incremental backup system or rarely reboot, there's a good chance that every password, credit card number, personal detail, and regretted communication you ever typed is stored safely waiting for a hacker or subpoena to make it public.

Schroeder made the keylogger public after receiving no response from either HP and Conexant. But it turns out ModZero had actually informed HPE, not HP (the two are now operating independently) and grew impatient too fast, allowing less than two weeks before going public. Mike Nash, HP’s vice president of consumer PC products, told me that despite this the company had received the alert and regretted the breakdown in communication.

According to Nash, HP accepts full responsibility for the entire matter, and fixes for the affected drivers across two generations of systems were ready for release Friday. His team is working with Microsoft to incorporate the new drivers in Windows updates so users can have the vulnerability fixed automatically. Nonetheless, for safety, you should still take the actions Woody describes.

Nash also confirmed that the keylogger was part of a joint debugging exercise between HP and Conexant and had been left in the driver by mistake. He emphasized that HP had not been collecting any of the data involved, unlike some previous consumer PC issues that he did not name, and he told me that in the future, HP will conduct code reviews with suppliers like Conexant to try to avoid a recurrence.

That's all reassuring. The real issue here is not that HP was unresponsive: Once the company learned of the problem, it reacted quickly, fixing a driver in two generations of over thirty devices in at most 14 working days. The problem is that desktop systems today are closed boxes we have no option but to trust, which no single entity has inspected.

It is the natural consequence of global supply chains and outsourcing. It’s possible HP doesn’t even have people with the experience or time to review the code they ship in their devices now all the enterprise-grade software staff are at HPE (or, worse, let go) following the restructuring of the company. As a result they are totally dependent on contractual protection. Nash alluded to this, telling me the availability of fixes so soon would have been impossible without early warning about the issue.

This is the situation we have reached. Complex, stateful desktop systems are being created by long supply chains that span the globe. Designs are updated often and are built with parts sourced from ever-changing suppliers under different regulatory regimes. Components and their drivers contain proprietary code no one but the manufacturer has read. As Nash admitted, it's impossible for HP or any modern OEM to fully understand and review every part of the systems they ship.

Checking for and fixing this particular issue is not too hard. But the combination of supply chain error and security researcher immaturity will happen again. Should we tolerate this risk? Maybe we need to break that problem apart--stateless desktops, open source code, cloud-hosted statefulness--if we're to avoid disaster.

Related: