Thursday 22 June 2017

HP issues urgent security update

Dozens of laptop models sold by HP contain built-in "keylogging" technology that stores everything users type, researchers have warned.

The records of what users type on the keyboard were stored in plain text on the computers, meaning anyone with access to them could read messages, passwords, web searches and credit card numbers if they knew where to look.

HP issued a fix for some of the affected models on Thursday night and promised another for the rest of the devices would be released today.

The bug affects 28 HP laptops sold in 2015 and 2016, including EliteBook, ProBook and ZBook models.

HP did not install the keylogging software deliberately, the researchers said, but it was included as part of a driver for Conexant, whose audio chips are included in the laptops.

The driver monitored keystrokes to look out for users pressing audio control keys to pause or change volume, but in doing so it monitored and stored the entire keyboard activity. Modzero, the security company that discovered the flaw, said it could also feature on other laptop brands.

Keyloggers are seen as one of the most malicious forms of computer viruses, capable of tracking everything a user types and sending it to hackers remotely. Although there is no suggestion that the HP bug shared any of the data, anyone who shared the computer or got hold of it would have a wealth of personal information at their disposal.

The file where users' keystrokes are stored on the laptops is overwritten every time a computer reboots, but computer forensics experts are able to recover deleted files.

"There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers - which makes the software no less harmful," Modzero's researchers wrote.

It said it had revealed the flaw to HP and Conexant, but that neither had responded to contact requests.

"HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs," a spokesman said.

"HP has no access to customer data as a result of this issue. Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version. Fixes will be available shortly via HP.com."
