HP Chief Technologist Nash: Touchpad Debug Tool Security Issue Is Fixed, Partners Should Check Other OEM Laptops
HP Chief Technologist Mike Nash Wednesday told CRN that the Synaptics Touchpad debug tool security issue impacting about 460 HP laptops has been "fixed" with security updates.
At the same time, Nash cautioned partners to make sure that the Synaptics debug tool issue is not affecting the laptop products from other OEM partners.
"We have worked with Synaptics to address this issue with new drivers that remove this code," said Nash. "We fixed it. We have a fix at HP.com. What I don't know is for the other companies also using Synaptics if their devices have had the fixes made available and deployed."
Nash told CRN that the debug tool issue was reported by a security researcher in August and HP began working immediately with Synaptics to provide software updates for the impacted Touchpad drivers.
HP issued a support communication security bulletin on November 7 titled: "Synaptics Touchpad Driver Potential, Local Loss of Confidentiality" with security updates. "For every device that was affected there is a driver on HP.com that corrects the problem," said Nash.
The majority of the HP security updates have been marked as "critical" on Windows Update so that they get installed automatically, said Nash. The remaining updates will be marked as critical and automatically provided on Windows Update within the next week, he said.
Synaptics, for its part, said in a Synaptics Touchpad Driver - Security Brief that "using a standardized risk scoring system, the Common Vulnerability Scoring System (CVSS), this debug tool scores approximately 2 out of 10, and is classified as a low risk."
That said, the company noted that in today’s "heightened sensitivity to security and privacy, Synaptics will take the precautionary steps of defeaturing the debug tool for production drivers to further prevent the tool from being used in an unintended and malicious way."
Furthermore, Synaptics said it is "working closely with our PC customers to update drivers and to deploy them to address security concerns."
Synaptics also recommended "best practices" that restrict "Admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."
Synaptics also apologized for any "concerns" that the debug tool may have raised. "We have a path to immediately address this issue and other security concerns should they arise," the company said.
Synaptics said some articles that purported there was a "keylogger" in its Touchpad drivers were inaccurate. "Our debug tool was mischaracterized in the articles as 'keylogger,'" said the company.
Nash said there was a "lot of misinformation out there that made people more worried than they needed to be."
The reality, Nash said, is that the debugging code in the HP laptops was "almost in every case off by default." Furthermore, he said, the debugging tool was not "storing data into a file," but rather keeping it in a "memory buffer" used only for debugging. Typically, that debugger captures about "40 seconds" of typing, said Nash, and if you reboot the laptop or it goes to sleep the "buffer is wiped out."
Rick Chernick, the CEO of Camera Corner Connecting Point, a longtime Green Bay, Wis., HP partner (No. 323 on the 2017 CRN SP500), said no vendor is investing more time, money and resources into security than HP.
"I am glad HP is on top of this," Chernick said. "Security is an ongoing issue for everybody. I have every confidence that HP is doing what needs to be done here to protect customers.
"Nobody can touch what HP is doing in security. They are far ahead of everyone in security. I work with them day in and day out and know security is at the very top of everything they do."