Posted

Samsung installs keylogger on its laptops

User discovers that Samsung is pre-loading keyloggers on its laptop computers.

By Jeff Caruso on Wed, 03/30/11 - 12:05pm.

[UPDATE: Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation.]

A user discovered a keylogger pre-installed on two brand-new Samsung laptops that the company admitted was there to "monitor the performance of the machine and to find out how it is being used."

Mohamed Hassan wrote in Mich Kabay’s Security Strategies newsletter that as soon as he received his Samsung R525 laptop, he ran a full system scan and found a commercial keylogger called StarLogger.

StarLogger claims it records every keystroke made on the computer, even on password-protected boxes, starting up whenever the computer starts up. The software emails results at intervals to a specified email address and will even include screen captures.

Hassan ended up buying a second Samsung laptop, a model R540, and found the same keylogger installed on that one.

"The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops," he writes.

Hassan reports that at first Samsung Support personnel denied that they installed the software and directed him to Microsoft, but then eventually admitted that Samsung was responsible.

As Hassan notes, the incident is reminiscent of the Sony BMG rootkit fiasco of 2005. At the time, Sony BMG used a rootkit to monitor computer user behavior and limit how music CDs were used on the computer.

Kabay says that Samsung has not responded to further requests for comment.

Source: http://www.networkworld.com/community/blog/samsung-installs-keylogger-its-laptops

Posted (edited)

Now who's to believe in?

What is Samsung trying to do, anyway?

Will never buy a laptop from them.

Edited by Infiltrator
Posted

My opinion of Samsung has completely changed after reading this post. Wasn't too long ago Sony was installing rootkits onto computers. Really makes you wonder..

Posted

I saw something on that this morning about how they come from the factory pre-installed with key loggers, but they were investigating it, since it apparently was an inside job and not exactly something they did as a business practice. Will see as more news emerges what actually happened but either way, it's pretty shady to have anything like that preinstalled on any device.

Personally, I back up drivers and reinstall from scratch on all my new machines anyway, because I hate all the extra bloat and crapware they come with, but this is all the more reason to wipe machines once you buy them. Then again, if there were hardware monitors in place, they could potentially be undetectable altogether, and no one would know unless they were doing MITM on each machine to see what is coming across the wire.

I wouldn't be surprised if there are other devices that ship with similar "features" from the factory, whether software based or even hardware based. If for instance a company like HP was ordered by the government to give them backdoors into some of their devices, they probably wouldn't disclose this publicly either, but I doubt they would use something software based that could be detected like in the case of Samsung.

Posted

Now who's to believe in?

What is Samsung trying to do, anyway?

Will never buy a laptop from them.

It's simple to remove, or format with Linux. It's software, it can be removed and if you think this is the last time you will see something like this, pretty sure you are wrong lol. Sony did it, Samsung did it, probably many others...

Won't be the last time you see a rootkit installed of sorts. I'm sure someone just slapped it in their "test" images and then it hit production and either put it there on purpose or forgot they were messing with it.

Posted (edited)

Some thoughts on the issue by others

Theory on Samsung keylogger: Systems imaged w/USB. Subset of systems imaged by 1 or 2 tech's USB keys infected. Wish for better article.

-

http://www.pcworld.com/article/223823/samsung_series_9_laptop_shows_no_signs_of_spyware.html

richeemxx says:

Wed Mar 30 19:59:56 PDT 2011

Talk about some serious over-hyped reporting here. I've not seen a single corroborating report that shows there is any validity to the guy's story yet almost every media source has run with this story.

It's possible the researcher himself may have infected the machines, which would be a real kicker, but will have to wait until they do more investigating.

Edited by digip
Posted (edited)

It's simple to remove, or format with Linux. It's software, it can be removed and if you think this is the last time you will see something like this, pretty sure you are wrong lol. Sony did it, Samsung did it, probably many others...

Won't be the last time you see a rootkit installed of sorts. I'm sure someone just slapped it in their "test" images and then it hit production and either put it there on purpose or forgot they were messing with it.

Things like that can happen quite often, so I don't think it's going to be a one-off thing.

And besides I read an article before, where a user discovered a Trojan horse installed on his new Dell laptop.

And frankly sooner or later there will be another or similar case.

Edited by Infiltrator
Posted (edited)

"Theory on Samsung keylogger: Systems imaged w/USB. Subset of systems imaged by 1 or 2 tech's USB keys infected. Wish for better article."

There should be a policy/process in place that prevents technicians from using their USB keys, when creating images.

I don't think that's cool and it's totally unprofessional on their part.

Edited by Infiltrator
Posted

According to the latest reports, Samsung never installed a keylogger on their laptops. A commercial security tool flagged on the directory path alone and gave a false positive for a folder that was created by Microsoft for multilingual support ('SL' being the language code for Slovenian).

Samsung, VIPRE (the product that gave the false positive), StarLogger (the falsely identified key logger), and F-Secure have all confirmed that StarLogger was not installed by default on any Samsung laptops and it was a false positive due to the similarity of the directory path alone.

https://threatpost.com/en_us/blogs/samsung-keylogger-case-turns-out-be-false-positive-033111

http://www.engadget.com/2011/03/31/samsung-reportedly-installing-keylogger-software-on-r525-privac/

http://www.networkworld.com/newsletters/sec/2011/032811sec2.html
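
The false positive described in the post above, sketched as an added example (not code from the thread or from any vendor named in it): a rule that alerts on a directory path alone, next to one that also requires a file in that directory to match a known-bad hash. The hash set, the file name `sample.bin` and the three directory trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directory name taken from the thread; the "known bad" digest is the SHA-256
# of made-up bytes (constructed for this example, not a real indicator).
SUSPECT_DIR = "SL"
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-sample-payload").hexdigest()}


def path_only_verdict(windows_root: Path) -> bool:
    """Weak rule: alert as soon as the directory exists."""
    return (windows_root / SUSPECT_DIR).is_dir()


def corroborated_verdict(windows_root: Path) -> dict:
    """Stronger rule: alert only if a file in the directory has a known-bad hash."""
    target = windows_root / SUSPECT_DIR
    report = {"dir_present": target.is_dir(), "files": 0, "matches": [], "alert": False}
    if not report["dir_present"]:
        return report
    for f in sorted(p for p in target.rglob("*") if p.is_file()):
        report["files"] += 1
        if hashlib.sha256(f.read_bytes()).hexdigest() in KNOWN_BAD_SHA256:
            report["matches"].append(f.name)
    report["alert"] = bool(report["matches"])
    return report


def demo() -> dict:
    """Score three constructed directory trees with both rules."""
    cases = {
        "no_sl_dir": None,                                # directory absent
        "language_pack": b"constructed benign resource",  # benign content
        "known_bad": b"constructed-sample-payload",       # matches the hash set
    }
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in cases.items():
            root = Path(tmp) / name / "Windows"
            root.mkdir(parents=True)
            if content is not None:
                (root / SUSPECT_DIR).mkdir()
                (root / SUSPECT_DIR / "sample.bin").write_bytes(content)
            out[name] = (path_only_verdict(root), corroborated_verdict(root)["alert"])
    return out


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:14} path_only={weak} corroborated={strong}")
```

The `language_pack` case is the one from the thread: the path-only rule fires on it, the corroborated rule does not.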

Posted (edited)

It had me thinking in there for a while, but good to see it was an Antivirus signature mistake.

False Positives can happen quite often, so not something that can be avoided easily, if you are an AV maker.

Edited by Infiltrator
Posted

I can see how this mistake may have been made.

But, couldn't it also just be a cover up.

Samsung did previously say "monitor the performance of the machine and to find out how it is being used".

Is it that hard to believe that maybe the government is issuing this and other hardware installs alike. I personally have always had the suspicion that Windows would one day have a government backdoor.

I could just be over thinking this, but then again a lot of people could be under thinking it.

Posted

I can see how this mistake may have been made.

But, couldn't it also just be a cover up.

Samsung did previously say "monitor the performance of the machine and to find out how it is being used".

Is it that hard to believe that maybe the government is issuing this and other hardware installs alike. I personally have always had the suspicion that Windows would one day have a government backdoor.

I could just be over thinking this, but then again a lot of people could be under thinking it.

Who said that was some idiot in some foreign country that probably doesn't know anything about computers and didn't know what a keylogger was for. Do you think Samsung would really admit to installing keyloggers? Come on.

Note to self. Never use VIPRE AV, it's shit.

Posted (edited)

I can see how this mistake may have been made.

But, couldn't it also just be a cover up.

Considering Samsung, StarLogger, VIPRE, F-Secure, and Microsoft are all saying that there's nothing there... I'm inclined to believe that there's nothing there.

If it was just two of those companies, then I would entertain the idea of a conspiracy, but StarLogger, VIPRE, and F-Secure certainly have nothing to gain by covering it up.

Edit: Besides, there was never a smoking gun here. If Samsung laptops have keyloggers on them, how come nobody who owned a Samsung laptop came forward to confirm it with a packet capture or log file showing the recorded keystrokes?

Edited by Sitwon
Posted

Considering Samsung, StarLogger, VIPRE, F-Secure, and Microsoft are all saying that there's nothing there... I'm inclined to believe that there's nothing there.

If it was just two of those companies, then I would entertain the idea of a conspiracy, but StarLogger, VIPRE, and F-Secure certainly have nothing to gain by covering it up.

Edit: Besides, there was never a smoking gun here. If Samsung laptops have keyloggers on them, how come nobody who owned a Samsung laptop came forward to confirm it with a packet capture or log file showing the recorded keystrokes?

Because it would take more than an average user to do it.

Posted

Because it would take more than an average user to do it.

No. Keyloggers are fairly conspicuous and easy to detect. Anyone with a bit of debugging knowledge and access to a Samsung laptop could have easily tested whether or not there was an active keylogger on the system. In fact, anyone with access to a Samsung system could have opened the C:\Windows\SL folder and checked out what the file in there actually was. People were all too eager to accept this one at face value and nobody bothered to verify it before re-posting it all over the place.

Posted

No. Keyloggers are fairly conspicuous and easy to detect. Anyone with a bit of debugging knowledge and access to a Samsung laptop could have easily tested whether or not there was an active keylogger on the system. In fact, anyone with access to a Samsung system could have opened the C:\Windows\SL folder and checked out what the file in there actually was. People were all too eager to accept this one at face value and nobody bothered to verify it before re-posting it all over the place.

Interesting, what if the user is not advanced enough, I think the experience level also counts.

I know people who have been using computers for a while, and basic stuff like opening task manager or keeping the AV updates lacks in them.

Posted

Interesting, what if the user is not advanced enough, I think the experience level also counts.

I know people who have been using computers for a while, and basic stuff like opening task manager or keeping the AV updates lacks in them.

There are plenty of smart people who buy Samsung laptops. If they were really installing keyloggers on their laptops there would be proof. The fact that they created an empty folder named SL and the AV picked it up proves that it was an AV problem. The companies backing that it was a false positive would not risk their reputation just to protect a Samsung.

/end.

Posted

There are plenty of smart people who buy Samsung laptops. If they were really installing keyloggers on their laptops there would be proof. The fact that they created an empty folder named SL and the AV picked it up proves that it was an AV problem. The companies backing that it was a false positive would not risk their reputation just to protect a Samsung.

/end.

Can't argue with that! It was an antivirus problem.

Thread is now closed.
