Samsung installs keylogger on its laptop computers

489 points by pietrofmaggi, about 14 years ago

31 comments

jedsmith, about 14 years ago
Am I the only one that wipes the OEM operating system as soon as I buy a computer? Even if I'm putting Windows right back on it?

I started doing it because of the crap they bundle in there, but this seems like an unintended good reason to do so as well.

16s, about 14 years ago
Off-topic: I wrote a *very primitive* passive keystroke logger a few years ago (just to demonstrate how they work). I still have the source code and folks email me about it often:

https://github.com/16s/16k

My example is *really trivial* and it only works on Windows, but it works well and demonstrates the concept of passive keystroke logging. Unlike system wide hooks, passive logging just monitors the key states. Sort of like when you are playing a video game and press the 'P' key. The game pauses because it's monitoring the P key's state (up or down) and can tell when it changes. Extend that concept to the entire keyboard and you have a passive keystroke logger.

Passive loggers are more challenging to detect as well and they run just fine as a normal user (no need to be root).

westbywest, about 14 years ago
"The statements that Samsung installs keylogger on R525 and R540 laptop computers are false.

"After investigating into this matter, it was found that the software installed was in fact Vipre, not the commercial keylogger called StarLogger. The confusion arose because Microsoft's Live Application multi-language support folder, 'SL' folder, was mistaken for StarLogger.

"(Live Application is Microsoft's application which provides messenger, email, video, photo gallery functions. Depending on the language, under C:\windows folders 'SL' for Slovak, 'KO' for Korean, 'EN' for English are created.)"

http://www.samsungtomorrow.com/1071

Bo102010, about 14 years ago
This strikes me as dubious at best. I think a more likely explanation is that his detection software is flagging anything with the path "c:\windows\SL" as malware.

He says "This key logger is completely undetectable," which is clearly untrue (he has allegedly detected it).

If it's logging his keystrokes, it's either storing them locally or sending them off somewhere else, or both. If he's as qualified as he says, he should be able to find out which (find a file that increases in size after a lot of keystrokes, use Wireshark...).
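
The file-growth check suggested in the comment above, as an added example that is not part of the original thread: snapshot file sizes, perform the typing test, snapshot again, and list what grew or appeared. The directory layout and file names (`SL/resources.dat`, `activity.log`) are constructed for the demonstration.

```python
import os
import tempfile


def snapshot(root):
    """Map every regular file under root to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.stat(path).st_size
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return sizes


def changed_files(before, after):
    """Return (grown, created): bytes gained per file, and sizes of new files."""
    grown = {p: after[p] - before[p]
             for p in after if p in before and after[p] > before[p]}
    created = {p: size for p, size in after.items() if p not in before}
    return grown, created


def demo():
    """Constructed tree: a static file in an 'SL' folder and one file that grows."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "SL"))
        with open(os.path.join(root, "SL", "resources.dat"), "wb") as f:
            f.write(b"\0" * 128)          # hypothetical language resource
        log = os.path.join(root, "activity.log")  # hypothetical growing file
        with open(log, "wb") as f:
            f.write(b"header\n")
        before = snapshot(root)
        with open(log, "ab") as f:        # stands in for the typing interval
            f.write(b"x" * 64)
        after = snapshot(root)
        grown, created = changed_files(before, after)
        rel = lambda p: os.path.relpath(p, root)
        return {rel(p): n for p, n in grown.items()}, sorted(map(rel, created))


if __name__ == "__main__":
    print(demo())
```

On a live system many legitimate files grow during any interval, so the result narrows the candidates for inspection; comparing a run with typing against an idle run of the same length filters out the background writers.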

po, about 14 years ago
Talk about burying the lede...

And what does he mean by "After the initial set up of the laptop"? What exactly did he do? Couldn't it just mean that the security software he is using to do the scan or the media he is using is infected? I just think this sounds fishy until he's verified it with a completely different set of tools.

anon1385, about 14 years ago
http://www.networkworld.com/newsletters/sec/2011/040411sec1.html

*Samsung responds to installation of keylogger on its laptop computers*

*The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."*

*In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.*

[…]

*We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.*

jgrahamc, about 14 years ago
*Mohamed Hassan, MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009*

Really bad way to start an article. Who cares about all these qualifications? Did he find a key logger and how did Samsung respond?

Unfortunately, they have decided to make us wait for the response. That seems really lame IMHO.

albedoa, about 14 years ago
*The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.*

Thus, it is false-positive proof? Why wouldn't he test it against other tools? Why wouldn't he try to find out as much about this as you can before writing an accusatory article?

Further, why is he running a full-system security scan on a fresh installation of Windows? Is that normal? If this is a genuine accusation of wrongdoing, then I think that the actual sequence of events and his entire methodology should be disclosed.

mrcharles, about 14 years ago
It would be interesting to hear from the HN community, people with Samsung laptops, if they've had this happen, or if they check now, if this keylogger is discovered.

jgrahamc, about 14 years ago
Samsung's response is here: http://www.networkworld.com/newsletters/sec/2011/040411sec1.html

blinkingled, about 14 years ago
Thank heavens this was software based - now imagine if they shipped keyboard firmware with a built in keylogger! Who knows, maybe some do - that would be nearly impossible to detect as they can encrypt it.

On a related note - My bank requires me to use an on-screen virtual keyboard to log into the online account. The keys of this virtual keyboard are randomly rearranged every time it is invoked. That could certainly beat keyloggers.

GiraffeNecktie, about 14 years ago
I would have expected this to show up from many different sources. The fact that only one person is reporting this makes the story somewhat suspect. Surely he's not the only Samsung owner to run a malware scan.

narrator, about 14 years ago
This isn't the first time Samsung did this kind of thing. On their Android phones, they have a system called CarrierIQ that is deeply embedded into the system and can monitor practically all aspects of phone usage.

http://forum.xda-developers.com/showpost.php?p=11763089

derrida, about 14 years ago
So, has ANYONE verified this independently yet?

helmut_hed, about 14 years ago
Here's a plausible scenario under which Samsung is innocent:

1) Starlogger is part of the security software Hassan installed, and 2) The Samsung person he reached didn't know what he was talking about

I have no idea if this is really what happened, but consider:

Hassan says *After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software.*

This could simply be an embarrassing mistake, compounded by the ignorance of some call center person... I'm waiting for confirmation from others with Samsung systems.

unreal37, about 14 years ago
I am skeptical this is true. Some phone tech support guy overseas is not official confirmation of official policy. I would like to see more widespread confirmation ('happened to me too!') before people start dumping on Samsung.

Also missing, evidence it was turned installed and running at bootup, evidence it was sending information anywhere. It should be fairly easy to use the laptop, connect to the internet, and see what data is sent to what server, owned by whom. THAT is evidence. These are just random unimportant files in some random directory until then.

hbz, about 14 years ago
I wonder where it stores all this logged information. Despite a lot of references to the Sony rootkit, the author doesn't specifically call this a rootkit other than to say it's "completely undetectable" (not really). There's also mention of traces of the program being found in c:\windows\SL, which means it's not very well hidden. More information is required.

denysonique, about 14 years ago
However, a scan result does not mean much, a full proof would be if he found the keystrokes actually logged in some file and/or being sent to somewhere.

Btw, I am typing this from a Samsung R510 laptop. Fortunately I don't use crappy Windows. I run Gentoo Linux.

motters, about 14 years ago
It's a disappointing cliff-hanger ending. Without more information it's impossible to say whether this is just some malware accident or a deliberate policy by Samsung. I'm inclined to think that the former situation is more likely.

mulander, about 14 years ago
I own a HP laptop which recently had its motherboard replaced. The machine came with an OEM installation of MS Windows Vista - I didn't reinstall / remove but I did lock out and changed the password for the 'Administrator' account. To my surprise when the laptop came back from repair (official HP on warranty repair) the Administrator account was unlocked and the recent activity on that account indicated that video files were being run recently from it.

I assume that they must have a way to unlock the account I just hope it's not a full time remote control like mentioned in this article. You can be sure of one thing - I will never buy from HP again.

motters, about 14 years ago
The second part is more interesting, but it doesn't give any indication as to whether the keylogger was installed on a small number of internal test machines which then accidentally escaped into consumerland, or whether this is a more widespread practice. If it is widespread then Samsung are really entering a world of pain in terms of lawsuits.

loganlinn, about 14 years ago
Is there not a hole in this argument? Why wouldn't he first question the store at which he bought both of these Samsung laptops? This isn't solid evidence that the source of the keylogger is from the hardware manufacturer and is borderline defamation.

mooky, about 14 years ago
One user reporting an incident does not a story make. Lazy journalism.

Also: a possible publicity attack from someone who has just started up a security consultancy... But this could rebound on him due to his EXTREMELY sloppy work and total lack of forensic skill.

rheide, about 14 years ago
Could be any number of reasons for this. The store may have messed up and had its computers infected by a virus. Or Samsung itself. Or user error, like other people pointed out already.

What I would be interested to know is if the logger actually phones home, and if so, to where. That would give fairly conclusive proof if Samsung did it or someone else. If it's just logging stuff locally then what's the point? Maybe Samsung (if Samsung is indeed the culprit) could claim it's for tech support reasons?

piaskal, about 14 years ago
If it's true I wonder if Samsung actually does that deliberately or were their production systems hit by some malware.

tikna, about 14 years ago
If you think logically, why would they even do that? What can they get out of logged data? Can you give me the answer?

I think you are exaggerating this thing too much.

jpablo, about 14 years ago
This in no way compares to the Sony Rootkit fiasco. Even if the keylogger is still there I'll hardly doubt that Samsung installed it on purpose.

tikna, about 14 years ago
I am trying to find "Mohamed Hassan" on Internet. Now there is a doubt in my mind that he is even a real person?

bigohms, about 14 years ago
Does this mean a Samsung exec will get some jail time just like the Utah University student who did the same thing and changed his grades?

http://findarticles.com/p/articles/mi_qn4188/is_20070107/ai_n17107665/

Derbasti, about 14 years ago
Well, if this turns out to be true, no more Samsung in my family.

azal, about 14 years ago
It sucks when companies start to impose crapware on consumers and defend it as useful.