Samsung Installed Stealth Keyloggers On Laptops

Samsung installed a commercial keylogger on brand-new laptops to monitor customer usage, the company admitted after a user exposed the practice in a security newsletter.

The keylogger was discovered by Mohamed Hassan on two Samsung laptops, the R525 and R540, according to his post on the Security Strategies Alert newsletter run by Mich Kabay, CTO of Adaptive Cyber Security Instruments. In a two-part series, Hassan described how he found the keyloggers and how Samsung denied installing them. the South Korean company later admitted the software was there to “monitor the performance of the machine and to find out how it is being used”, according to Hassan.

StarLogger Found In Two Independent Laptops

While setting up a new Samsung R525 laptop in early February, Hassan ran a full-system scan using an unnamed “licensed commercial security software” before installing anything else. The scan found two instances of a commercial keylogger, called StarLogger, installed within the Windows directory, he wrote.

StarLogger, from a company called de Willebois Consulting, can be downloaded from a number of sites for free. It claims to record every keystroke made on the computer, even on password-protected systems. Completely undetectable, the keylogger starts up when the computer starts up, and sees everything being typed, including email, documents and login credentials. The software periodically emails the collected data and screen captures to a defined email address.

Hassan determined that the software had been installed by Samsung and he cleaned off the software. Shortly after, he bought a Samsung R540 from a different store and found the same StarLogger program in the same location after running a full-system scan during the initial setup. This confirmed his suspicion that Samsung must know about the software on brand-new laptops, wrote Hassan.

“The findings are false-positive proof since I have used the tool that discovered it for six years now and I [have] yet to see it misidentify an item throughout the years,” Hassan wrote.

He called and logged the incident with Samsung Support on March 1. The company initially denied the presence of the keylogger, much “as Sony BMG did six years ago”, Hassan wrote, in reference to Sony’s installing a rootkit on its music CDs, in the autumn of 2005, to monitor computer-user behaviour and limit how the discs were copied. At the time, Mark Russinovich, the developer who found the Sony BMG rootkit, warned, “Consumers don’t have any kind of assurance that other companies are not going to do the same kind of thing [as Sony].”

“How right has Mr Russinovich been,” Hassan wrote.

Samsung tried to lay the blame on Microsoft since “all Samsung did was to manufacture the hardware”, according to Hassan. A support supervisor then confirmed that Samsung knowingly put this software on the laptop to “monitor the performance of the machine and to find out how it is being used”, Hassan discovered.

Samsung wanted to gather usage data without obtaining consent from laptop owners, Hassan concluded. He called it a “déjà vu security incident” and said there were legal, ethical and privacy implications for both businesses and individuals who may purchase and use Samsung laptops. The company could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands, he speculated.

Samsung did not respond to requests for comment.