Since HP Touchpoint Analytics was introduced to users in 2017, it has been a hotrod for controversy. In 2017 HP said the feature “anonymously collects diagnostic information about hardware performance. No data is shared with HP unless access is expressly granted. Customers can opt-out or uninstall the service at any time.”
But users have continued to fill forums with complaints about it, ranging from questions about security to claims that it slowed down their computers.
Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 126.96.36.19927 is affected by what SafeBreach found.
In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as “NT AUTHORITYSYSTEM,” it is afforded extremely powerful permissions that give it wide access.
“The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass Signature Validation Bypassing,” Hadar wrote.
“The components which allow HP Touchpoint Analytics to access sensitive, low-level hardware (such as physical memory, MSRs and SMBios) are provided by an open source hardware monitoring library which is called ‘Open Hardware Monitor’.”
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)
The SafeBreach report explained that the security flaw was found within HP Touchpoint Analytics’ open-source software program and demonstrated how it could potentially be used by cybercriminals to get privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as SYSTEM.
Lindsey O’Donnell at Threatpost explained that “the affected software, Open Hardware Monitor, monitors temperature sensors, fan speeds, voltages, load and clock speeds of a computer. It is utilized by tens of millions of computers and is a key third-party component of HP Touchpoint Analytics.”
At the end of the report on the problem, Hadar notes that SafeBreach notified HP of the vulnerability on July 4, 2019 and went through a lengthy back and forth that lasted four months. HP only released a security bulletin on the problem earlier this month on October 4.
“HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin.HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action,” HP said in the notice.
“HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user’s use or disregard of the information provided in this Bulletin.To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.”
The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users’ systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.
“I found HP Touchpoint Manager unexpectedly deployed on my PC earlier this week (16/11) – obviously without my consent. I understand that it hoovers all sorts of telemetry data – and I am not willing to share too much of it really, definitely not without my knowledge,” one user wrote in November 2017.
At the time, HP was forced to release a statement saying the service was offered since 2014 as part of HP Support Assistant.” They reiterated that HP did not collect any data without being “expressly granted,” something users still dispute.
“HP Touchpoint Analytics was recently updated and there were no changes to privacy settings as part of this update. We take customer privacy very seriously and act in accordance with a strict policy, available here,” the company statement said in 2017.