Samsung Keyloggergate

The internets have been awash this week with the tale of Mohamed Hassan, a security researcher and founder of NetSec Consulting, who allegedly found keylogging software on two different new Samsung laptops. Keylogging software is used to remotely monitor activity on computers, and this particular version can also do screengrabs.

According to Mr Hassan (writing a guest post in NetworkWorld), he was setting up his newly purchased R525 Samsung laptop in February 2011, when he noticed his scan detected a commercial keylogger called StarLogger.

Mr Hassan says he cleaned the laptop after reaching the conclusion that it was installed by the manufacturer, and used the machine for a short period until it developed a fault, upon which he returned it to the store and exchanged it for a higher grade model.

While setting up the new machine, Mr Hassan reports his routine scan again found StarLogger software. He then apparently called Samsung Support on 1st March, who initially denied the presence of the software on the machine.

However, Mr Hassan reports that he eventually spoke with a supervisor who apparently said that Samsung knowingly put the software on the machines to

“monitor the performance of the machine and to find out how it is being used”.

Mr Hassan ends his piece by saying:

“Samsung’s conduct may be illegal; even if it is eventually ruled legal by the courts, the issue has legal, ethical, and privacy implications for both the businesses and individuals who may purchase and use Samsung laptops. Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands”.

However, Samsung seemingly issued a statement yesterday, denying that their laptops are shipped with a keylogger installed, and blaming the result on Mr Hassan’s software:

“The statements that Samsung installs keylogger on R525 and R540 laptop computers are false. Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan.”

I don’t know if it is just me, but this story is causing my bullshit detector cynical side to go into overdrive.

Why would a security consultant continue to use a machine upon which he had found keylogger software?

I’m no tech expert (I can even break a Mac, I’m that speshul), but this chap is obviously an extremely bright expert in his field, looking at his LinkedIn profile. Why then did he not know that VIPRE could bring up false positives and mistake files?

Why would a member of Samsung staff confirm they do put such software on their machines? In fact, would a member of call centre staff know that, and know the alleged reason why?

Why is the denial posted on SamsungTomorrow, which is largely written in Korean, and not on one of the English-language sites? Is SamsungTomorrow even an official Samsung site? The Whois log is a touch unusual for a commercial site.

Since I started writing this piece there have been further developments. GFI, who make the VIPRE software, have issued an apology and said this was all their fault.

And finally, Samsung, in a different release to that above, have said they are investigating the matter. Why they are continuing to investigate after the makers of the software have come out and said mea culpa is anyone’s guess.

Two things are still bugging me. Was there a call to Samsung support and did a member of staff confirm the use of this software? And, if this is a false positive result, how come someone as eminently qualified as this chap didn’t pick that up before making what are pretty heavy accusations?