In 2005, Sony BMG faced a firestorm of consumer outrage, lawsuits, and government investigations when it was revealed that the company had released music CDs containing rootkit software that would install on a Windows PC when the CD was loaded. A rootkit is a set of clandestine software programs that can interfere with an operating system and potentially open security holes.
After facing class-action suits in several states, as well as action from state attorneys general and the Federal Trade Commission, Sony in January 2007 announced a recall of more than 50 albums that contained rootkits and a settlement with the FTC by which Sony agreed to pay consumers $150 to repair damage to their computers. In announcing the settlement, FTC Chair Deborah Platt Majoras said, "Installations of secret software that create security risks are intrusive and unlawful."
On Tuesday, Finnish security company F-Secure announced that another Sony product -- this one from Sony Electronics -- also contains rootkit software. The Sony MicroVault USM-F memory stick includes software that acts like a rootkit, hiding itself from the operating system, F-Secure said.
Vulnerable to Malware
The fingerprint reader software included with the product hides itself from Windows, as well as from some antivirus scanners, making it "possible for malware to use the hidden directory as a hiding place," F-Secure said. The company said the latest versions of MicroVault software also contain the hiding functionality.
"It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," F-Secure said. Conceding that fingerprint ID software would require some secure authentication scheme, the firm said, "rootkit-like cloaking techniques are not the right way to go here."
Andrew Storms, a security analyst with nCircle in San Francisco, said that Sony "more than likely" used the hidden directory to secure the operations of the fingerprint reader on the memory card. "The threat to the consumer is that it may also be used by enterprising malware authors," he said. "The hidden directory is now a known quantity. Virus authors can instruct their code to first try this hidden directory as a resting place for their malware, which subsequently will become undetectable to antivirus software."
Product No Longer Sold
CNET reported that a Sony spokesperson said the fingerprint reader product is no longer for sale and no other versions of the MicroVault stick contain the rootkit.
That's good news, said Storms, adding "we can bet that the antivirus vendors will be adding this hidden directory to their known list of items to check." Because Sony appears to have used the hidden directory technique only on the fingerprint reader product, it should have limited impact.
"In the larger view of potential target landscapes worth attacking, this is probably not a large threat to consumers or enterprises at the moment," Storms said. The story is a reminder, however, for enterprises to keep antispyware and antivirus software updated, he concluded.