It appears that Sony could have another rootkit scandal on its hands if a recent report from Finnish security firm F-Secure proves true.
The problem concerns a hidden directory contained in software for Sony’s MicroVault USM-F thumb drive. The files, according to F-Secure, could be accessed by hackers and used to install other hidden files on an unwary user’s computer.
Blast From the Past
The report bears a resemblance to the Sony BMG rootkit debacle uncovered in December 2005. Researchers in that case discovered that Sony BMG CDs in the U.S. contained copyright protection software that installed hidden files, known as rootkits, onto users’ computers when they attempted to play the music on PCs or rip the tunes to their hard disks.
The rootkits were meant forestall CD owners from illegally copying music from the discs. CDs from more than 50 of Sony’s artists, including Ray Charles, Frank Sinatra and Celine Dion, contained the digital rights management (DRM) software.
Sony’s intent — to prevent pirates from making and distributing unauthorized copies of its CDs — may have been legitimate; however, the hidden components in its DRM software were installed without consumers’ knowledge and left their computers vulnerable to attacks from the wares of cyber criminals, such as Trojans that used the code to escape detection by Internet security programs. In response, the Federal Trade Commission (FTC) ruled Sony had acted improperly and illegally by surreptitiously including the rootkits on the CDs
The scandal cost Sony between US$4 million and $6 million to settle. In at least 15 class action lawsuits filed in several U.S. states, consumers who purchased the CDs, as well as those whose computers were harmed by the software, demanded reimbursements. Under the settlement agreement, Sony was also prohibited from using any similar DRM technologies in the future.
Something Old and New
The software included with the MicroVault USB stick, according to F-Secure, installs a driver that hides a directory under “c:windows.” The files contained in the directory are not visible through the Windows application programming interface unless users already know the name of the directory.
However, an enterprising individual can find ways to run files from this directory. This poses a danger to computer users, as the files contained in the directory cannot be detected by some antivirus programs, depending on the techniques employed by the antivirus software. That is good news for the criminals and bad news for MicroVault owners.
“It is therefore technically possible for malware to use the hidden directory as a hiding place,” F-Secure reported.
This time around, researchers said they believe the directory has been cloaked to maintain a secure authentication and avoid detection from those who would try to meddle with or circumnavigate the software’s thumb print protections.
“It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass,” F-Secure said. “However, we feel that rootkit-like cloaking techniques are not the right way to go here.”
F-Secure contacted Sony regarding the company’s concerns, it said, but decided to go public after the electronics maker failed to respond.
Sony is “still receiving information in this and should have more details shortly,” Sony spokesperson Tom Di Nome told TechNewsWorld.
“This product was discontinued last year,” he continued, “and was the only version of the MicroVault that had the fingerprint-reader feature.”
No Rush to Judgment
Further data may be necessary before directly equating F-Secure’s report with Sony BMG’s 2005 fiasco.
“I’d like to see a little more information on this issue, including corroboration by another researcher before I form definitive conclusions,” Andrew Jaquith, a Yankee Group analyst, told TechNewsWorld. “That said, if the Sony product does indeed hide files the way F-Secure describes, it could be a problem for Sony.”
This does seem different than the rootkit scandal, in which Sony was installing software onto the machine, Natalie Lambert, an analyst at Forrester Research, told TechNewsWorld, However, she pointed out, Sony needs to make some sort of statement.
“That does not seem to be the case here,” she said. “With that said, at the point at which this story became public, Sony should have made a comment. Whether or not this story is accurate, there will be a perception that Sony is hiding this. And, in the eyes of public opinion, they will be guilty until proven innocent.”
Fortunately for Sony, consumers do not turn away from brands over these types of issues, Yankee Group’s Jaquith said.
“Generally speaking, consumers don’t abandon vendors over security issues unless they cause widespread harm or annoy their users. This issue doesn’t meet that test yet.
“Consumers are much more likely to shy away from a company like Sony because, say, their new ‘Casino Royale’ DVD won’t play on their DVD player because of copy protection software,” he continued.
“That happened to me,” he said. “I called Sony up, and they overnighted me a new DVD, and now it works fine. That said, it makes me less friendly towards Sony.”