Sony is prepping an update to remove rootkit-like technology that shipped with a range of USB storage devices featuring fingerprint authentication.
The Sony MicroVault USM-F fingerprint reader software that comes bundled with the USB stick installs a hidden directory under Windows. Files in the directory might be hidden from some antivirus scanners, potentially creating a hiding place for malware that virus authors could seek to exploit.
The tactic, a misguided attempt to protect fingerprint authentication from tampering and bypass, was uncovered by net security firm F-Secure. Three Sony MicroVault USB stick models with fingerprint readers contain the software. They are no longer in production but are available still for purchase.
According to Sony, the blame lies with code supplied by a third-party developer from China. An update to resolve the problem is scheduled for release in mid-September.
The behaviour of the MicroVault software is similar to - but less easy to exploit than - that created by the notorious DRM technology that shipped on Sony CDs. The latter was a practical rootkit risk that was exploited by a number of Trojans.
In 2005 Sony BMG created a public-relations and legal nightmare when it emerged that digital rights management (DRM) software installed on some of its music CDs created a handy means for hackers to hide malware from anti-virus scanning programs. Under pressure, Sony recalled discs loaded with the technology and set up an exchange program for consumers. The music label still faces class action lawsuits by users who allege that their PCs have been damaged by the technology.
Throwaway comments made by Rick Rubin, a music producer and recently appointed co-head of Columbia Records, which is owned by Sony BMG, this week are likely to further inflame the controversy. He told the New York Times that the technology "recorded information about whoever bought the record", indicating that some kind of "spyware" also came with the cloaking technology introduced by Sony's DRM software. ®