back to article Sony bundles rootkit-like software on USB drive

A USB fingerprint authentication device from Sony contains rootkit-like technology, according to security watchers. The MicroVault USM-F fingerprint reader software bundled with the stick installs a hidden directory under Windows. "Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM …

COMMENTS

This topic is closed for new posts.
  1. Daniel Snowden

    Surprised?

    Is anyone actually surprised by this? All this proves is that a leopard doesn't change it's spots.

  2. Konstantinos

    Hmm..

    2k was added recently

    Sony skipped been added last time, she managed this time though.

    My blacklist has 1 more entry.

  3. Kenny Millar

    Consultants - con and insult

    This is what happens when a corporation like Sony hires consultants, rather than talking to the industry.

    Security through obscurity - which this is - is no security at all.

    They are pushing at us a security product, yet they are trying to hide from us the components of said product. Why should we trust our security to a company which itself cannot be trusted? If it COULD be trusted it would be using technologies which are open to scriutiny, not hidden by root kits.

  4. Jon Thompson

    Do these people...

    ... ever learn? More malware disguised as "copy-protection is simply malware. If it can be exploited, then it will be.

    It's the same with anything else that infects your system with crap like this - simply don't buy it. The only way that corporations will stop doing this is if their product doesn't sell, because all they're concerned about is the bottom line, and if a product doesn't make money, it'll be dropped, and the bosses will want to know why

  5. Ross Fleming

    Erm, the big deal?

    Probably missing the point. Yes it's not brilliant that Sony has taken this approach, but using a virus as an example of why it's bad doesn't seem to hold water to me. If the Sony installer can create this hidden-from-windows-shenanigans, surely any virus installer worth its salt can just do this by itself and not rely on the target already having a Sony rootkit installed?

  6. Anonymous Coward
    Anonymous Coward

    Makes you wonder......

    What fun can be had with a PS3..........

  7. Edward Pearson

    Define Stupidity

    Stupidity: Doing the same thing more than once and expecting differant results.

  8. Dam

    Sony chief tells customers: don't buy from us

    Fun how a few big companies manage to tell people "don't buy from us or you'll be stuffed" in much shorter terms than your usual EULA.

  9. Whitter

    Who pays the piper

    This may well impinge on Sony's legal suit vs. the developers of their previous CD rootkit. they claim the rookit there was not of their doing, but here we see it again, in a different product line from the same company.

  10. James O'Shea

    Sony hardware

    I'm currently looking for some new hardware for my main home machine, including a DVD burner. I'd been looking seriously at Sony kit. Now I have to wonder what's in the ROM on that hardware, and what's on the disc it ships with.

    Time to have a look at Taiwanese and Korean hardware, I guess.

  11. Anonymous Coward
    Anonymous Coward

    Don't forget

    Of course you need to remember this sort of thing... when my history teacher was trying to explain the purpose of teaching history she said "it's so we don't make the same mistakes in future". I didn't believe it then and it appears that sony don't believe it now.

    There are 2 issues here:

    1. Sony believe in 'security through obscurity'.

    2. There are ways that some antivirus products can be fooled.

    Obviously 2 is not Sony's fault - I blame micro$oft!

    As for number 1, they should learn that it doesn't work... in the same way as microsoft do everything possible to block access to the sam file vs linux where you can hack about with the /etc/shadow file as much as you like, provided you have the right permissions (or physical access). All you're doing in this case is encouraging hackers to work out ways to bypass it... if your security is good enough in the first place, hackers won't need to bypass your obscuring methods.

    Which brings me to my other point... if I remember correctly (I can't be bothered to check), the amongst the DRM scandal it was discovered that the malicious software used parts that were GPLd, without conforming to the rest of the GPL.

    tut tut

  12. A. Merkin

    Sorny vs Magnetbox

    Now I'm no Sony "fanboi", but Howard Stringer is a GOD! This hidden folder is a benefit to the consumer, plain and simple (not a "vulnerability" as the "experts" with their "technical knowlege" would claim).

    If I can't see it, it's not there. So how can it be a problem?

    I for one welcome Sony's innovative strategy to take over the ownership of my PC and manage it for me. I just hope it's Vister compatible.

  13. Charlie van Becelaere

    Stupidity?

    Edward Pearson posted -

    Stupidity: Doing the same thing more than once and expecting different results.

    I thought that was quantum mechanics.

  14. Anonymous Coward
    Anonymous Coward

    Sony?

    Who are they again?

    @Ross, yes a virus could do this on its own, but most people try and prevent that happening. Presumably, most Sony customers would not try and prevent this device from entering their system and leaving it open (or closed?). It would be easier to craft a virus that took advantage of a rookit, than one that installed a rootkit. Besides, as others have said it's security through obscurity (the old leave the key under the flowerpot).

    Who are they, again?

  15. Timothy Birch

    Learning Curve

    Hit head on wall - if head hurts then shake head and wonder why it hurts - loop to start of process and repeat.

    And these are the sorts of people we trust to write the software which we depend on? How long does it take for them to learn? Or maybe we are the ones who need to learn - maybe companies like Sony and M$ are right and the vast majority of people are idiots who will keep buying and believing everything the big companies tell them no matter how insane it is. Maybe those of us who understand are just too small a percentage for them to worry about and while we laugh at them, they are laughing at us and in the end they will continue to win no matter what stupid or even outrageous things they do. But I hope that people are not as stupid as these companies count on.

    Nobody could have guessed the Berlin Wall would come down when it did - took the world by surprise, and nobody could have guessed the collapse of the USSR - one day a super power with only one other country in the same league and the next day a bunch of independent countries scrambling for whatever pieces they could grab. ------ Well, to me, Sony is starting to look a lot like the Berlin Wall and M$ is looking like USSR - maybe tomorrow will find the kind of revolt that will end them both - and before you start to tell me why that could never happen, think about the impossible things that HAVE happened. M$ and Sony fall apart and loose their control of the market place? Impossible? Yep, just as impossible as the Soviet Union falling apart.

    Always try to do 3 impossible things before breakfast - so let’s get rid of the companies that treat us like we are stupid. No more Sony and M$ broken into many little independent Micro-companies that need to keep us happy to stay in business.

  16. Morely Dotes

    Proposed:

    In future, whenever a multinational corporation commits a heinous violation of customers' rights (to include, but not limited to, outright illegal acts such as installation of rootkits), it shall be called, "doing a Sony."

  17. Anonymous Coward
    Anonymous Coward

    This shouldn't be possible on any OS

    BTW Mr. Merkin, nice Simpsons references. You could always go with a Panaphonics. ha ha

    Anyway, doesn't it seem like the OS vendors should be making sure no files or folders can be made hidden like this? I mean, sure there is a "hidden" flag in the file system that allows files to be hidden from non-admin users, but as a local admin on my machine, I don't want any OS that can allow entire directories to dissapear but still be there. I realize that's what a rootkit does, but ok then let's make Windows stop being vulnerable to rootkits!

  18. Franklin

    Suppose you were an idiot...

    ...and suppose you were management at Sony. But I repeat myself.

  19. Anonymous Coward
    Anonymous Coward

    sony rootkits...

    "What fun can be had with a PS3"

    The ps3 and the xbox360 ships with a pre installed rootkit called a hypervisor. This is the default choice when someone really wants to lock out the user from its hardware. Microsoft's implementation was very good while sony's had a good hardware but it's software is patchy at least. (for clues just look at the gaps in the hypervisor call table around the gpu interface...) The fact that nobody has broken it can be attributed the fact that nobody cares about the ps3 as much as the xbox360. On the pc front the only 'safe' hardwares are apple macs but the drm is not really used or enforced. Since the rest of the world uses non trusted pc-s, microsoft had to rewrite it's own drm (aka anti user) code and this rewrite left the holes in it's protection system that we see as vista kernel and driver problems. Sony just tries to patch back the functionality that was promised by microsoft and they do it in a pretty stupid way.

  20. Danny Thompson

    Final nail in the ole coffin methinks ...

    I have steadily been going off Sony ever since I bought one of their MD players who's management software would only install on a manufacturer-installed version of Windows XP. FFS why? I build all of my own kit, so here I was with another piece of Sony carp that was all but useless unless I went out and bought a Dell or suchlike.

    Sony really do not have the beginnings of a clue. Their control-freakery has completely alienated me from their entire product line. I wouldn't even buy a TV off them now. Just as well I don't have to :)

  21. Brian

    Re Final nail...

    Re Final nail "I have steadily been going off Sony ever since I bought one of their MD players who's management software would only install on a manufacturer-installed version of Windows XP" U mean u couldn't install the software on your pirate copy of XP. There is no such thing as software that only installs on Dell branded XP. And all u guys moaning about root kit. The root kit was on sony cd albums for 6 MONTHS before anyone even noticed. Then a story appeared on the net about it and suddenly everyone was up in arms. Get a life guys. Do u really think fingerprint verification should be stored in a visible folder ??

  22. James Butler

    Am I missing it?

    What's the problem with using piffling old 128-bit encryption? What's the point of using a hidden directory for storing the validation program? Is it beyond Sony to simply scramble the crap out of the validation hash using the authentic user's own fingerprint whorls and ridges as the key? Should I be seeking a patent on that fairly obvious concept?

  23. Anonymous Coward
    Anonymous Coward

    Re: Final nail ... - what an odd argument

    > And all u guys moaning about root kit. The root kit was on sony cd albums for 6

    > MONTHS before anyone even noticed.

    And that makes it OK??

    So if I go out and plant say a hidden camera in your house, and no-one discovers it for 6 months, that wouldn't be too bad either? Use your brain, Brian.

    Within a week of the XCP rootkit hitting the press, there was malware in the wild that tried to use the rootkit to cloak its existence, and system administrators had no clue which machines were at risk.

    As for your fingerprint argument, you obviously think that obscurity offers real security. It doesn't. It is like arguing that one house is more secure than another identical house because it is harder to find.

    And I am more than happy for my fingerprint to be stored in a visible folder (I write software that interfaces with several fingerprint readers). None store your image, but store angles between minutiae, and rate how many angles on the current scan match the stored template. If you get a good score, you pass.

    Adam

  24. Brian

    Re: What an odd argument

    If I was creating malware I would hardly only target only people who use sony usb drives with finger print readers, that would be crazy. So what happens if someone deletes your visible folder ? I'll tell u what happens, the owner of the finger is screwed. Anyway as has been said, any virus writer could create a invisible folder, they don't need help from sony. Play your CD's on a decent HIFI, they will sound a lot better anyway.

  25. A J Stiles

    This should be it

    Can I be the only person in the world who thinks it's time we had a law which would deal with this sort of behaviour once and for all?

    I'm talking about MANDATING access to Source Code. If you use a piece of software, then that should give you an *automatic* right to inspect and modify (but not necessarily distribute) its Source Code. That ESPECIALLY includes drivers for hardware (otherwise, manufacturers can pull various nasty stunts; like refusing to release drivers for older hardware under newer OSs, effectively making it unusable, or making mendacious yet unverifiable claims in respect of its capabilities).

    Vendors may not like it, and will doubtless whinge; but they will just have to deal with it or get out of the market. As a tactic for preventing piracy, withholding Source Code from paying customers has been a spectacular failure. Most, if not all, malware is the direct result of "collateral damage" arising from this obnoxious practice. (Witness the turnaround time between initial discovery of a security flaw in an Open Source application and the availability of a patch -- often developed independently of the original author -- versus the patch turnaround time for Closed Source software.)

    Whatever you may think of the Open Source community, at least we aren't the ones who consistently piss on your chips and tell you it's vinegar.

  26. Entropy

    @ Everyone who seems to think that invisible = secure

    "So what happens if someone deletes your visible folder ? I'll tell u what happens, the owner of the finger is screwed. "

    A folder being visible does not mean that it can be deleted... And it being invisible (though I don't know how a folder can be kept hidden from the OS) does not mean that it cannot be.

    If there is proper permission settings such that only an admin has access to the folder that is enough security. If you can tamper with it then you've already gained admin access. I really don't see how being invisible from the OS adds any security. Of course it will prevent the regular user from noticing it, but it sure wouldn't stop an experienced hacker which is precisely what it claims to do.

  27. A. Merkin

    Tighter Security

    Sony would be a more rational company if it were split in two. Sony Hardware/SW is overprotective of Sony Media, with disasterous results.

    For better security, get two fingerprint readers and a voice recognition system...

    Hey Sony... ooVo "Ptbbbbbbtttt!"

  28. Anonymous Coward
    Anonymous Coward

    But Brian...

    You (sorry, u) are missing the point.

    These directories are impossible to see, even if you are an administrator and using all of the forensic tools available to you. Your antivirus software cannot even detect that they are there. So if a virus or keylogger could take advantage of a flaw in the Sony software to install itself into the hidden directory, it cannot be detected. You would be blissfully unaware that something was recording all your keystrokes and sending them home to daddy when you log on to internet banking or use amazon or whatever.

    As has been said, a better option would be encryption and access protection. It's easy enough to do and malware exploiting it would then be visible and the AV scanners can deal with it.

  29. Anonymous Coward
    Anonymous Coward

    And???

    You've got a corporation that has clearly shown that it has less respect for its users than it does for other corporations, by illegally installing malware onto users' machines.

    Two years later, you think they'll behave any differently? Why would they? They got their little fingers burned the last time, true. A human might have reconsidered his evil ways and given up on that course, or at least tried to avoid another public spanking. A corporation, though, has no shame, no conscience, and apparently a short memory. Perhaps, though, they got a competent programmer to create this rootkit - someone who has experience in creating malware.

This topic is closed for new posts.