Sony USB Fingerprint Readers Caught in Rootkitlike Action

By Lisa Vaas | Posted 2007-08-29

F-Secure says three discontinued Sony Micro Vault fingerprint reader USB devices are acting like rootkits.

Sony appears to be reliving its rootkit nightmare of 2005, when it had to yank its XCP digital rights management technology after security experts said the technology used malicious rootkit techniques to evade detection on Windows systems.

This time, three Sony USB fingerprint devices are planting hidden files for two separate rootkitlike programs, according to security vendor F-Secure, based in Helsinki, Finland. F-Secure reported on Aug. 29 that its DeepGuard HIPS (host-based intrusion prevention system) was warning about a USB stick software driver.

According to a spokesperson for Sony, headquartered in Tokyo, the issue relates to three models in Sony's Micro Vault line, which offer fingerprint authentication technology. The models have recently been discontinued, the spokesperson said, and "no customers have reported problems to date," although Sony is still investigating the problem and is "taking the issue very seriously."

According to F-Secure's blog posting, the USB devices in question contain a built-in fingerprint reader that installs a driver that hides a directory under c:\windows\. The directory and any files within it are hidden when viewing files and subdirectories in the Windows directory.

In effect, the fingerprint software's driver opens up a path for malware to sneak onto a system, according to F-Secure. "If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files," wrote F-Secure Chief Research Officer Mikko Hypponen in the post. "There are also ways to run files from this directory. Files in this directory are also hidden from some anti-virus scanners (as with the Sony BMG DRM case)—depending on the techniques employed by the anti-virus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."

This rootkitlike behavior is "closely related to the Sony BMG case," Hypponen said. "First of all, it is another case where rootkitlike cloaking is ill-advisedly used in commercial software. Also, the [devices] we ordered are products of the same company—Sony Corporation."

Beyond testing the software packaged with these devices, F-Secure also tested what Hypponen said is the latest software available from Sony at its Micro Vault site. This version contains the same directory-hiding characteristic, he said. The Sony spokesperson said the company is now investigating whether this version is current and whether it displays the hiding behavior.

As for why the fingerprint technology would need to hide a folder in the first place, F-Secure conjectured that it might be to shield fingerprint authentication from tampering and bypass. "It is obvious that user fingerprints cannot be in a world-writable file on the disk when we are talking about secure authentication," Hypponen said. "However, we feel that rootkitlike cloaking techniques are not the right way to go here."

F-Secure noted that although the devices in question are old, the security firm had managed to track them down and purchase them.
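
An added example, not from F-Secure or the original article: a cross-view check for the behavior described above, where a directory is missing from the enumeration of its parent yet still opens by direct path. The directory names and the `filtered` lister that simulates a hiding driver are constructed placeholders, since the article does not name the hidden directory.

```python
import os
import tempfile


def listed_names(parent):
    """Names the OS reports when enumerating `parent`, case-folded
    (assumption: Windows-style case-insensitive names)."""
    return {name.casefold() for name in os.listdir(parent)}


def find_cloaked(parent, candidates, enumerate_fn=listed_names):
    """Return candidate names that resolve by direct path but are absent
    from the enumeration of `parent` (the cross-view mismatch)."""
    seen = enumerate_fn(parent)
    cloaked = []
    for name in candidates:
        path = os.path.join(parent, name)
        # View 1: direct lookup by name. View 2: the parent's listing.
        if os.path.lexists(path) and name.casefold() not in seen:
            cloaked.append(name)
    return cloaked


def demo():
    """Run the check in a constructed sandbox, with and without a
    simulated listing filter. Returns (honest_result, filtered_result)."""
    candidates = ["hidden_dir", "visible_dir", "absent_dir"]  # placeholders
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "hidden_dir"))
        os.mkdir(os.path.join(root, "visible_dir"))

        # Stand-in for a driver that drops one entry from directory listings.
        def filtered(parent):
            return listed_names(parent) - {"hidden_dir"}

        honest = find_cloaked(root, candidates)
        hooked = find_cloaked(root, candidates, enumerate_fn=filtered)
    return honest, hooked


if __name__ == "__main__":
    honest, hooked = demo()
    print("unfiltered listing:", honest)
    print("filtered listing:  ", hooked)
```

On a real host the candidate list has to come from a source the listing filter does not control, such as vendor documentation or an offline scan of the same volume.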
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.