Sony USB Fingerprint Readers Caught in Rootkitlike Action

F-Secure says three discontinued Sony Micro Vault fingerprint reader USB devices are acting like rootkits.

Sony appears to be reliving its rootkit nightmare of 2005, when it had to yank its XCP digital rights management technology after security experts said the technology used malicious rootkit techniques to evade detection on Windows systems.

This time, three Sony USB fingerprint devices are planting hidden files for two separate rootkitlike programs, according to security vendor F-Secure, based in Helsinki, Finland. F-Secure reported on Aug. 29 that its DeepGuard HIPS (host-based intrusion prevention system) was warning about a USB stick software driver.

According to a spokesperson for Sony, headquartered in Tokyo, the issue relates to three models in Sonys Micro Vault line, which offer fingerprint authentication technology. The models have recently been discontinued, the spokesperson said, and "no customers have reported problems to date," although Sony is still investigating the problem and is "taking the issue very seriously."

According to F-Secures blog posting, the USB devices in question contain a built-in fingerprint reader that installs a driver that hides a directory under c:\windows\. The directory and any files within are hidden when viewing files and subdirectories in the Windows directory.

In effect, the fingerprint softwares driver opens up a path for malware to sneak onto a system, according to F-Secure.

"If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files," wrote F-Secure Chief Research Officer Mikko Hypponen in the post. "There are also ways to run files from this directory. Files in this directory are also hidden from some anti-virus scanners (as with the Sony BMG DRM case)—depending on the techniques employed by the anti-virus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."


Click here to read more about security vulnerabilities involving USB drivers.

This rootkitlike behavior is "closely related to the Sony BMG case," Hypponen said. "First of all, it is another case where rootkitlike cloaking is ill-advisedly used in commercial software. Also, the [devices] we ordered are products of the same company—Sony Corporation."

Beyond testing the software packaged with these devices, F-Secure also tested what Hypponen said is the latest software available from Sony at its Micro Vault site. This version contains the same directory-hiding characteristic, he said. The Sony spokesperson said the company is now investigating whether this version is current and whether it displays the hiding behavior.

As for why the fingerprint technology would need to hide a folder in the first place, F-Secure conjectured that it might be to shield fingerprint authentication from tampering and bypass.

"It is obvious that user fingerprints cannot be in a world-writable file on the disk when we are talking about secure authentication," Hypponen said. "However, we feel that rootkitlike cloaking techniques are not the right way to go here."

F-Secure noted that although the devices in question are old, the security firm had managed to track them down and purchase them.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.