Yes folks, Sony has done it again! Here’s yet another “rootkit” scandal to add to their already poor security-related reputation. According to F-Secure, a well-known security corporation, certain models of USB keys sold by the electronics giant contain a hidden directory that could be used by villains to distribute malware.
The problem comes from the fingerprint-reader software contained within Microvault USM-F USB keys. When a user connects the device to a USB port, the biometric driver automatically creates a hidden directory named “c:indows” (no, that’s not a typo). Since this directory is not directly accessible and does not use the standard Windows naming convention, AV software cannot access it, allowing cybercrooks to hide dangerous code and applications within it.
According to F-Secure:
It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here. As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them.
Since the Sony rootkit fiasco occurred in late 2005, I’ve never purchased a Sony product again. You may think I’m over-reacting to the situation, but I think companies have a responsibility toward the security of their customers, and clearly, Sony is not taking that responsibility very seriously.
(N.B.: Contributor Brian Boyko feels the same way not just about Sony’s security policies but also about Sony’s habit of making only Sony-brand accessories compatible with Sony-brand products. The fact that Sony cameras only accepted Sony microphones was one of the reasons that he decided to drop $1000 on a Canon HV20 instead of a similar Sony videocamera.)
Double Whammy! Another Sony Case (F-Secure.com)