Original URL: http://www.theregister.co.uk/2007/09/04/sony_fingerprint_rootkit_update/
Sony is prepping an update to remove rootkit-like technology that shipped with a range of USB storage devices featuring fingerprint authentication.
The Sony MicroVault USM-F fingerprint reader software that comes bundled with the USB stick installs a hidden directory under Windows. Files in the directory might be hidden from some antivirus scanners, potentially creating a hiding place for malware that virus authors could seek to exploit.
The tactic, a misguided attempt to protect fingerprint authentication from tampering and bypass, was uncovered by net security firm F-Secure. Three Sony MicroVault USB stick models with fingerprint readers contain the software. They are no longer in production but are still available for purchase.
According to Sony, the blame lies with code supplied by a third-party developer from China. An update to resolve the problem is scheduled for release in mid-September.
The behaviour of the MicroVault software is similar to - but less easy to exploit than - that created by the notorious DRM technology that shipped on Sony CDs. The latter was a practical rootkit risk that was exploited by a number of Trojans.
In 2005 Sony BMG created a public-relations and legal nightmare when it emerged that digital rights management (DRM) software installed on some of its music CDs created a handy means for hackers to hide malware from anti-virus scanning programs. Under pressure, Sony recalled discs loaded with the technology and set up an exchange program for consumers. The music label still faces class action lawsuits by users who allege that their PCs have been damaged by the technology.
Throwaway comments made this week by Rick Rubin, a music producer and recently appointed co-head of Columbia Records, which is owned by Sony BMG, are likely to further inflame the controversy. He told the New York Times (http://www.nytimes.com/2007/09/02/magazine/02rubin.t.html?_r=1&ref=magazine&oref=slogin) that the technology "recorded information about whoever bought the record", indicating that some kind of "spyware" also came with the cloaking technology introduced by Sony's DRM software. ®
© Copyright 2008