A line of Sony USB drives installs files in a hidden folder that can be accessed and used by hackers, Finnish security company F-Secure charged on Monday, raising the specter of a replay of the Rootkit fiasco that hit Sony BMG two years ago.
According to F-Secure, the fingerprint-reader software included with the Sony MicroVault USM-F line of flash drives installs a driver that hides in a hidden directory under "c:indows". That directory, and the files within it, are not visible through Windows' API, F-Secure said.
"It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication," F-Secure said. "However, we feel that rootkit-like cloaking techniques are not the right way to go here. As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them," the company concludes.
The fact that the hidden directory goes unspotted by some antivirus scanners makes the situation similar to the Sony BMG rootkit case in late 2005. Then, researchers spotted rootkit-like cloaking technologies used by the copy-protection software Sony BMG Music Entertainment installed on PCs when customers played the label's audio CDs.