Rootkit found in older Sony USB device

F-Secure says it discovered rootkit technology in Sony's Micro Vault USM-F fingerprint reader software. The find comes two years after controversy over Sony's DRM technology.

Nearly two years after Sony faced a storm of criticism for using a rootkit-like program in its digital rights management (DRM) technology, security researchers at F-Secure say they have discovered something similar in Sony's Micro Vault USM-F fingerprint reader software.


The latest example of rootkit use was found in software that's part of an older line of USB drives sold by Sony Electronics, according to Mika Stahlberg, a researcher for the Finland-based security firm.

In the F-Secure blog, Stahlberg wrote that the Sony Micro Vault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under 'c:\windows\'. When files and subdirectories in the Windows directory are enumerated, he said, the directory and the files inside it are not visible through the Windows API. If someone knows the name of the directory, it is possible to enter the hidden directory from a command prompt and to create new hidden files there.

"It is our belief that the Micro Vault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," he said. "It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."
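The behaviour described above, a directory that is missing from enumeration yet reachable by name, is what a cross-view check looks for. The Python below is an added example, not code from F-Secure or Sony; the function names, the candidate names and the simulated filter are assumptions, since the article does not name the hidden directory.

```python
import os
import tempfile


def listed_names(parent):
    """Names the normal directory-enumeration API returns for `parent`."""
    return {name.casefold() for name in os.listdir(parent)}


def resolves_by_name(path):
    """True if `path` can be reached directly by name, bypassing enumeration."""
    try:
        os.stat(path)
        return True
    except OSError:
        return False


def find_cloaked(parent, candidates, lister=listed_names):
    """Return candidates that resolve by name yet are missing from the listing."""
    listed = lister(parent)
    return sorted(
        name for name in candidates
        if name.casefold() not in listed
        and resolves_by_name(os.path.join(parent, name))
    )


def demo():
    """Constructed scenario: a fake 'filter' drops one entry from the listing."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "cloaked_dir"):  # constructed names
            os.mkdir(os.path.join(root, name))

        def filtered(parent):
            # Stand-in for a driver that hides one name from enumeration.
            return listed_names(parent) - {"cloaked_dir"}

        candidates = ["system32", "cloaked_dir", "not_present"]
        clean = find_cloaked(root, candidates)
        hooked = find_cloaked(root, candidates, lister=filtered)
        return clean, hooked


if __name__ == "__main__":
    print(demo())
```

A name-based probe only finds directories whose names are already suspected; comparing the API listing against a raw parse of the file system covers names that are not known in advance.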

He did note, however, that Micro Vault with fingerprint authentication appears to be an older product Sony may no longer be manufacturing. Nevertheless, Stahlberg said, F-Secure researchers did manage to find the product on sale.


F-Secure said it contacted Sony before going public with its latest discovery, but that Sony hasn't responded. Sony did not immediately respond to a request for comment from

Graham Cluley, senior technology consultant for UK-based security software company Sophos, said his organisation has been unable to locate one of the USB devices in question, and that they don't seem to be readily available in Australia and the UK. But he did find that they can be purchased online via such sources as He declined to comment on the specifics of F-Secure's findings, but he did express concern over the general practice of using hidden technology as Sony has in the past.

"Hopefully, this new rootkit is not going to be as widespread as when Sony shipped one on popular music CDs," Cluley said in an email exchange.

In late 2005, Sony BMG Music Entertainment found itself at the center of a media firestorm when a researcher discovered the company was using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Experts at the time worried that if more companies used the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers, they noted.


