USB stick cloaking trick may make PCs vulnerable

2019-02-27 03:16:05

By New Scientist staff and Reuters

High-end Sony memory sticks carry software that could make computers vulnerable to hackers, say researchers from two internet security firms.

Researchers with Finnish security software company F-Secure discovered that Sony’s Micro Vault – a USB memory stick that has a built-in fingerprint reader – includes software that creates a hidden directory on the computer’s hard drive.

Creating “invisible” directories on a computer is a trick also employed by a type of hacking tool known as a “root kit”. F-Secure’s researchers say the USB stick’s file-hiding trick could also let hackers cover their tracks and hide malicious activity on a machine.

“It is our belief that the Micro Vault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass,” writes researcher Mika Stahlberg on the company’s blog. “It is obvious that user fingerprints cannot be in a world-writable [unprotected] file on the disk. However, we feel that rootkit-like cloaking techniques are not the right way to go.”

Stahlberg says his team contacted Sony before going public with the information but received no reply from the company.

In November 2005, researchers found that Sony used a similar file-cloaking technique to hide anti-piracy software on computers. The software was bundled on music CDs and the discovery sparked much controversy (see “Sony BMG sued over cloaking software on music CD”).

Software and files buried in hidden drives are not only invisible on screen, they can also elude security software.

On Tuesday, researchers with computer security company McAfee confirmed the vulnerability described by F-Secure.

“The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives,” says McAfee spokesman Dave Marcus. “However, software creators apparently did not keep the security implications in mind. The application could be used to hide arbitrary software, including malicious software.”

Sony spokesman Chisato Kitsukawa said he could not immediately comment on the situation.