Sony halts production of rootkit USB sticks

Sony has ceased production of three Microvault USB memory key models that pose a potential security risk to Windows computers, a company spokesperson told vnunet.com.

The spokesperson said that the electronics manufacturer stopped shipments of the product earlier this month. Rather than citing security concerns, however, the company phased out the product line because of "modest sales".

Sony said that it is currently investigating the security issues. Pending the investigation, it is unable to say whether it plans to issue a recall.

The three discontinued models are the USM-128C, USM-256F and USM-512FL, each of which has an embedded fingerprint reader.

Sony could not verify the number of devices that have been distributed, but said that a "limited" number had been sold worldwide over the past few years.

Security vendor F-Secure warned earlier this week that malware writers could abuse a feature of the software that shipped with the device to hide malicious applications from the user and security software.

The software, developed by Taiwan's FineArt Technology, operates in a way that resembles a rootkit.

In combination with the FineArt software, the fingerprint reader controls access to the data stored on the device.

The software stores information about authorised fingerprints in a way that is invisible to the end user as well as to some antivirus software.

Although this helps in safeguarding the integrity of the fingerprint data, the folder could also provide a hiding place to viruses and other malware.

A different division of Sony was caught in a rootkit scandal two years ago. Record label Sony BMG put rootkit technology on some of its music CDs at the time in an effort to prevent illegal file sharing.

F-Secure, together with software developer Mark Russinovich, outed the label for using the technology. Sony initially denied that it posed any security concerns, but was proved wrong when malware started exploiting the rootkit functionality.

The scandal led to a government investigation and several lawsuits, the majority of which have since been settled.

• Update note: This story was updated on Friday 31 August at 4:22pm PST after Sony provided additional information on the timing of, and the reason for, the discontinuation of the three Microvault products.
  
  The original story stated that Sony was unable to clarify when production was halted or whether the decision had any relation to the security concerns.