Sony rootkit may lead to regulation

A U.S. Department of Homeland Security (DHS) official warned Thursday that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.

"We need to think about how that situation could have been avoided in the first place," said Jonathan Frenkel, director of law enforcement policy with the DHS's Border and Transportation Security Directorate, who was speaking at the RSA Conference 2006 in San Jose, California. "Legislation or regulation may not be appropriate in all cases, but it may be warranted in some circumstances."

Last year, Sony began distributing XCP (Extended Copy Protection) software in some of its products. This digital rights management software, which used rootkit cloaking techniques normally employed by hackers, was later found to be a security risk, and Sony was forced to recall millions of its CDs.

The incident quickly turned into a public relations disaster for Sony. It also attracted the attention of DHS officials, who met with Sony a few weeks after news of the rootkit was first published, Frenkel said. "The message was certainly delivered in forceful terms that this was certainly not a useful thing," he said of the meeting.

While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.

Though the DHS has no ability to implement the kind of regulation that Frenkel mentioned, the organization is attempting to increase industry awareness of the rootkit problem, he said. "All we can do is, in essence, talk to them and embarrass them a little bit."

In fact, this is not the first time that the department has expressed concerns over the security of copy protection software. In November, DHS assistant secretary for policy Stewart Baker warned copyright holders to be careful of how they protected their music and DVDs. "In the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days," Baker said, according to a video posted to the Washington Post Web site.

Despite the Sony experience, the entertainment industry's use of rootkits appears to be an ongoing problem. Earlier this week security vendor F-Secure reported that it had discovered rootkit technology in the copy protection system of the German DVD release of American film star Angelina Jolie's movie "Mr. and Mrs. Smith." That DVD is distributed in Germany by Kinowelt GmbH, according to the Internet Movie Database.

Baker stopped short of mentioning Sony by name, but Frenkel did not. "The recent Sony experience shows us that we need to be thinking about how to ensure that consumers aren't surprised by what their software is programmed to do," he said.

Sony BMG officials could not immediately be reached for comment Thursday.