A US government official has warned software distributors that a repeat of the Sony rootkit incident could lead to legislation.
"We need to think about how that situation could have been avoided in the first place," said Jonathan Frenkel, director of law enforcement policy with the Departmemt of Homeland Security (DHS)'s Border and Transportation Security Directorate. "Legislation or regulation may not be appropriate in all cases, but it may be warranted in some circumstances."
Last year, Sony began distributing XCP (Extended Copy Protection) software in some of its products. This digital rights management software, which used rootkit cloaking techniques normally employed by hackers, was later found to be a security risk, and Sony was forced to recall millions of its CDs.
The incident quickly turned into a public relations disaster for Sony. It also attracted the attention of DHS officials, who met with Sony a few weeks after news of the rootkit was first published, Frenkel said. "The message was certainly delivered in forceful terms that this was certainly not a useful thing," he said of the meeting.
While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.
Though the DHS has no ability to implement the kind of regulation that Frenkel mentioned, the organisation is attempting to increase industry awareness of the rootkit problem, he said. "All we can do is, in essence, talk to them and embarrass them a little bit."
In fact, this is not the first time that the department has expressed concerns over the security of copy protection software. In November, DHS assistant secretary for policy Stewart Baker warned copyright holders to be careful of how they protected their music and DVDs. "In the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days," Baker said, according to a video posted to the Washington Post website.
Despite the Sony experience, the entertainment industry's use of rootkits appears to be an ongoing problem. Earlier this week security vendor F-Secure reported that it had discovered rootkit technology in the copy protection system of the German DVD release of American film star Angelina Jolie's movie "Mr. and Mrs. Smith."
Baker stopped short of mentioning Sony by name, but Frenkel did not. "The recent Sony experience shows us that we need to be thinking about how to ensure that consumers aren't surprised by what their software is programmed to do," he said.