Sony BMG Rootkit Scandal: 10 Years Later

Object lessons from the infamous 2005 Sony BMG rootkit security/privacy incident are many -- and Sony's still paying a price for its ham-handed DRM overreach today.

Members of the band Los Lonely Boys arrive at the Sony BMG Music Entertainment post-Grammy party in Hollywood, February 13, 2005.

Credit: REUTERS/Robert Galbraith
A warning pops up on a computer screen about the Sony BMG rootkit on a music CD.

Credit: Ben Edelman/Wikipedia

Hackers really have had their way with Sony over the past year, taking down its PlayStation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview, a comedy about a planned assassination of North Korea’s leader. Some say all this is karmic payback for what’s become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management.

“In a sense, it was the first thing Sony did that made hackers love to hate them,” says Bruce Schneier, CTO for incident response platform provider Resilient Systems in Cambridge, Mass. 

Mikko Hypponen, chief research officer at F-Secure, the Helsinki-based security company that was an early critic of Sony’s actions, adds:

“Because of stunts like the music rootkit and suing Playstation jailbreakers and emulator makers, Sony is an easy company to hate for many. I guess one lesson here is that you really don't want to make yourself a target.

“When protecting its own data, copyrights, money, margins and power, Sony does a great job. Customer data? Not so great,” says Hypponen, whose company tried to get Sony BMG to address the rootkit problem before word of the invasive software went public. “So, better safe than Sony.”

SONY BMG ROOTKIT REVISITED

The Sony BMG scandal unfolded in late 2005 after the company (now Sony Music Entertainment) secretly installed Extended Copy Protection (XCP) and MediaMax CD-3 software on millions of music discs to keep buyers from burning copies of the CDs via their computers and to inform Sony BMG about what these customers were up to. The software, which proved undetectable by anti-virus and anti-spyware programs, opened the door for other malware to infiltrate Windows PCs unseen as well.  (As if the buyers of CDs featuring music from the likes of Celine Dion and Ricky Martin weren’t already being punished enough.)

The Sony rootkit became something of a cultural phenomenon. It wound up as a punch line in comic strips like FoxTrot, it became a custom T-shirt logo, and it was even the subject of class skits shared on YouTube. Mac fanboys and fangirls smirked on the sidelines.

“In a sense, [the rootkit] was the first thing Sony did that made hackers love to hate them,” says Bruce Schneier, Resilient Systems CTO.

Credit: Wikimedia Commons

Security researcher Dan Kaminsky estimated that the Sony rootkit made its mark on hundreds of thousands of networks in dozens of countries – so this wasn’t just a consumer issue, but an enterprise network one as well. 

Once Winternals security researcher Mark Russinovich -- who has risen to CTO for Microsoft Azure after Microsoft snapped up Winternals in 2006 -- exposed the rootkit on Halloween of 2005, all hell broke loose.

Sony BMG botched its initial response: "Most people don't even know what a rootkit
