Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]

from the keeps-going-and-going-and-going dept

Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer’s part. The original post follows:

Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it’s not supposed to do…

Companies: energizer


Comments on “Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]”

45 Comments
lavi d (profile) says:

Re: Re: Who Owns Your Computer?

…you don’t need the proper drivers to draw energy from a usb port.

As a long time Linux user, I’ve never used the software that comes with USB devices – camera, printer, MP3 player.

I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.

Nice…

Anonymous Coward says:

I think it’s a case of the installer being infected, rather than intentionally put there by the company. It’s not that Energizer wants to use their charger software to control your computer, it’s that they’re completely incompetent and got infected in production. “Never attribute to malice that which can be adequately explained by stupidity.”

More interesting is that the malevolent DLL (Arucer.dll) is almost an anagram of “Duracell”

Brooks (profile) says:

Ugh. The Techdirt decline continues.

Ok, I can deal with the constant breathless outrage over the stupid things media companies do. And I can deal with the sometimes over-clever hindsightical analysis of PR blunders that lawyers and companies make.

But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.

But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?

That’s just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.

PaulT (profile) says:

Re: Ugh. The Techdirt decline continues.

Please explain. You said:

“But an intentionally nefarious move designed to mess with consumers?”

The article you’re responding to says (backed up by the linked article):

“This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer.”

How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?

sysadmn says:

Re: Re: Ugh. The Techdirt decline continues.

The “intentionally nefarious” refers to Energizer’s intentions. It doesn’t seem likely that they slipped the trojan dll into the package. Sure, they’re responsible, since they are distributing it, but there is a difference between negligence and “intentionally nefarious”.

RD says:

Re: Re: Re: Ugh. The Techdirt decline continues.

Sure, they’re responsible, since they are distributing it, but there is a difference between negligence and “intentionally nefarious”.

Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was “intentional” or not is irrelevant. It’s got a rootkit, it comes from Energizer itself, therefore it’s nefarious/unwanted/unneeded/bad. We can argue about how this happened, but it’s still Energizer’s FAULT from the point of view of the consumer.

Period.

Full stop.

End of line.

QED.

Brooks (profile) says:

Re: Re: Re:2 Ugh. The Techdirt decline continues.

Nobody but you is talking about FAULT. This entire post (read it again) is about intent, and Mike ascribes intentionality (“you would think legit companies would have learned”) where there is only negligence and clumsiness. It’s sloppy thinking at best, and more than a little dishonest.

Anonymous Coward says:

Re: Re: Re:4 Ugh. The Techdirt decline continues.

Where do we draw the line between, “it’s the employees” vs “it’s the corporation itself.” Isn’t the corporation composed of employees? I understand that sometimes employees do wrong things and that one shouldn’t always directly criminalize top management for the actions of employees (and it’s even worse to criminalize Google executives for the actions of their users), provided that management took reasonable steps to ensure malicious behavior isn’t a problem and didn’t contribute or encourage such behavior, but where do we draw the line between the corporation and its members? When the stock holders do something wrong? When the CEO? The CFO? When 5 percent of the corporation acts maliciously towards their customers? 10 percent? Where exactly?

Brooks (profile) says:

Re: Re: Ugh. The Techdirt decline continues.

As others have noted, while Energizer shipped the software, nobody thinks for a second that the inclusion of the rootkit was intentional or corporate policy. That’s in contrast to Sony and other DRM abuse cases which were clearly designed and implemented as policy.

The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?

rpk!! says:

Re: Ugh. The Techdirt decline continues.

Is accidental release of a rootkit that much better? I don’t see Energizer as an innocent bystander whether the release was intentional or not! Don’t they have some sort of obligation (if not moral, then an interest in not losing customers) to make sure their products are safe to use?

Anonymous Coward says:

Re: Re: Ugh. The Techdirt decline continues.

Finding malicious code isn’t as easy as many people would like to believe. If you’re building it yourself there are steps you can take (peer review, version control, etc) to minimize the chances of something slipping in, but this DLL was bought from someone else, which isn’t surprising considering that Energizer isn’t in the software business. And finding it afterwards is really hard — there’s a whole Industry built around doing just that. Energizer is responsible for alerting customers and removing the offending code (which they’ve done), but it’s hard to even fault them with negligence here.

Technopolitical (profile) says:

Re: Ugh. The Techdirt decline continues.

“But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?”

Not the point of Mike’s post as I see it.

The point as stated in the source article:
“I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location.”

That is the big deal.

interval says:

Re: Re:

The exploit is a trojan, this story first appeared on /.

You don’t need the software to use the recharger. I don’t really know much other than that; for an “informed opinion” I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said “Hey, why don’t we pop out this usb recharger, it will cost almost nothing to develop, and we can include it in all kinds of special projects, giveaways, promotions, etc.” The execs said “Sure, anything that promotes Energizer is good.” Then a salesman from a third party got involved with this “new project” from Energizer and said “Hey! We’d like to produce software for your new little dongle thingy there.” And the execs thought “USB == pc == software. We need software for this new product. Ok.” So the third party sniffed around E. Europe or Asia for anything they could quickly pack into the package because this particular dongle DOESN’T REQUIRE ANY. Doesn’t matter what the software does. All they needed to do was deliver “software” to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and voilà! Trojan delivery system.

Steve R. (profile) says:

Belkin - Bad

We had a Belkin UPS that went bad. The good news is that Belkin honored its warranty and replaced the unit. The BAD news, Belkin had modified the (new) UPS model so that you would have to use THEIR software instead of the regular windows power management software.

It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was “disabled”.

Chronno S. Trigger (profile) says:

I stumbled upon this the other day

I’ll probably never find the article again so you can choose to believe or disbelieve anything I say.

From what I read, the root kit wasn’t supposed to be there, it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it’s the full truth, if any at all.

Anonymous Coward says:

Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(

Energizer discontinued the device earlier this month. Still, it was introduced in 2007, and you have to think there may be a lot of vulnerable systems out there.

http://www.prnewswire.com/news-releases/energizer-announces-duo-charger-and-usb-charger-software-problem-86672072.html

I’m off to eBay…

SomeGuy (profile) says:

Disappointed

I have to say I’m really disappointed in this post, Mike, mostly because of the reference to the Sony Rootkit. With Sony, they intentionally placed software on their CDs to enforce DRM, and then hid it with a rootkit. Sony was fully aware of what they did and fully intended the software to function as it did. In Energizer’s case, they’ve been the victim of a disgruntled or rogue employee (or a shady company, I’m not clear on that detail) and were unknowingly saddled with malicious code. Whether that code was “necessary” to run the device or not (it wasn’t) is a moot point, Energizer is essentially innocent here, and is responsible only for alerting their customers and removing the offending code, which they’ve done.

There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.

Anonymous Coward says:

Re: Updated

…Now if we could get you to stop calling it a Rootkit just to create a catchy title and make the association with Sony.

It’s not a rootkit. Hell, the word “rootkit” doesn’t even appear on the page you linked to. It’s simply a Trojan.

Yes, there is a difference and it does matter. I guess it’s just not as easy to link Energizer with the Sony rootkit with an accurate title like “Energizer lets malware slip into its software”.

ECA (profile) says:

I looked at this device.

1. The program is supposed to tell you when the Batteries are charged.
2. That’s nothing, as it’s TIMED, not really a charge CONTROL program as you can’t Vary the voltage or check the battery.
3. GET A REAL SMART CHARGER, they are $30 at amazon from La Crosse Tech.
4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They can’t even tell you if the battery is ALREADY charged.
