Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]

from the keeps-going-and-going-and-going dept

Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer’s part. The original post follows: Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it’s not supposed to do…

Filed Under: , ,
Companies: energizer

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]”

Subscribe: RSS Leave a comment
lavi d (profile) says:

Re: Re: Who Owns Your Computer?

…you don’t need the proper drivers to draw energy from a usb port.

As a long time Linux user, I’ve never used the software that comes with USB devices – camera, printer, MP3 player.

I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.


Anonymous Coward says:

I think it’s a case of the installer being infected, rather than intentionally put there by the company. It’s not that Energizer wants to use their charger software to control your computer, it’s that they’re completely incompetent and got infected in production. “Never attribute to malice that which can be adequately explained by stupidity.”

More interesting, is the malevolent DLL (Arucer.dll) is almost an anagram of “Duracell”

Brooks (profile) says:

Ugh. The Techdirt decline continues.

Ok, I can deal with the constant breathless outrage over the stupid things media companies do. And I can deal with the sometimes over-clever hindsightical analysis of PR blunders that lawyers and companies make.

But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.

But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?

That’s just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.

PaulT (profile) says:

Re: Ugh. The Techdirt decline continues.

Please explain. You said:

“But an intentionally nefarious move designed to mess with consumers?”

The article you’re responding to says (backed up by the linked article):

“This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer.”

How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?

sysadmn says:

Re: Re: Ugh. The Techdirt decline continues.

The “intentionally nefarious” refers to Energizer’s intentions. It doesn’t seem likely that they slipped the trojan dll into the package. Sure, they’re responsible, since they are distributing it, but there is a difference between negligence and “intentionally nefarious”.

RD says:

Re: Re: Re: Ugh. The Techdirt decline continues.

Sure, they’re responsible, since they are distributing it, but there is a difference between negligence and “intentionally nefarious”.

Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was “intentional” or not is irrelevant. Its got a rootkit, it comes from Energizer itself, therefore its nefarious/unwanted/unneeded/bad. We can argue about how this happened, but its still Energizers FAULT from the point of view of the consumer.


Full stop.

End of line.


Brooks (profile) says:

Re: Re: Re:2 Ugh. The Techdirt decline continues.

Nobody but you is talking about FAULT. This entire post (read it again) is about intent, and Mike ascribes intentionality (“you would think legit companies would have learned”) where there is only negligence and clumsiness. It’s sloppy thinking at best, and more than a little dishonest.

Anonymous Coward says:

Re: Re: Re:4 Ugh. The Techdirt decline continues.

Where do we draw the line between, “it’s the employees” vs “it’s the corporation itself.” Isn’t the corporation composed of employees? I understand that sometimes employees do wrong things and that one shouldn’t always directly criminalize top management for the actions of employees (and it’s even worse to criminalize Google executives for the actions of their users), provided that management took reasonable steps to ensure malicious behavior isn’t a problem and didn’t contribute or encourage such behavior, but where do we draw the line between the corporation and its members? When the stock holders do something wrong? When the CEO? The CFO? When 5 percent of the corporation makes act maliciously towards their customers? 10 percent? Where exactly?

Brooks (profile) says:

Re: Re: Ugh. The Techdirt decline continues.

As others have noted, while Energizer shipped the software, nobody thinks for a second that the inclusion of the rootkit was intentional or corporate policy. That’s in contrast to Sony and other DRM abuse cases which were clearly designed and implemented as policy.

The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?

rpk!! says:

Re: Ugh. The Techdirt decline continues.

Is accidental release of a rootkit that much better? I don’t enegizer as an innocent bystander whether the release was intentional or not! Don’t they have some sort of obligation (if not moral, then an interest in not losing customers) to make sure their products are safe to use?

Anonymous Coward says:

Re: Re: Ugh. The Techdirt decline continues.

Finding malicious code isn’t as easy as many people would like to believe. If you’re building it yourself there are steps you can take (peer review, version control, etc) to minimize the chances of something slipping in, but this DLL was bought from someone else, which isn’t surprising considering that Energizer isn’t in the software business. And finding it afterwards is really hard — there’s a whole Industry built around doing just that. Energizer is responsible for alerting customers and removing the offending code (which they’ve done), but it’s hard to even fault them with negligence here.

Technopolitical (profile) says:

Re: Ugh. The Techdirt decline continues.

“But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?”

Not the point of Mike’s post as i see it .

The point as stated in the source article:
“I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location.”

That is the big deal.

interval says:

Re: Re:

The exploit is a trojan, this story first appeared on /.

You don’t need the software to use the recharger. I don’t really know much other than that; for an “informed opinion” I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said “Hey, why don’t pop out this usb recharger, it will cost almost nothing to develop, and we can include in all kinds of special projects, giveaways, promotions, etc.” The execs said “Sure, anything that promotes Energizer is good.” Then a sales man from a third party got involved with this “new project” from Energizer and said “Hey! We’d like to produce software for your new little dongle thingy there.” And the execs thought “USB == pc == software. We need software for this new product. Ok.” So the third part sniffed around E. Europe or Asia for anything they could quickly pack into the package because this particular dongle DOESN’T REQUIRE ANY. Doesn’t matter what the software does. All they needed to do was deilver “software” to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and viola! Trojan delivery system.

Steve R. (profile) says:

Belkin - Bad

We had a Belkin UPS that went bad. The good news is that Belkin honored its warranty and replaced the unit. The BAD news, Belkin had modified the (new) UPS model so that you would have to use THEIR software instead of the regular windows power management software.

It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was “disabled”.

Chronno S. Trigger (profile) says:

I stumbled upon this the other day

I’ll probably never find the article again so you can chose to believe or disbelieve anything I say.

From what I read, the root kit wasn’t suppose to be there, it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it’s the full truth, if any at all.

Anonymous Coward says:

Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(

Energizer discontinued the device earlier this month. Still, it was introduced in 2007, and you have to think there may be a lot of vulnerable systems out there.


I’m off to eBay…

SomeGuy (profile) says:


I have to say I’m really disappointed in this post, Mike, mostly because of the reference to the Sony Rootkit. With Sony, they intentionally placed software on their CDs to enforce DRM, and then hid it with a rootkit. Sony was fully aware of what they did and fully intended the software to function as it did. In Energizer’s case, they’ve been the victim of a disgruntled or rogue employee (or a shady company, I’m not clear on that detail) and were unknowingly saddled with malicious code. Whether that code was “necessary” to run the device or not (it wasn’t) is a moot point, Energizer is essentially innocent here, and is responsible only for alerting their customers and removing the offending code, which they’ve done.

There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.

Anonymous Coward says:

Re: Updated

…Now if we could get you to stop calling it a Rootkit just to create a catchy title and make the association with Sony.

It’s not a rootkit. Hell, the word “rootkit” doesn’t even appear on the page you linked to. It’s simply a Trojan.

Yes, there is a difference and it does matter. I guess it’s just not as easy to link Energizer with the Sony rootkit with an accurate title like “Energizer lets malware slip into its software”.

ECA (profile) says:

I looked at this device.

1. the program is supposed to tell you when the Batteries are charged.
2. Thats nothing, as its TIMED, not really a charge CONTROL program as you cant Vary the voltage or check tha battery.
3. GET A REAL SMART CHARGER, they are $30 at amazon from La Crosse Tech..
4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They cant even tell you if the battery is ALREADY charged.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...