Energizer USB Battery Charger Taken Off Market For Security Vulnerability - HotHardware

Energizer has discontinued the sale of its Duo Charger/USB Charger due to a vulnerability in the Windows-based software that was supposed to be downloaded to support it.

The devices allowed users to charge nickel metal hydride batteries from either a wall socket or a USB connection. The documentation with the charger suggested users download software from www.energizer.com/usbcharger (the page has since been taken down). The software allowed the user to view the charging status from a computer.

Code containing a backdoor that allows unauthorized remote system access was inserted in the software (Windows version only). Simply removing the software won't completely remove the vulnerability, either: a file, Arucer.dll, may be left behind in the Windows system32 directory. The CERT Coordination Center said the file won't be executable once the software is removed, but suggested removing the file anyway.



Windows XP SP2 and later systems have a firewall that would alert the user, the first time the software was used, that the app was requesting permission to run. If the user did not grant permission for Arucer.dll to run, the system would have remained safe from the vulnerability.

The CERT warning gave directions on how to block or restrict network access, as well.
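A check for the two indicators this page gives, as an added example that is not from the article or from CERT: the leftover Arucer.dll and a listener on TCP 7777 (the port named in a reader comment on this page). It assumes Windows 8 or later for the Get-NetTCPConnection and New-NetFirewallRule cmdlets, and looking in SysWOW64 as well as system32 is an assumption added here.

```powershell
# Added example, not from the article or CERT. Run from an elevated PowerShell.
# From the page: Arucer.dll, the system32 directory, TCP port 7777 (reader comment).
# Assumption: SysWOW64 is also checked, because 64-bit Windows redirects a
# 32-bit installer's system32 writes there.

function Find-ArucerDll {
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:SystemRoot (Join-Path $dir 'Arucer.dll')
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force   # -Force: include hidden files
            [pscustomobject]@{
                Path     = $file.FullName
                Bytes    = $file.Length
                Modified = $file.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-Port7777Listener {
    # Other software also uses 7777, so report the owning process for review.
    Get-NetTCPConnection -State Listen -LocalPort 7777 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address   = $_.LocalAddress
                ProcessId = $_.OwningProcess
                Process   = $proc.ProcessName
                Image     = $proc.Path
            }
        }
}

$dlls      = @(Find-ArucerDll)
$listeners = @(Find-Port7777Listener)

if ($dlls.Count -gt 0) { $dlls | Format-List } else { 'Arucer.dll not found.' }
if ($listeners.Count -gt 0) { $listeners | Format-Table -AutoSize }
else { 'Nothing is listening on TCP 7777.' }

# Remediation matching the article: delete the leftover file and block the port.
# -WhatIf only previews each change; remove it to apply.
$dlls | ForEach-Object { Remove-Item -LiteralPath $_.Path -WhatIf }
New-NetFirewallRule -DisplayName 'Block inbound TCP 7777' -Direction Inbound `
    -Protocol TCP -LocalPort 7777 -Action Block -WhatIf
```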

Sheesh. A battery charger that's a security risk. What a world.

And of course, since UAC has us trained to click "Allow" every time its dialog box comes up, most people probably didn't think twice about allowing yet another unfamiliar part of Windows to access the Internet. I'd honestly have to say that I'd have clicked "Allow."


rofl very true when our battery chargers are security vulnerabilities what do we do. Of course I have never used a USB battery charger or even considered it, although on Sarah's and Amber's phone it is an option to plug them into USB to charge them. It only works with that cell phone (ENV3) specifically though.


Clem: No kidding. Why the heck does the thing even require a driver in the first place? It should be able to pull power from the USB socket without having any sort of software on the machine.


:D Joel, it's for the status when it's like 50%, 10% I guess.

I don't get how they had a backdoor to something so simple as to tell the status from a USB device... :D

@clem I would have pressed allow too :) I do so for all big companies that's been around for a while :D


Arucer.dll = r.duracell ? hehe


Good anagram there, 3vi1!


^^^^^ 3vi1.. :P :D

Would it not be a lot simpler to have an LED indicator on the USB device itself, like those Dell & Duracell batteries having an indicator?


That's not really Plug&Play-Nice? Is it?

Just imagine when we have 5GBps internet, the world can attack faster than you can blink!


So what's the origin of this software? Did someone writing code at the company do this intentionally? Did they 'cut and paste' (not unheard of in this day and age) some code that they found on the internet and modify it for their device's use?

Is there any record of this exploit being used by anybody? Does the exploit 'phone home' to announce its availability?

I'd like to know more about this.


The USB ports make sense to me as chargers because they're everywhere. The new USB 3 ones will be way more efficient, and backwards compatible by default with USB 2. The charging pad thing is not really making sense to me though.

Why would as a charger which I have to plug into the wall and lay something on to charge it. This is instead of, of course, just plugging it into the wall with the included charging cord lol.

I also don't get the driver thing either. If I plug something into a USB port the computer recognizes it, and while it may ask me for a confirmation or which path I want to take with it. It in general needs no extra drivers unless it is an active device such as a mouse, cam, keyboard etc.

So having to have a driver for a charger seems stupid to me. Not to mention Sarah and Amber's Env3 have USB charging capability by default. You just plug them in and they charge, nothing needed.


It is not really a driver but a software application that gives a time remaining to full charge status on the batteries while they charge. I ran across this because I was looking for the app download. Now it is not available. Shame... it was nice to have and the hack can be defeated by simply blocking port 7777.

Here's a picture of the computer display:

http://cfgt.net/blog/wp-content/uploads/2008/05/usbcharger_app.jpg

But the charger still works fine without the software (it also can simply be plugged into the wall with the adapter provided) because it has an LED that flashes when the batteries are charging and goes solid once fully charged.

Just wish I had saved the download...
