Energizer USB Battery Charger Taken Off Market For Security Vulnerability


News Posted: Mon, Mar 8 2010 4:51 PM
Energizer has discontinued the sale of its Duo Charger/USB Charger due to a vulnerability in the Windows-based software that was supposed to be downloaded to support it.

The devices allowed users to charge nickel metal hydride batteries from either a wall socket or a USB connection. The documentation with the charger suggested users download software from www.energizer.com/usbcharger (the page has since been taken down). The software allowed the user to view the charging status from a computer.

A code was inserted in the software - Windows version only - that contained a backdoor allowing unauthorized remote system access. Simply removing the software won't completely remove the vulnerability, either. A file, Arucer.dll, may be left behind and can be found in the Windows system32 directory. The CERT Coordination Center said the file won't be executable once the software is removed, but suggested removing the file anyway.



Windows XP SP2 and later systems have a firewall that would alert the user the first time the software is used that the app was requesting permission to run. If the user did not grant permission for Arucer.dll to run, the system would have remained safe from the vulnerability.

The CERT warning gave directions on how to block or restrict network access, as well.
  • | Post Points: 155

Sheesh. A battery charger that's a security risk. What a world.

And of course, since UAC has us trained to click "Allow" every time its dialog box comes up, most people probably didn't think twice about allowing yet another unfamiliar part of Windows to access the Internet. I'd honestly have to say that I'd have clicked "Allow."


"I didn't cry when Bambi's mother was shot... but I cried when HAL was turned off."

  • | Post Points: 5
rapid1 replied on Mon, Mar 8 2010 6:18 PM

Rofl, very true. When our battery chargers are security vulnerabilities, what do we do? Of course I have never used a USB battery charger or even considered it, although on Sarah's and Amber's phone it is an option to plug them into USB to charge them. It only works with that cell phone (ENV3) specifically though.

OS:Win 7 Ultimate 64-bit
MB:ASUS Z87C
CPU:Intel(R) Core(TM) i7 4770 ***
GPU:Geforce GTX 770 4GB
Mem:***ingston 16384MB RAM
  • | Post Points: 5
JoelB replied on Mon, Mar 8 2010 6:18 PM

Clem: No kidding. Why the heck does the thing even require a driver in the first place? It should be able to pull power from the USB socket without having any sort of software on the machine.

  • | Post Points: 5

:D Joel, it's for the status, when it's like 50%, 10% I guess.

I don't get how they had a backdoor to something so simple as to tell the status from a USB device... :D

@clem I would have pressed allowed too; I do so for all big companies that have been around for a while :D

  • | Post Points: 5
3vi1 replied on Mon, Mar 8 2010 10:13 PM

Arucer.dll = r.duracell ? hehe

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 20
Xylem replied on Mon, Mar 8 2010 11:24 PM

^^^^^ 3vi1..

Would it not be a lot simpler to have an LED indicator on the USB device itself, like those Dell & Duracell batteries having an indicator?

Travel Rig |Acer Aspire One - ZG5 Mods so far |Toshiba MK4009GAL 40GB.4 - port USB HUB with BT, Touchscreen & GPS. 1GB RAM upgrade. | 

Main Rig |Core 2 Quad Q6600(3.2GHz), 2x2GB OCZ Reaper 800 MHz RAM, 19" AOC 913FW, 2 x 500GB WD HDD & 2 x 1TB WD Green, nVIDIA 8600GT 1GB

Suzuki Swift GTi | 2008 Version | Lots of mods in pipeline.

  • | Post Points: 5

That's not really Plug&Play-Nice? Is it?

Just imagine when we have 5GBps internet, the world can attack faster than you can blink!

Intel Core i7-875K Quad
Asetek 510LC 120MM
4GB Kingston Hyper-X DDR-3
ASUS P7P55D-E Pro
CyberPower 800 PSU
Kingston 64GB SSD 
2 Hitachi 1-TB HDD'S
FirePro V8800
8X Blu-Ray DVD±R/±RW
HPw2207 22" LCD
Cintiq 21UX
CoolerMaster 690II Advance
Win 7 Pro 64 bit
Special thanks to HotHardware.com!
  • | Post Points: 5
ClemSnide replied on Tue, Mar 9 2010 10:54 AM

Good anagram there, 3vi1!



  • | Post Points: 5
realneil replied on Tue, Mar 9 2010 11:40 AM

So what's the origin of this software? Did someone writing code at the company do this intentionally? Did they 'cut and paste' (not unheard of in this day and age) some code that they found on the internet and modify it for their device's use?

Is there any record of this exploit being used by anybody? Does the exploit 'phone home' to announce its availability?

I'd like to know more about this.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

  • | Post Points: 5
rapid1 replied on Tue, Mar 9 2010 1:22 PM

The USB ports make sense to me as chargers because they're everywhere. The new USB 3 ones will be way more efficient, and backwards compatible by default with USB 2. The charging pad thing is not really making sense to me though.

Why would as a charger which I have to plug into the wall and lay something on to charge it. This is instead of in course just plugging it into the wall with the included charging cord lol.

I also don't get the driver thing either. If I plug something into a USB port the computer recognizes it, and while it may ask me for a confirmation or which path I want to take with it, it in general needs no extra drivers unless it is an active device such as a mouse, cam, keyboard etc.

So having to have a driver for a charger seems stupid to me. Not to mention Sarah and Amber's Env3 have USB charging capability by default. You just plug them in and they charge, nothing needed.

  • | Post Points: 5

It is not really a driver but a software application that gives a time-remaining-to-full-charge status on the batteries while they charge. I ran across this because I was looking for the app download. Now it is not available. Shame... it was nice to have and the hack can be defeated by simply blocking port 7777.

Here's a picture of the computer display:

http://cfgt.net/blog/wp-content/uploads/2008/05/usbcharger_app.jpg

But the charger still works fine without the software (it also can simply be plugged into the wall with the adapter provided) because it has an LED that flashes when the batteries are charging and goes solid once fully charged.

Just wish I had saved the download...

  • | Post Points: 5
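
An added example, not part of the thread and not Energizer or CERT tooling: a Python check for the two indicators named on this page, a leftover Arucer.dll in the Windows system32 directory and a TCP listener on port 7777. The function names are illustrative, the netstat sample is constructed, and the parser assumes English-language `netstat -ano` output.

```python
import os
import re
import subprocess

BACKDOOR_DLL = "arucer.dll"   # file name from the article, compared case-insensitively
BACKDOOR_PORT = 7777          # port named in the last reply above

def leftover_dll(system32):
    """Return the full path of a leftover Arucer.dll in system32, or None."""
    try:
        names = os.listdir(system32)
    except OSError:
        return None
    for name in names:
        if name.lower() == BACKDOOR_DLL:
            return os.path.join(system32, name)
    return None

# One `netstat -ano` TCP row: proto, local addr:port, remote addr, state, PID
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def listeners_on_port(netstat_text, port=BACKDOOR_PORT):
    """Return [(local_address, pid)] for TCP sockets listening on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3420
  TCP    192.168.1.20:49712     203.0.113.5:7777       ESTABLISHED     5108
  TCP    [::]:17777             [::]:0                 LISTENING       2044
  UDP    0.0.0.0:7777           *:*                                    1180
"""

if __name__ == "__main__":
    if os.name == "nt":
        sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        sys32, text = ".", SAMPLE_NETSTAT
    print("leftover DLL:", leftover_dll(sys32))
    print("listeners on 7777:", listeners_on_port(text))
```

Only a local listener on exactly port 7777 is reported; the outbound connection to a remote port 7777, the UDP socket and the listener on 17777 in the sample are ignored.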