Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]
from the keeps-going-and-going-and-going dept
Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer's part. The original post follows:
Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it's not supposed to do...
Filed Under: rootkit, security, usb battery charger
Companies: energizer
Reader Comments
The fun part
[ link to this | view in chronology ]
Re: The fun part
[ link to this | view in chronology ]
Who Owns Your Computer?
As a long time Linux user, I've never used the software that comes with USB devices - camera, printer, MP3 player.
I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.
Nice...
[ link to this | view in chronology ]
Re: Who Owns Your Computer?
[ link to this | view in chronology ]
Re: The fun part
SANDBOXIE.COM
CHECK IT BEFORE YOU WRECK IT.
ROOTKIT SHMOOTKIT.
CBMHB
[ link to this | view in chronology ]
Re: Re: The fun part
[ link to this | view in chronology ]
More interesting is that the malevolent DLL (Arucer.dll) is almost an anagram of "Duracell"
[ link to this | view in chronology ]
Re:
"We also saw from the manufacturer’s website that the software is not distributed with the physical USB charger itself and instead it must be downloaded separately from the site"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
now think about rsa power cracking
[ link to this | view in chronology ]
I mean, WHY?
What the fuck is the point in this? Are companies full of damned idiots?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
"What the fuck is the point in this? Are companies full of damned idiots?"
The short answer? Yes.
[ link to this | view in chronology ]
Re: "full of idiots?"
Certainly there are a few bright, reliable, well-intentioned talented individuals who do good work repeatedly; but they are a definite minority.
[ link to this | view in chronology ]
Ugh. The Techdirt decline continues.
But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.
But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?
That's just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.
[ link to this | view in chronology ]
Re: Ugh. The Techdirt decline continues.
"But an intentionally nefarious move designed to mess with consumers?"
The article you're responding to says (backed up by the linked article):
"This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer."
How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?
[ link to this | view in chronology ]
Re: Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Re: Re: Ugh. The Techdirt decline continues.
Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was "intentional" or not is irrelevant. It's got a rootkit, it comes from Energizer itself, therefore it's nefarious/unwanted/unneeded/bad. We can argue about how this happened, but it's still Energizer's FAULT from the point of view of the consumer.
Period.
Full stop.
End of line.
QED.
[ link to this | view in chronology ]
Re: Re: Re: Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Re: Ugh. The Techdirt decline continues.
The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?
[ link to this | view in chronology ]
Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Re: Ugh. The Techdirt decline continues.
[ link to this | view in chronology ]
Re: Ugh. The Techdirt decline continues.
Not the point of Mike's post as I see it.
The point as stated in the source article:
"I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."
That is the big deal.
[ link to this | view in chronology ]
Re:
You don't need the software to use the recharger. I don't really know much other than that; for an "informed opinion" I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said "Hey, why don't we pop out this USB recharger, it will cost almost nothing to develop, and we can include it in all kinds of special projects, giveaways, promotions, etc." The execs said "Sure, anything that promotes Energizer is good." Then a salesman from a third party got involved with this "new project" from Energizer and said "Hey! We'd like to produce software for your new little dongle thingy there." And the execs thought "USB == pc == software. We need software for this new product. Ok." So the third party sniffed around E. Europe or Asia for anything they could quickly pack into the package because this particular dongle DOESN'T REQUIRE ANY. Doesn't matter what the software does. All they needed to do was deliver "software" to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and voilà! Trojan delivery system.
[ link to this | view in chronology ]
Belkin - Bad
It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was "disabled".
[ link to this | view in chronology ]
I stumbled upon this the other day
From what I read, the rootkit wasn't supposed to be there, it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it's the full truth, if any at all.
[ link to this | view in chronology ]
Mike are you reading???.....
Not to say Energizer isn't a cluster fuck of a company, for letting this out. But shit happens....
[ link to this | view in chronology ]
Not intentional
http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle&ID=1399675&highlight=
http://consumerist.com/2010/03/energizer-duo-exploit.html
[ link to this | view in chronology ]
Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(
http://www.prnewswire.com/news-releases/energizer-announces-duo-charger-and-usb-charger-software-problem-86672072.html
I'm off to eBay...
[ link to this | view in chronology ]
Disappointed
There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.
[ link to this | view in chronology ]
Updated
[ link to this | view in chronology ]
Re: Updated
It's not a rootkit. Hell, the word "rootkit" doesn't even appear on the page you linked to. It's simply a Trojan.
Yes, there is a difference and it does matter. I guess it's just not as easy to link Energizer with the Sony rootkit with an accurate title like "Energizer lets malware slip into its software".
[ link to this | view in chronology ]
Re: Updated
Also very misleading.
[ link to this | view in chronology ]
I looked at this device.
2. That's nothing, as it's TIMED, not really a charge CONTROL program as you can't vary the voltage or check the battery.
3. GET A REAL SMART CHARGER, they are $30 at amazon from La Crosse Tech..
4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They can't even tell you if the battery is ALREADY charged.
[ link to this | view in chronology ]
Re: I looked at this device.
[ link to this | view in chronology ]
Ultimate responsibility
[ link to this | view in chronology ]