
Energizer Duo charger security exploit discovered
(Sunday, March 7, 2010 - 23:33 EST)

Energizer Holdings Inc. and the Department of Homeland Security's United States Computer Emergency Readiness Team have jointly announced the discovery of a security exploit in the company's Duo charger software distribution.

According to US-CERT, the application - which provides an indication of battery charge level on an attached PC - includes a backdoor that listens for incoming connections on TCP port 7777. Once connected, a remote computer can access files and directories or execute programs without the local user's knowledge or authorization. While the battery status software wasn't included in the product bundle, it was offered for free download from the company's website, as referenced by the product manual.

Energizer states that it has now withdrawn the charger from sale, and removed the software download from its website. The company goes on to note that the exploit exists only in the Microsoft Windows-compatible version, which it is directing consumers to remove from their computers. At the current time there is no warning on the front page of the Energizer site, however, and with the product page having been removed entirely, the only public notice is to be found in a press release located in the company's media center.

It is important to note that simply using the software's uninstaller function may not be enough to secure a system from attack. Both CERT and Energizer are recommending customers subsequently check for the presence of a file named Arucer.dll in the windows/system32 directory after uninstalling the application. Until this file is removed, unauthorized access is still possible.
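The post-uninstall check described above can be scripted. The following PowerShell is an added example, not code from US-CERT or Energizer; it uses only the two indicators named in this article (the file name Arucer.dll and TCP port 7777) and assumes a Windows version that provides Get-NetTCPConnection and Get-FileHash. Searching SysWOW64 as well as System32 is an assumption made here to cover 64-bit Windows.

```powershell
# Added example: look for the leftover backdoor DLL and for a listener on its port.
$dllName = 'Arucer.dll'   # file name given in the article
$port    = 7777           # TCP port given in the article

# 1. Leftover DLL on disk. SysWOW64 is included as an assumption for 64-bit Windows.
$dirs = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot $_ } |
    Where-Object { Test-Path -LiteralPath $_ }

$leftovers = @(foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -Filter $dllName -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Size          = $_.Length
                LastWriteTime = $_.LastWriteTime
                # Hash is recorded for the incident notes, not compared to a known value
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
})

# 2. Anything listening on the port, with the owning process.
#    Other software can use 7777, so a listener alone calls for review, not a verdict.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
            ProcessPath  = $proc.Path   # may be empty without administrator rights
        }
    })

# 3. One summary object per machine, suitable for collecting across hosts.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    LeftoverDll       = $leftovers
    Port7777Listeners = $listeners
    NeedsAttention    = ($leftovers.Count -gt 0) -or ($listeners.Count -gt 0)
}
```

Run it from an elevated prompt so the owning process of any listener can be resolved; a machine is clean by this article's criteria only when the file is absent after the uninstall.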

The Energizer Duo Charger carries model number CHUSB, and first shipped in April 2007 with a $14 price tag, inclusive of two 900mAh AA NiMH batteries. The charger does continue to function without the software installed, and includes a status light to indicate when charging is completed. There isn't a way to confirm current charge level without the software installed, however. Energizer has not yet stated if it intends to return full functionality for Windows users, which would require that the company release a patched version of the battery status monitor application with the exploit removed.


Energizer's Duo battery charger, which has been withdrawn from sale.
Photo provided by Energizer Holdings Inc.

Original Source Press Release:

Energizer Announces Duo Charger and USB Charger Software Problem

ST. LOUIS, March 5, 2010 /PRNewswire via COMTEX/ -- Energizer has been informed by the CERT Coordination Center (CERT) that the Windows software that was referenced and made available via a download with its Duo Charger, Model CHUSB, contains a vulnerability. Energizer introduced the Duo Charger in the United States and the USB Charger in Latin America, Europe and Asia in 2007. Both products charge Nickel Metal Hydride batteries from both a wall outlet and a USB connection. The product included a feature that would allow the user to view the battery charging status on a computer if associated software was installed. The Duo Charger product documentation referenced www.energizer.com/usbcharger to download the software. The site offered downloadable software in both Windows and Apple(R) versions; however only the Windows version contained the vulnerability.

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer. This will eliminate the vulnerability. In addition CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Energizer Holdings, Inc. (NYSE: ENR), www.energizer.com, headquartered in St. Louis, Missouri, is one of the world's largest manufacturers of primary batteries, battery-powered devices and flashlights. Energizer, a global leader in the dynamic business of providing portable power geared toward the new digital age, offers a full portfolio of products including the Energizer(R) MAX(R) premium alkaline brand; Energizer(R) Ultimate Lithium; Energizer(R) Advanced Lithium and Nickel Metal Hydride (NiMH) Rechargeable batteries and chargers; and miniatures brand batteries.

The Energizer product line also includes specialty batteries for hearing aids and medical devices, as well as for keyless remote entry systems, toys and other uses. Through its flashlight unit, Energizer brings innovation to this important household device. Energizer continues its role as a technology leader with Energizer(R) Energi To Go(R), a portable battery-driven power pack for cell phones.

Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
Apple is a trademark of Apple Inc., registered in the U.S. and other countries.
SOURCE Energizer Holdings, Inc.


The battery status application for the Duo charger.
Photo provided by Energizer Holdings Inc.
