

Energizer battery charger contains backdoor - raptrex
http://blogs.zdnet.com/security/?p=5602&tag=wrapper;col1

======
vog
The real security nightmare here is the requirement to install _extra
software_ just to use a _plain battery charger_.

I'm still wondering how many commodity devices come with a "driver CD". In the
last 5-10 years I never needed any of them, as the devices were already fully
supported on my Debian system. And I'm sure that is the case for MacOS and
Windows, too.

The only interesting part of such a CD is the online manual, which is
hopefully available as PDF and doesn't require any special software to read
it.

~~~
shpxnvz
And, in my personal experience, in every case (excepting video cards) where
I've had a choice between native OS support and a vendor provided driver, the
vendor software is far worse - buggy, ugly, obtrusive, and usually stuffed
with multiple "value-added" programs I don't want.

~~~
Zak
I've had that experience with video cards too, on Linux with an ATI FireGL
v5200:

Built-in (open-source) driver: not great performance, but usable.

ATI driver: suspend/resume broken, frequent lockups requiring anything from
connecting via SSH from another machine and killing the process to a hard
reboot, and finally discontinuation of driver support about a year after the
card was off the market (just in time for a version of X requiring new
drivers).

I have a new laptop equipped with a FireGL v5700. Last I checked, the open-
source drivers didn't provide 3D acceleration, so I suppose ATI's driver is
better despite still having the above-mentioned issues.

------
olalonde
I really wonder how the backdoor got there in the first place.

~~~
kjhgfvbhn
The only machine in the factory in the cheap third world country with a CD
burner was also the only one connected to the internet - so was the one that
the techies browsed porn on and so was infected with everything.

ps. if you think this is unlikely - take a look at the crap on your
CEO/CFO/salesman's laptops sometime.

~~~
ShabbyDoo
Unlikely given the Symantec analysis. The DLL which listens on 7777 had a
specific reference to the Energizer USB device. So, if it was a 3rd party
attack, it would have to be an extremely targeted one.

------
sh1mmer
How does code like that get in a system from a major corporation?

Is this an outsourcing/supplier issue, or something related to Energizer's own
staff?

~~~
kaitnieks
My guess is that whoever made the installer had his computer infected. Not all
companies have strict rules about what can be on the computer (or developers
choose to not follow them and find ways around their enforcements) and this
can be one of the downsides. I can't guess whether they virus-scanned the
installation or not because it's quite possible that the trojan was new and
not being picked up by scanner when they released the charger.

~~~
kaitnieks
Ok, I found this analysis by Symantec which makes the whole thing less naive
than I originally thought:
[http://www.symantec.com/connect/fr/blogs/trojan-found-usb-ba...](http://www.symantec.com/connect/fr/blogs/trojan-found-usb-battery-charger-software)

~~~
sh1mmer
They indicate a Liu Hong seems to have authored the install package. No
indication if he was an Energizer employee or not.

------
motters
The tale of how this backdoor got into a battery charging product is going to
be interesting to hear.

------
tewks
This is a fairly important issue seeing as everyone is pushing towards USB-
only charging. There are even USB charging ports on airplanes now.

Plugging in your device, with the intent of charging, shouldn't implicitly
grant the host the right to install software or access files on the guest.

The USB protocol doesn't seem properly designed for this use case: I should be
able to plug in to charge without having to worry about security holes.

~~~
panic
This isn't an issue with the USB protocol. The software has to be installed
manually, and should not even have been included (why do you need special
software to charge batteries?)

~~~
tewks
There is still a remaining issue with plugging in devices, especially cameras
and phones, where the charger has the opportunity to inappropriately, given
the context, access the filesystem: software can maliciously be installed as a
result.

When wanting to charge a camera on an airplane, for instance, the user
shouldn't be left to guess if his photos are going to be copied off the
device.

~~~
noonespecial
You can easily solve this problem by getting a usb cable without data wires. A
few things I have came with these included with the charger. It pissed me off
at first because they look like regular usb cables and I tried to hook up a
disk drive. I marked them with a big X but soon realized how handy they could
be when I wanted to charge a media player from a laptop I knew had some
issues.

I've done surgery with a razor and some good shrink tube twice now to make
more of these little gems.

Smarter devices like my Palm Pre actually ask if you want to let the host
connect to them or just take power.

~~~
Kliment
If I understand the USB spec right, getting more than 100mA of power requires
a negotiation with the host, thus data wires. There might be a market for a
USB data blocker, a device that negotiates the 500mA output with the host and
with the guest but does not pass through any data.

~~~
idm
USB data blocker - totally awesome idea. It could double as a protocol sniffer
if it had a buffer.

~~~
Kliment
See, a blocker and a sniffer would have almost entirely opposite functions.
Both are cool devices that could be built from essentially the same hardware,
so you do have a point there, but I wouldn't combine the two. Too easy to end
up doing the wrong thing and compromising your data.

------
marltod
I don't understand why you would plug a battery charger into a USB port? How
many people don't have an extra power plug, but do have a laptop that they are
going to let run for hours to charge their AA batteries.

~~~
lutorm
If you are on the move it can be quite handy. Instead of dragging N wall warts
with you (esp. if you're traveling internationally, as the cheap ones often
are 110V only), you just use your laptop as a universal power adapter.

But that's one thing. To get _power_ out of a usb port, you don't need to
install any software. And that's what blows my mind, why would you even want
to install some software to run a battery charger??

~~~
cryptnoob

        To get power out of a usb port, you don't need to install 
        any software. And that's what blows my mind, why would 
        you even want to install some software to run a battery 
        charger??
    

You are right. The 5V and GND are right there. You don't need to enumerate the
device at all. Just tap the power and be on your way. A lot of cheap products
do that.

However, there are two reasons that you shouldn't do that, and why you need
your device to actually enumerate itself on the user's system.

The important reason is to ensure that the 500mA you think you have coming to
you is actually delivered. Technically, a motherboard can choose to assume
you are broken, and disable the USB port, if you draw more than 100mA and
haven't identified yourself as a high current device. Almost nobody actually
does this, but the risk is there.

The 2nd reason is so you can place the little USB-IF logo on your product,
reassuring people that your product complies with the USB specs. This logo, in
the early days of USB, was very important. It's less so now. If you want it,
you need to enumerate within $time (I forget the number of milliseconds) after
you begin drawing power. If you don't, USB-IF doesn't like you and you can't
put the logo on your product.

Both items 1 and 2 could be accomplished using just the USB controller in the
USB device, with no driver needed ... But only if the USB controller lied
about who it was. It would have to say, "I'm a hard disk", or "I'm a speaker".
As soon as you lie, you're also not USB-IF compliant. Plus, it will look
pretty unprofessional to have your battery charger show up on the hardware
manifest as a hard drive. It would have been better to not enumerate at all,
than to do that.

So, you need to supply a driver, if you're doing something that every OS
doesn't have drivers for already, even if technically, it's not required.

So, really, this was Bill Gates' fault. I knew we could lay this one on him if
we dug deep enough. Windows should ship with OS drivers for USB battery
chargers. Curse you Bill Gates, curse you.
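
An added example, not part of the comment above: under USB 2.0 the current a device asks for at enumeration is the `bMaxPower` byte of its configuration descriptor, in units of 2 mA, and anything above 100 mA marks it as high-power. The two descriptors are constructed sample bytes and the function name is hypothetical.

```python
import struct

# USB 2.0 configuration descriptor header, 9 bytes, little-endian:
# bLength, bDescriptorType, wTotalLength, bNumInterfaces,
# bConfigurationValue, iConfiguration, bmAttributes, bMaxPower
CONFIG_HEADER = struct.Struct("<BBHBBBBB")
DESC_TYPE_CONFIGURATION = 0x02
LOW_POWER_LIMIT_MA = 100   # one unit load, allowed before configuration
ATTR_SELF_POWERED = 0x40   # bmAttributes bit 6

# Constructed samples: a bus-powered device asking for 500 mA (0xFA * 2)
# and one asking for 100 mA (0x32 * 2).
CHARGER_CONFIG = bytes.fromhex("09 02 19 00 01 01 00 80 fa")
LOW_POWER_CONFIG = bytes.fromhex("09 02 12 00 01 01 00 80 32")


def parse_config_power(raw: bytes) -> dict:
    """Return the power request encoded in a configuration descriptor."""
    if len(raw) < CONFIG_HEADER.size:
        raise ValueError("truncated configuration descriptor")
    (length, dtype, _total, num_if, _cfg, _istr,
     attrs, max_power) = CONFIG_HEADER.unpack_from(raw)
    if length != CONFIG_HEADER.size or dtype != DESC_TYPE_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    requested_ma = max_power * 2  # bMaxPower is expressed in 2 mA units
    return {
        "requested_ma": requested_ma,
        "high_power": requested_ma > LOW_POWER_LIMIT_MA,
        "self_powered": bool(attrs & ATTR_SELF_POWERED),
        "num_interfaces": num_if,
    }


if __name__ == "__main__":
    for name, raw in (("charger", CHARGER_CONFIG), ("low", LOW_POWER_CONFIG)):
        print(name, parse_config_power(raw))
```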

~~~
vog
Can't these issues be solved by registering to the USB controller as
"battery charger" and ignoring the OS?

~~~
tedunangst
The USB spec doesn't include a class for battery charger.

------
ShabbyDoo
The design of the trojan is odd. According to the Symantec analysis, it did a
bunch of xor's on request/replies as a sort of obfuscation. Given the
available commands all had GUID "magic numbers", only someone who had analyzed
the source code could exploit the backdoor. If one did that, he surely would
have observed the xor-ing and could easily add it into his trojan client. If
the author wanted to be sure that his botnet was not hijacked, he should have
made the trojan check signatures of instructions to verify origin.

Perhaps the xors were there to obfuscate the data on the wire so the
nefariousness of the open port would not be so obvious to net admins? However,
given that most companies would not forward 7777 traffic through their
firewalls, this trojan was probably targeted toward home users without
firewalls. Or, maybe it was designed as an exploit to be used after another
means was used to get inside a corporate firewall?

Also, given that probably only a few computers out of a million had this
trojan installed with 7777 available on the public 'net, how much effort would
be required to portscan machines just to identify botnet members? And, was
this even a true botnet? The built-in commands seemed to be designed around
data harvesting (for identity theft?).

This whole design is very strange to me.
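
An added example, not part of the comment above: a first-pass host check for the listener on TCP 7777 that the thread describes, run over Windows `netstat -ano` output. The sample output is constructed and the function names are hypothetical; a hit only says which PID to look at next, since other software can use the same port.

```python
import ipaddress

SUSPECT_PORT = 7777  # port named in the thread

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3140
  TCP    0.0.0.0:17777          0.0.0.0:0              LISTENING       555
  TCP    127.0.0.1:7777         0.0.0.0:0              LISTENING       4000
  TCP    192.168.1.20:49233     203.0.113.5:7777       ESTABLISHED     2210
  TCP    [::]:7777              [::]:0                 LISTENING       3140
  UDP    0.0.0.0:7777           *:*                                    1500
"""


def find_listeners(netstat_text, port=SUSPECT_PORT):
    """Return TCP sockets in LISTENING state bound to `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port_str = fields[1].rpartition(":")
        # Compare the parsed port number so 17777 does not match 7777.
        if not port_str.isdigit() or int(port_str) != port:
            continue
        # Drop IPv6 brackets and any %zone suffix before parsing.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        hits.append({
            "address": str(addr),
            "pid": int(fields[4]),
            "reachable_from_network": not addr.is_loopback,
        })
    return hits


def pids_to_investigate(netstat_text, port=SUSPECT_PORT):
    """PIDs holding a listener on `port` that is not loopback-only."""
    return sorted({h["pid"] for h in find_listeners(netstat_text, port)
                   if h["reachable_from_network"]})


if __name__ == "__main__":
    print(find_listeners(SAMPLE_NETSTAT))
    print(pids_to_investigate(SAMPLE_NETSTAT))
```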

------
Kliment
Wow. Any ideas on how this got there? I just don't see the motivation there.
Rogue addon at the factory? I don't see what use a battery manufacturer would
have from a remote backdoor. I thought USB battery chargers were "dumb"
devices.

~~~
axod
>> "I thought USB battery chargers were "dumb" devices."

They are, but they offer "software" for stupid people who like installing
crap. (I actually own this battery charger, it's pretty neat).

~~~
Kliment
Oh, by "dumb" I meant that they do not actually exchange data with the host,
just their device descriptor. Having read the Symantec link elsewhere in the
comments, I see this is indeed the case. So you actually have to download the
software yourself?

~~~
ZachPruckowski
Yeah, you download the software yourself from the internet.

That said, it appears that the charger does communicate with the software on
the host computer to tell it how well charged the batteries are.

------
yread
_We were interested in finding out how long this file had been available to
the public. The compile time for the file is May 10, 2007_

That's a looong time before anybody found out

------
raptrex
Symantec did an analysis on the Trojan:
[http://www.symantec.com/connect/fr/blogs/trojan-found-usb-ba...](http://www.symantec.com/connect/fr/blogs/trojan-found-usb-battery-charger-software)

