Energizer USB Battery Charger Introduces Backdoor

March 8, 2010
What you don't know can hurt you. Technology Editor Bill Wong takes a look at why embedded developers need to take the Energizer USB fiasco into account when developing new products.

Energizer's USB DUO Battery Charger

What you don't know can hurt you, as anyone hit by a virus or Trojan horse can tell you. I have had to clean up enough violated PCs to know that attacks like these need to be avoided at almost any cost. Unfortunately, malware and viruses can show up in almost any computer-based product, like Energizer's USB DUO Battery Charger. It is an issue that embedded developers need to address when creating new products.

The USB DUO Battery Charger hardware is actually a nice idea. It recharged AA and AAA NiMH batteries. It was the software that was infected with a backdoor file, arucer.dll, that accepts connections on port 7777. The software installs on Microsoft Windows platforms. The problem child is set up to run when the system boots (check out the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key) by UsbCharger.dll, which is also installed by the software.
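The two indicators above (a Run key entry that loads arucer.dll and a listener on port 7777) can be checked against saved triage output. The script below is an added example, not part of the original article or any vendor tool; the sample `reg query` and `netstat -ano` text, value names, paths and PIDs are constructed, and TCP is assumed for the port.

```python
import re

# Indicators named in the article.
BACKDOOR_DLL = "arucer.dll"
BACKDOOR_PORT = 7777

# Constructed `reg query` output for the Run key (not from a real host);
# value names and paths are made up for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SampleUpdater    REG_SZ    "C:\Program Files\Sample\updater.exe" /background
    SampleCharger    REG_SZ    C:\Windows\System32\rundll32.exe C:\Example\Arucer.dll,Start
"""

# Constructed `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.20:49712     203.0.113.5:7777       ESTABLISHED     3012
"""

def run_key_hits(reg_output, needle=BACKDOOR_DLL):
    """Return (value_name, data) for Run values whose data names the DLL."""
    hits = []
    for line in reg_output.splitlines():
        m = re.match(r"\s+(\S.*?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        # Windows paths are case-insensitive, so compare lowercased.
        if m and needle.lower() in m.group(2).lower():
            hits.append((m.group(1), m.group(2).strip()))
    return hits

def listeners_on(netstat_output, port=BACKDOOR_PORT):
    """Return (local_address, pid) for TCP sockets LISTENING on the port."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        # Match the local port only; an outbound connection to a remote
        # port 7777 is not the backdoor listening on this host.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[1] == str(port):
                hits.append((f[1], int(f[4])))
    return hits

if __name__ == "__main__":
    print("Run key entries:", run_key_hits(SAMPLE_REG_QUERY))
    print("Listeners:", listeners_on(SAMPLE_NETSTAT))
```

A listener on port 7777 alone is not conclusive, since other software can use that port; a Run key value that references arucer.dll is the stronger signal, and the PID from the listener line identifies which process to inspect.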

The issue is not unique. In 2007 and 2008, a rash of similar problems arose with multimedia picture frames. Likewise, it is not uncommon to buy a flash memory stick or digital camera that comes with software in its flash memory that is installed every time the device is plugged into a PC. The culprit tends to be the Microsoft Windows autorun facility. Windows 7 and Vista do a better job of stopping this attack vector, and it is best to disable this facility.

Energizer has discontinued the product, and the online version of the application has been removed as well. The US-Community Emergency Response Teams (CERT) provided a warning about the problem, and Energizer is working with officials to determine how the infected software was introduced into the supply chain. This is unlike the Sony BMG CD rootkit scandal, where a rootkit was intentionally included with the product. Unfortunately, bad technical decisions like Sony's are not unique. Take the Lower Merion School District's policy to use laptop cameras to try to recover stolen laptops: a nice idea gone wrong when it can be used as a spy device.

Hardware and software developers now need to be careful about a range of activities, from how clean their development, test and deployment systems are to making management aware of the issues associated with products being developed. Shipping devices that are susceptible to, or carriers of, these types of problems can come back to haunt a company. I recently looked at some NAS boxes that have a great user interface and link to the Internet to provide even more services. They also ship with Telnet and SSL servers running and a fixed root password. It is great for an open source development environment, but it is equivalent to Energizer's problem: a hole that very few know about.

Bottom line: consider security for a product from all angles, even if it is not readily apparent that issues exist. Simple fixes or early decisions can often minimize or eliminate future problems.

Community Emergency Response Teams (CERT)

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF
