Energizer confirms software vulnerability in Duo charging software
Energizer's Duo USB battery charger has been around for a couple of years now, but the company has just now fessed up to a fairly significant vulnerability in the software for the device after being informed of the problem by CERT. While the software was intended to simply let you keep watch on the battery charging status, it apparently also opened up a backdoor that allowed commands to be executed remotely, including the ability to list directories, send and receive files, and run programs. That vulnerability is only found in the Windows version of the software, and Energizer has already discontinued the product altogether and removed the download from its website. Anyone that already has the software installed is advised to first uninstall it and then remove the Arucer.dll file from the Windows system32 directory.
[Thanks, Michael]
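The manual clean-up step above can be verified with a short PowerShell check. This is an added example, not code from Energizer or CERT: the only value taken from the article is the file name `Arucer.dll`, and looking in `SysWOW64` as well as `System32` is an assumption made to cover 64-bit Windows.

```powershell
# Added example: confirm Arucer.dll is gone after uninstalling the Duo software.
# Run from an elevated prompt so more processes can be inspected.
$dllName = 'Arucer.dll'   # file name from the article; nothing else is assumed known

# On 64-bit Windows, a 32-bit installer writing to "system32" is redirected
# to SysWOW64, so both directories are checked (assumption, see lead-in).
$dirs = @(
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ }

# 1. Is the file still on disk? Record a hash so the copy can be identified later.
$onDisk = foreach ($dir in $dirs) {
    $path = Join-Path $dir $dllName
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path    = $item.FullName
            Size    = $item.Length
            Written = $item.LastWriteTime
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# 2. Is it still mapped into a running process? A loaded DLL cannot be deleted
#    until that process exits. Protected processes throw on .Modules, hence the
#    try/catch; a 64-bit shell may not see modules of 32-bit processes, so an
#    empty result here is weaker evidence than the on-disk check.
$loadedBy = Get-Process | Where-Object {
    try { $_.Modules.ModuleName -contains $dllName } catch { $false }
} | Select-Object Id, ProcessName

if (-not $onDisk -and -not $loadedBy) {
    "$dllName not found on disk or in any inspectable process."
} else {
    $onDisk   | Format-List
    $loadedBy | Format-Table -AutoSize
}
```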
What so instead of fixing it they just discontinue it and say sucks for you to the current owners? Great customer care!
They discontinued a product just because the software has a completely fix-able bug in it? Pathetic.
So people with this product aren't going to be able to use it? Energizer didn't even make a tool to un-install it completely! How are novice users supposed to know where their sys32 directory is?
@MoonWalkerCTE I really do wish you would stop posting, every time you touch that keyboard it gets down-ranked into oblivion. I think 4chan might be better suited for you.
@MoonWalkerCTE
It's hilarious... just simply charging batteries via USB can lead to backdoor hacking and data-mining...
No one thought this could be an issue? No one???
It's a good idea to charge via USB, of course... (not the backdoor hacking - that was a bad judgment call there)... a little tech support, patch fix would have sorted this out, sure, but you can't help to overlook the possibility of a stronger attack through this vehicle of charging, now can you?
@MoonWalkerCTE
Canon did this to the SD430 Wireless. When Vista and IE 7 came out, they basically said screw it, we're done, and support beyond Windows XP and IE 6 was cut even though the camera was relatively new.
I can't believe huge companies can get away with crap like this.
@bazookafx3
yeah and you would know lol :P
@MoonWalkerCTE
I think there is more to this than what meets the eye
aka somebody was up to no good.
How do you let this happen? Has anyone ever heard of Quality Control? Or testing?
And why does that program need admin rights on my PC anyways? Crappy programming...
This kind of "bug" happens on its own or is it more plausible that someone put it in there? Legit question, I'm a newb at software-related stuff.
@kitsune
yes someone could have done it on purpose but I think it was just poorly written.
"Anyone that already has the software installed is advised to first uninstall it and then remove the Arucer.dll file from the Windows system32 directory." WTF so even if a regular user uninstalls the app they still have to delete the Arucer.dll file. I think this should be added in the next batch of spyware/virus definitions.
THAT WAS THE POINT OF THE SOFTWARE :d
arucer.dll = anagram for Duracell minus one "r"
@dingus the truth is unveiled
@dingus
nice conclusion
@dingus oh. god. this must not get out. We need to act fast beforrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
@dingus, that one R comes from the ® sign. Technically, it's an anagram of Duracell®.
@dingus THE PLOT THICKENS!
@tekdemon mind=blow.
Energizer bugs just keep going and going...
Don't touch my backdoor!
That's what she said... or he said?
In other news, Duo hackers keep going, and going, and going.
Well who the hell wants to monitor this nonsense anyway. The LED indicator is more than adequate. Just because I can do something on my PC does not mean I am going to.
@glamajamma I installed it like an idiot. I thought it was going to do something extra, then saw what it did and uninstalled it right away, totally useless.
Energizer batteries,
Lead to hacked PCs...
I feel a song comin' on.
I thought Duo was a great way to charge on the go so now I gotta go delete it from all my PCs. Why did it take so many years for this backdoor to be discovered?
Anyone still curious should know that there is absolutely no legitimate use for these pieces of code in a piece of software like this. This is a trojan horse, pure and simple. more info: http://www.bleepingcomputer.com/startups/Arucer.dll-22584.html
Will never use rechargeable batteries again, especially non-eneloops. Bought like 20 of various name-brand rechargeable batteries, and they die in a few days even when they were freshly charged.
@touchmygadget Generally they are put in to allow the software to check a site for updates. Now, this software must just leave that door wide open, rather than just checking once per session/user defined period. Add to that, the poor code that requires admin access and more than likely a nice exploitable memory leak or six and you have one hell of an invitation to hackers.
So they're not going to issue a patch, have removed the software from their site and are advising people to uninstall it from their systems, and to not use it anymore? Even after uninstalling you still have to remove a file manually? Bravo Energizer...
I think I'll stick with Duracell and chargers that go in my wall, and not my PC.
This has been reported elsewhere not as a vulnerability, but an actual trojan that phones home on the web and awaits instructions to download its payload.
ouch
What the heck is this thing anyway? Isn't it just a battery charger? Why need software for it? The charger that I use just plugs into a wall outlet.
I've had one of these for a couple of years now. I installed the software, found that it did nothing useful, and removed it. As I recall, all it did was report the charge state of the battery, which is quite evident from the LED on the charger. I wondered why they offered it, I guess now I know why. In the US at least these came with an AC adapter to let you charge from a wall outlet as well as charge from a USB port. They're actually a pretty handy device for keeping portable mouse batteries charged.