Energizer battery charger contains backdoor
- Thread starter D69
- Start date
abstract
Dagobah Resident
Seemed like a clever idea, i suppose.
How many people own a computer? Many.
How many devices use batteries? Many.
How many people are dumb enough to buy something so suspicious? (charging batteries on your computer...how lazy are we? Next thing will be a USB microwave...)
Many.
Sometimes it pays not to run out and buy the latest gadget? :P
How many people own a computer? Many.
How many devices use batteries? Many.
How many people are dumb enough to buy something so suspicious? (charging batteries on your computer...how lazy are we? Next thing will be a USB microwave...)
Many.
Sometimes it pays not to run out and buy the latest gadget? :P
dant
The Living Force
This incident exposes a major point and certainly Energizer
[Bunny] is not alone and probably won't be the last.
How does one (the "average joe") really know what software can
be trusted, including those from well-known name brands? Your
hacker can be anyone... and perhaps those who download updates
from trusted names are potentially at risk? Who is to say "they"
won't "slip a mickey" in when the timing is right (software can be
added in/removed on the fly and/or dormant and in wait of activation)?
Seems that most of us at the mercy of independent watch-dogs to warn
"us" of these dangers, and hopefully can be caught in time before the real
damage is done?
Or so it seems,
Dan
[Bunny] is not alone and probably won't be the last.
How does one (the "average joe") really know what software can
be trusted, including those from well-known name brands? Your
hacker can be anyone... and perhaps those who download updates
from trusted names are potentially at risk? Who is to say "they"
won't "slip a mickey" in when the timing is right (software can be
added in/removed on the fly and/or dormant and in wait of activation)?
Seems that most of us at the mercy of independent watch-dogs to warn
"us" of these dangers, and hopefully can be caught in time before the real
damage is done?
Or so it seems,
Dan
Yeah this thing really begs for serious legal action. This is not a "bug", this is deliberate code introduced to act as a backdoor and listen on port 7777, just like any "trojan" does that lets others connect to remote control someone's PC.
dant
The Living Force
Perhaps, one needs to prove there is a law against what
Energizer (or any vendor) is/was doing that it was done
intentionally and for nefarious purposes?
Also, one has to define what a "backdoor" is, as there are many,
both legal and illegal, right? I guess it depends on who benefits,
like the NSA, CIA, ..., hackers, ... but I digress.
This has been going on for quite some time, and Energizer was
not the first, nor will be the last, it is a recurring theme. You might
notice that with most software being installed, there is usually an
EULA "contract" which indemnifies the licensor, and to otherwise
hold the licensor harmless, and for any damages? Also, most point
out: you have the right to refuse the EULA, and to refuse to install the
software, right? But these are legalese to protect the vendor, not the
end user, perhaps?
Network ports are fair game, are they not, and do you want the
politicians to define for us, what those rights are? Perhaps vendors
would scream that attempts to define laws in these areas might stifle
"innovation" and the "free markets"?
How does one go about the potentially millions of vendors that uses
these network ports, including vendors that provide the operating
systems and to add to it, their use of these ports? Do they have the
right to do so?
Does anyone remember the "thousands" of updates from M$ claiming
"security hole" fixes? Why is no one prosecuting M$ for these "damages",
after the fact? Sounds like M$ is covering up their ...? Or are they?
The devil is in the details, or so it seems...
FWIW,
Dan
Energizer (or any vendor) is/was doing that it was done
intentionally and for nefarious purposes?
Also, one has to define what a "backdoor" is, as there are many,
both legal and illegal, right? I guess it depends on who benefits,
like the NSA, CIA, ..., hackers, ... but I digress.
This has been going on for quite some time, and Energizer was
not the first, nor will be the last, it is a recurring theme. You might
notice that with most software being installed, there is usually an
EULA "contract" which indemnifies the licensor, and to otherwise
hold the licensor harmless, and for any damages? Also, most point
out: you have the right to refuse the EULA, and to refuse to install the
software, right? But these are legalese to protect the vendor, not the
end user, perhaps?
Network ports are fair game, are they not, and do you want the
politicians to define for us, what those rights are? Perhaps vendors
would scream that attempts to define laws in these areas might stifle
"innovation" and the "free markets"?
How does one go about the potentially millions of vendors that uses
these network ports, including vendors that provide the operating
systems and to add to it, their use of these ports? Do they have the
right to do so?
Does anyone remember the "thousands" of updates from M$ claiming
"security hole" fixes? Why is no one prosecuting M$ for these "damages",
after the fact? Sounds like M$ is covering up their ...? Or are they?
The devil is in the details, or so it seems...
FWIW,
Dan
WIN 52
The Living Force
I have just been thinking of this and more.
Now, I am not a computer geek, for lack of a better word. My computer experience is one of plug and play and if the directions are not clear, I am stumped. It would be so easy for some one who knew what they were doing, like my brothers and sisters (computer geeks, and we all laugh about their classification though they are whizzes with programing), to get all of my information off of my computer.
I need to rely on an expert when it comes to programing issues with my computer. Anything like this could easily get in without me even knowing. That being said, I understand this. Consequently, I do not have any private info on my computer and I should not keep that here, no matter what. Not that there is anything of value other than information about personal thoughts.
Thanks for bringing this up. Homeland security legislation in the USA will probably have this put in automatically before you even get your PC now.
Now, I am not a computer geek, for lack of a better word. My computer experience is one of plug and play and if the directions are not clear, I am stumped. It would be so easy for some one who knew what they were doing, like my brothers and sisters (computer geeks, and we all laugh about their classification though they are whizzes with programing), to get all of my information off of my computer.
I need to rely on an expert when it comes to programing issues with my computer. Anything like this could easily get in without me even knowing. That being said, I understand this. Consequently, I do not have any private info on my computer and I should not keep that here, no matter what. Not that there is anything of value other than information about personal thoughts.
Thanks for bringing this up. Homeland security legislation in the USA will probably have this put in automatically before you even get your PC now.
D69
Dagobah Resident
heh theres more :D NSA CIA etc. will have a hard time to get to those backdoors since after an announcment there has beed Metasploit module released that exploit flaws in this energizer backdoor.
For all interested , details here : __http://packetstormsecurity.org/filedesc/energizer_duo_payload.rb.txt.html
This means that this backdoor has already been dissected by not-gov hackers ;)
Also if its about other mobile devices and its backdoor issues , there are many discovered all the time.
For example 2 days ago : __http://www.theregister.co.uk/2010/03/09/vodafone_mariposa/
Ill keep you updated if anything interesting happens ;)
edit:
New event (yesterday) ;)
_http://www.thenewnewinternet.com/2010/03/10/researchers-create-mobile-botnet-with-weather-app/
Harold
Jedi Council Member
Hello, great morning to rip the little bunny a new one... lol. I just keep thinking of this little .dll (..... whats it stand for? Dynamic link language?)something or other file marching right in banging on his cute little trogan drum just like in the commercial. I wonder if thats what the programmer was thinking when they installed this pre-packaged little ditty. I try to imagine what took place for it to be installed, was it in the specifications. Did a programmer just add it, and not document it? Was it part of another program that was cannibalized to create this one. I don't want to speculate but someone somewhere wrote that code, the irony of the iconic bunny now having another more meaningful image of a trogan contraption is not lost on me this morning. If the wrong person plugs this little jizmo into lets say a computer in the wrong place at the wrong time.
This just strenghtens my resolve to stay as low tech as possible, but where is the balance point?
cheers,
Harold
This just strenghtens my resolve to stay as low tech as possible, but where is the balance point?
cheers,
Harold
drygol said:Heh , and its getting better and better.
I wonder who exactly puts them (backdoors) in.
They are becoming desperate to steal ever thing with a hope that they can hide behind the CONTROL , so they are using every possible device they can find for that purpose. Fortunately, they are running out of ideas.
abstract said:
From a Big Brother point of view, it's a fabulous idea.
From a technical POV, it's an absolutely god-awful idea to have any software at all involved. USB ports can be used to only supply power to a device. You just don't connect the data lines from the USB plug inside your gizmo, and you're done. No malware worries. No software to write. That would obviously reduce the cost of the device, as well. So it's pretty laughable that they'd even think of producing something like this.
Really makes ya wonder what with the news of the back door in the software...
D69
Dagobah Resident
If i understood you correctly , then i cannot agree on that , there are plenty of USB devices with MBR on it (especially flash drives) so with autorun feature you can easily upload anything you want onto target PC. As an example GSM modems that has drivers built in on flash mem.
There is also another aspect of this case , I am not defending BigBrother at all but you should also consider possibility of payed cracker who broke into energizer and put this code himself for later use.
This is also very common scenario , so imo we shouldn't blame everything on BB - just my 5 cents
rs
Dagobah Resident
I agree that it was deliberately done, but I disagree that Energizer was responsible or even knew. Not that this excuses them, but I think that for Energizer this was simple carelessness ("what could go wrong, its so simple!") on their part. Energizers testing is likely to go like this: we wanted a programmable battery charger; the software acts as a programmable battery charger like we asked; Done. After all, they make batteries, which is chemistry, not technology widgets made with software. It is another whole level of difficulty requiring rather specialized skills to perform the necessary testing looking for additional, unintended behavior like the spyware that also came along with the install. If Energizer did this, it is a particularly sloppy implementation, unlike the truly amazing root kit install that Sony developed for their "music piracy" copy management.Laura said:
Many consumer products that interface to a computer come with install disks where the software also comes from China. I do not buy any product like this or allow these "applications" or "drivers" to be installed on my computer. For example, you can buy a lot of "toy" cameras that are USB interfaces that come with "drivers". Except that there is absolutely no need for such a thing since at this point the USB software standard includes mass storage (to make it look like a disk drive so you can see/copy/delete the pictures) or also as a web camera. Since these interfaces are part of the USB standard, there is no need for additional software and any product that comes with a disk from China with "drivers" on it is automatically suspect in my book.
What I think happened here is that Energizer was casual and naive and got burned. They subcontracted out the entire implementation and their contractors they dealt with in China were connected to criminal elements who planted the spyware. I do not think this was a Chinese Military operation because if it were, it would have been MUCH more difficult to find. Believe me, the Chinese Military is all over the computer infrastructure of the entire planet, particularly (of course) in the USA, and they do a much better job of gaining access and hiding their tracks.
I think that Energizer was stupid and this was simply a crime of opportunity. It is almost certain that there are other instances of this where the software implementation was far more sophisticated, and so have not been discovered yet.
Trending content
-
Thread 'Coronavirus Pandemic: Apocalypse Now! Or exaggerated scare story?'
- wanderingthomas
Replies: 30K -
-
