Energizer DUO USB Battery Charger Software Allows Remote System Access

March 09, 2010 by Jeff Shepard

The United States Computer Emergency Readiness Team (US-CERT), a department of US Homeland Security, announced that it is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system. The software, which has been discontinued, was available in both Windows and Apple® Mac OS X versions.

Energizer introduced the Duo Charger in the United States and the USB Charger in Latin America, Europe and Asia in 2007. Both products charge Nickel Metal Hydride batteries from both a wall outlet and a USB connection. The product included a feature that would allow the user to view the battery charging status on a computer if the associated software was installed. The Duo Charger product documentation referenced to download the software. The site offered downloadable software in both Windows and Apple versions; however, only the Windows version contained the vulnerability.

Energizer has discontinued sale of this product and has removed the site used to download the software. In addition, the company is directing consumers who downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers. This will eliminate the vulnerability. CERT and Energizer also recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software.