Energizer battery charger contains backdoor

The real security nightmare here is the requirement to install <i>extra software</i> just to use a <i>plain battery charger</i>.<p>I'm still wondering how many commodity devices come with a "driver CD". In the last 5-10 years I never needed any of them, as the devices were already fully supported on my Debian system. And I'm sure that is the case for MacOS and Windows, too.<p>The only interesting part of such a CD is the online manual, which is hopefully available as PDF and doesn't require any special software to read it.

I really wonder how the backdoor got there in the first place.

How does code like that get in a system from a major corporation?<p>Is this an outsourcing/supplier issue, or something related to Energizer's own staff?

The tale of how this backdoor got into a battery charging product is going to be interesting to hear.

This is a fairly important issue seeing as everyone is pushing towards USB-only charging. There are even USB charging ports on airplanes now.<p>Plugging in your device, with the intent of charging, shouldn't implicitly grant the host the right to install software or access files on the guest.<p>The USB protocol doesn't seem properly designed for this use case: I should be able to plug in to charge without having to worry about security holes.

I don't understand why you would plug a battery charger into a USB port? How many people don't have an extra power plug, but do have a laptop that they are going to let run for hours to charge their AA batteries.

The design of the trojan is odd. According to the Symantec analysis, it did a bunch of xor's on request/replies as a sort of obfuscation. Given the available commands all had GUID "magic numbers", only someone who had analyzed the source code could exploit the backdoor. If one did that, he surely would have observed the xor-ing and could easily add it into his trojan client. If the author wanted to be sure that his botnet was not hijacked, he should have made the trojan check signatures of instructions to verify origin.<p>Perhaps the xors were there to obfuscate the data on the wire so the nefariousness of the open port would not be so obvious to net admins? However, given that most companies would not forward 7777 traffic through their firewalls, this trojan was probably targeted toward home users without firewalls. Or, maybe it was designed as an exploit to be used after another means was used to get inside a corporate firewall?<p>Also, given that probably only a few computers out of a million had this trojan installed with 7777 available on the public 'net, how much effort would be required to portscan machines just to identify botnet members? And, was this even a true botnet? The built-in commands seemed to be designed around data harvesting (for identity theft?).<p>This whole design is very strange to me.

Wow. Any ideas on how this got there? I just don't see the motivation there. Rogue addon at the factory? I don't see what use a battery manufacturer would have from a remote backdoor. I thought USB battery chargers were "dumb" devices.

<i>We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007</i><p>That's a looong time before anybody found out

Symantec did an analysis on the Trojan: <a href="http://www.symantec.com/connect/fr/blogs/trojan-found-usb-battery-charger-software" rel="nofollow">http://www.symantec.com/connect/fr/blogs/trojan-found-usb-ba...</a>