Schneier on Security
A blog covering security and security technology.
« PDF the Most Common Malware Vector |
| Electronic Health Record Security Analysis »
March 23, 2010
Back Door in Battery Charger
The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
That's actually misleading. Even though the charger is an USB device, it does not contain the harmful installer described in the article—it has no storage capacity. The software has to be downloaded from the Energizer website, and the software is only used to monitor the progress of the charge. The software is not needed for the device to function properly.
Here are details.
Energizer has announced it will pull the software from its website, and also will stop selling the device.
EDITED TO ADD (3/23): Additional news here.
Posted on March 23, 2010 at 6:13 AM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Really? A trojan in //battery charging software//?
Maybe operating systems where we can't install software really are the future...it prevents stupidity like this.
I think the question to be asking now is: Was it an Energizer employee or someone that somehow gained access to their networks? If it was an employee did Energizer's upper management know about this?
Vodafone distributed a card with a combo of Mariposa, conficker and even a Lineage password thieft with an HTC cell phone.
I'm curious, what do you think it would happen in US if, say, AOL did that?
Thank you Sir...
You echo my very thoughts when I read the article. The advice is written in a way that is misleading. It initially sounded either like conspiracy theory or movie plot material.
Not sure how I would take it if it was my product. Would I sue the people that spread the idea that my hardware equipment is spreading malware... although it is computer related, it is not a computing device...
I think this greatly diminishes their engineering team...
Seems like something in the chain of trust is definitively broken. I am wondering whether they had exported their programming to some outside vendor. Although not very critical since the number of people affected is somewhat small, it is another vector of attack (at least for me). Open source software is really the only trusted solution (if someone looks at the code to check for issues, but ubuntu and others do have some intelligent means to ensure authenticity). Any software on the internet needs to use hashes to verify authenticity, even if it wouldn't directly solve this problem. A more important thing is to establish a chain of trust and make companies responsible.
I'll get in befor Nick P does.
But even though this was a "dummy", in terms of what an I/O level connected device can do, it is not the first time we have seen Malware hidden on such devices and nor will it be the last.
The current usual two sugestions to get around the problem are,
1, Signed code.
2, User space I/O.
With a little thought you will realise the first does not in anyway solve the bad code problem, only limit the routes by which it can get onto a PC.
The second whilst usefull for multi-user machines is actually of little or no use on a single user PC wher the Malware is actually after the "user files".
We are at a point in time where Malware is starting to be used for Intel gathering (the modified ZeuS Malware that targeted .mil and .gov to vacume up documents and PDFs being one recent publicised example).
We need to step ahead of the curve and sort out not just OS's issues but all the legacy code issues.
The fact that the APT people are making a lot of noise and pointing fingers (possibly in the wrong direction) does not make them compleatly wrong in all they say...
All of your once trusted corporate reputations are belong to us!
@Clive "Signed code."
Will work only when and if people bother to check the the signature. And before someone says well this is consumer code - only dumb users fail - lemme remind us all of the Sendmail trojan. A full MONTH that compromised tarball sat on sendmail's distribution server. All those downloads by *nix admins and no one bothered to confirm the hash?
Thinking on it now though it would likely be a prudent act of QA--BY THE VENDOR--to check the distribution package signature periodically to ensure no tampering had occured.
Like The Register sez "Do you really want to trust the security of your PC to a battery maker?"
Odds are pretty good that the entire product is outsourced, with Energizer serving as little more than a "franchise" brand that gets slapped on at the end. That would explain why they took the drastic action of pulling everything: that's all they control. If they had any knowledge of the inner workings of the software or the hardware, you'd think an easier fix would be available to them. If they were trying to contact the original vendor for a fix, that would also explain their delays in taking action.
They're going to stop selling it? Cool, they should be available 2 for $5 at Woot.com in a couple of months.
@IS: yeah, I don't think Energizer actually makes much of anything anymore. In fact most US brands are just label printers.
@ BF Skinner,
"Thinking on it now though it would likely be a prudent act of QA--BY THE VENDOR--to check the distribution package signature periodically to ensure no tampering had occured."
It would be a start (though why the QA people are not doing it already is beyond me).
Of course this is just the tip of the iceburg as it where with the problems of signed code.
The simple fact that code is signed boes not make it good, it just says that somebody signed it on such and such date with their key...
That is there is no reason to think the code is not malicious or does not contain exploitable mistakes (the chances are better than even that it has one or the other for moderate to large code bases and might have both or atleast several exploitable mistakes).
The question falls to how do you keep out bad code from your code base.
Currently this tends to fall to simplistic "code reviews". Which as it's a dull and fairly tedeious task is generaly not done at all well.
That is those doing the code review are very unlikley to be the best programers in the place which means a good programer can "get one by" with little difficulty.
Which means that other methods have to be found (formal methods come to mind but... they are still an "unknown land" for most code cutters).
Part of the problem is a lack of "defensive programing" skills amongst code cutters and even today not handeling exceptions properly...
More qudos appears to go to writing "re-useable" code that tries too hard to be all things to all programs, thus carries "excess baggage" in which exploits can often be found.
As a rough rule of thumb only 10% of errors are down to "business rule errors", which oddly is where 90% of the effort is spent...
What really baffles me is that they thought they needed to ship software for this device at all. It is perfectly possible to charge devices via USB without any sort of software. At the best this was only going to be needless eyecandy and bloat. That they push this on consumers at all is rather distasteful I think.
more amusing, or unsettling, are the number of companies pushing firmware updates without any checksum, let alone gpg/pgp signed files, and you're expected to trust the files provided as is, trust their servers haven't been rooted, trust...
and most of your firmware for your devices is proprietary, another area where backdoors thrive, google for news on cisco backdoors for one reference.
proprietary software: backdoored for your own protection! proud chest thumps to follow message and a waving flag and merry song with much hand holding.
@Clive "though why the QA people are not doing it already is beyond me"
Yeah how about that?
With one client we were getting killed on quarterly tests. XSS, buffer overflows, CSRF, SQL injections (this was last year!)
I approached the test lead about her team taking over security testing. I mean security configurations, patches and all that...that's system dev ain't it?
I've often been accused of being logical but I thought that security testing should parallel the release schedule in this case--monthly.
Her response was "Well we don't know how and I'd have to hire someone who knows what to do."
My client was only spending 11 mil a year on this system -- function rules and QA/SEC and all the other "they'll just say no" IV&V people take a back seat. Course I remember when CM was just a bunch of binders sitting in the office of ol' What-does-he-do-again? (nice guy actually)
Firstly Energizer had nothing to do with this, they never see the product until it hits Walmart's shelves. They just get a small % for licensing their 'trusted name' on a product. This is true of pretty much any low tech product you see on a shelf.
It shipped with software to add value, a simple charge graph, it's much cheaper to do this in software than add a screen to the product and allows you to differentiate this from all the other $5 chargers.
Assuming this wasn't done deliberately. The driver CD was prepared on a PC at a discount manufacturer in China, probably the only PC in the shop with a CD burner and internet access. Imagine what level of 'hygiene' applies to this machine.
Code signing wouldn't help - the shop zips up the directory with the driver and any virus, signs it and ships it. You just know that no 3rd party interfered with the virus on it's way to you.
This also applies to all of us. When you burn a CD for a customer or upload a new download to your website how do you know the machine you are doing it from is clean? You can run virus scanners but they don't catch everything.
Do you reinstall the machine from original MS cd's everytime? How do you apply updates without connecting the machine to the net? Do you just trust your corporate firewall to protect it ?
"Firstly Energizer had nothing to do with this, they never see the product until it hits Walmart's shelves."
If they are willing to license their brandname to others, they should be willing to accept blame for bad things that are done in their name. It is their fault for not taking any measures to ensure that their brand was not being abused.
If I let ghost-writers write a book for me, don't bother to proofread it, then later find out the book contains plagiarism, then it is my own fault for not reviewing the work I contracted. Any blame would rightfully fall on me.
@NobodySpecial "Energizer had nothing to do with this"
Thank you Ward. They must pay you a lot to troll blogs.
I think jgreco has the right of it from both ethical and legal points of view. You can't subcontract out from under your duties and responsibilities.
But I think you've missed something here. Not only did they distribute the software with the goods...it was on their WEBSITE FOR DOWNLOAD. For weeks. even after they were -repeatedly- notified of it.
Re: "When you burn a CD for a customer " Why yes we do. We don't burn on back office PC's. Our production servers are clean, stripped down (Win and *nix) read only OS's. We test each production run for media that goes out the door. Had that been done this trojan would have been detected. And we aren't a company with over 3 billion (US$) in annual revenue.
I don't think that anybody would disagree that Energizer will have to take the bullet; I think it'll just be interesting to see how this plays out. There have been a slew of recent recalls for other "outsourced" products due to improper manufacturing standards (e.g., lead paint), but this is the first one that I can think of that might have a software component to it. It is a stark reminder of how going after the too-good-to-be-true cheapest solution can end up costing you in the end.
@ Impossibly Stupid,
"I don't think that anybody would disagree that Energizer will have to take the bullet;"
Hmm I wouldn't be to sure on that. I've been in and out of the "engineering sub-contractor game" for many years, some involving safety systems.
When you read the contracts with a jaundiced eye you often find hidden away that you take on responsability for "all prime contractor lossess" if "the prime contractor can show you where the cause of penalties"...
If they want to pay for my experiance then they either re-negotiate or I say "no thanks". I don't need to take on 10million of risk for a 0.4million contract...
There are a few people with large enough "brass ones" or desperate enough to do it. But they are setting themselves up for a fall.
"... but this is the first one that I can think of that might have a software component to it."
Think back a few years to Apple having to sort out a problem where a subcontractor in the supply chain was installing PC Malware on systems which docked to PC's...
"It is a stark reminder of how going after the too-good-to-be-true cheapest solution can end up costing you in the end."
The trouble is "9 out of ten cats are grey in the dark" and accountants won't "turn on the light" to get a better look, or ask the advice of someone who has...
Also you used to get into the "sharpen you pencil" game.
When you go back to a supplier time after time they tend not to provide you with "lean and mean get the job" prices.
So as an engineering manager you are used to sending out for quotes to three or four different known suppliers and going with the lowest cost.
The theory is that the prefered supplier will "sharpen their pencil" the next time they are asked to quote, if they lose this one.
However some people over egg the pudding and send out phoney jobs for quote.
Suppliers quickly recognise these type of people and put in spoilers and droppers. That is they will deliberatly quote low on what they think is such a job knowing that in all probability they won't get called on it.
However if they do, it's only a quote not a signed contract so they can pull out simply by saying that in the mean time they have had other work come in to "fill the shop" etc etc...
Since China has been getting in the act though there is a lot lot less of the spoiling going on, but beware as you say sometimes you "get what you pay for" in ways you realy don't want, such as saving 2USD/item on production but having to do "full inventory goods inward test" at 4USD an item...
"Hmm I wouldn't be to sure on that."
I didn't mean in the legal sense, I meant in the court of public opinion. Just like with Toyota, it isn't so much the problem and the minutia of assigning fault, but the way it gets handled by the brand. It's a bit early to say Energizer is going to make the same mistakes as Toyota, but the lesson is there about how their brand will suffer as a result.
"Think back a few years to Apple having to sort out a problem where a subcontractor in the supply chain was installing PC Malware on systems which docked to PC's..."
But they didn't pull the iPod (or iPhone or whatever it was) off the market as a result. They took steps to fix it, and that counts a lot from a brand reputation standpoint. Energizer would have come off looking a lot better if they were quicker to suspend the download and then quick to issue a fix. Killing the product completely just leaves people feeling that they'll get no support if they purchase some other Energizer product.
"So as an engineering manager you are used to sending out for quotes to three or four different known suppliers and going with the lowest cost."
And I would maintain that making a decision on a single dimension like price is exactly the kind of short-sighted mistake that ends up destroying companies in the long run. You seem to acknowledge that when you mention that suppliers end up being unreliable or the product ends up being shoddy. I'd say that happens often enough these days that whole premise of "lowest bidder" needs to be re-examined, in much the same way that it is smarter for a consumer to pick most products based not on price but on total cost of ownership.
If I were Energizer, I'd come clean as quickly as possible with as much technical detail about what happened as possible. This will only become a big story if there's any hint of a cover up or attempt to sweep it under the rug.
Why would I want to tie up a $300-2000 computer to charge batteries in the first place? I have these neat things around the house that distribute power in huge quantities and they cost about $0.57 apiece - called "electrical outlets" or "sockets". And when I install battery chargers on them it doesn't even access the internet; furthermore, the overhead of operating one is .00000001% that of a PC, or even a Mac! Not to mention I have 20 times as many of them and they are available in every room - bathrooms, the basement and the garage, even outside the house or in the cars (with an inverter, although converting 12Vdc into 120Vac in order to convert it back to 5Vdc would bother me academically). For that matter you can get a solar battery charger for
Did the company state why they did such a thing?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.