Whatever the pros and cons of smoking e-cigarettes, they have undoubtedly been a big hit with smokers looking to either kick their habit, or at least to mitigate its health risks.
Now, most businesses are very aware of the risks that items such as USB thumb drives can pose to their systems, as these are a notorious vector for spreading computer viruses, and have instituted strict policies about their use (although personal users remain at high risk).
It now seems, however, that hackers in China have found a new means of infecting computers with viruses, using cheap pieces of hardware that many users would not even conceive of as a threat – cheap e-cigarette chargers!
‘An IT guy’ explained on Reddit how he or she discovered the threat (formatted for ease of reading),
‘I have a story I wanted to share about a data security breach at a large corporation. One particular executive had a malware infection on his computer from which the source could not be determined. The executive’s system was patched up to date, had antivirus and up to date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection but to no avail.
Finally after all traditional means of infection were covered; IT started looking into other possibilities. They finally asked the Executive, “Have there been any changes in your life recently”? The executive answered “Well yes, I quit smoking two weeks ago and switched to e-cigarettes”.
And that was the answer they were looking for, the made in China e-cigarette had malware hard coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system. Moral of the story is have you ever questioned the legitimacy of the $5 dollar eBay made in China USB item that you just plugged into your computer? Because you should, you damn well should.’
A security consultant for Trend Micro, Rik Ferguson, confirmed to the Guardian that the story was highly plausible, citing a 2008 incident where a virus was discovered on the installer for a Samsung digital photo frame.
Combined with a recent proof-of-concept attack (BadUSB) in which a USB control chip can be programmed to act as a keyboard and then send key-commands to open malware (Windows no longer auto-runs content stored on USB drives), Ferguson sees every reason to beware of such an attack:
‘Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming… Production line malware has been around for a few years, infecting photo frames, MP3 players and more, and a very strong case can be made for enterprises disabling USB ports, or at least using device management to allow only authorised devices.’
Using up-to-date anti-malware software is always a must, although only using products made by respected brand-name manufacturers and bought over the counter from trusted retailers (i.e. not ordering cheap Chinese alternatives from eBay) is also a good idea.
For simply charging a device, using a USB wall adapter instead of plugging the device into a computer should be safe, although the more paranoid might consider purchasing a ‘USB Condom’, which blocks the data pins on any USB cable.
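As an added illustration of the device-management approach Ferguson describes (this code is not from the article or from Trend Micro), the sketch below checks each attached USB device against an allowlist and flags approved devices that expose an interface class they should not have, such as a thumb drive that also presents itself as a keyboard. The policy table, device IDs and inventory are constructed assumptions.

```python
# Added example: audit USB devices against an interface-class allowlist.
# USB base class codes (bInterfaceClass) as assigned by the USB-IF.
HID, MASS_STORAGE = 0x03, 0x08
CLASS_NAMES = {HID: "HID", MASS_STORAGE: "mass storage"}
BOOT_KEYBOARD = 0x01  # bInterfaceProtocol of a boot-protocol HID keyboard

# Hypothetical policy: (idVendor, idProduct) -> classes the device may expose.
# The IDs are constructed placeholders, not real products.
ALLOWLIST = {
    ("1111", "0001"): {HID},           # approved keyboard
    ("1111", "0002"): {MASS_STORAGE},  # approved thumb drive: storage only
}

# Constructed inventory, shaped like what an agent could read from the
# idVendor, idProduct and bInterface* attributes under /sys/bus/usb/devices.
# Each interface is (class, subclass, protocol).
SAMPLE = [
    {"vid": "1111", "pid": "0001", "product": "Office keyboard",
     "interfaces": [(HID, 0x01, BOOT_KEYBOARD)]},
    {"vid": "1111", "pid": "0002", "product": "Thumb drive",
     "interfaces": [(MASS_STORAGE, 0x06, 0x50), (HID, 0x01, BOOT_KEYBOARD)]},
    {"vid": "2222", "pid": "0001", "product": "E-cigarette charger",
     "interfaces": [(MASS_STORAGE, 0x06, 0x50)]},
]


def audit(devices, allowlist=ALLOWLIST):
    """Return (device_id, reason, product) for every policy violation."""
    findings = []
    for dev in devices:
        key = (dev["vid"], dev["pid"])
        allowed = allowlist.get(key)
        if allowed is None:
            # Unknown hardware: nothing it exposes is trusted.
            findings.append((key, "unauthorised device", dev["product"]))
            continue
        for cls, _sub, proto in dev["interfaces"]:
            if cls in allowed:
                continue
            # An approved device showing an extra interface is the
            # BadUSB-style signal: storage that also types.
            if cls == HID and proto == BOOT_KEYBOARD:
                kind = "keyboard"
            else:
                kind = CLASS_NAMES.get(cls, hex(cls))
            findings.append((key, f"unexpected {kind} interface", dev["product"]))
    return findings


if __name__ == "__main__":
    for key, reason, product in audit(SAMPLE):
        print(f"{key[0]}:{key[1]} {product}: {reason}")
```

Vendor and product IDs are reported by the device itself, so reprogrammed firmware can copy an approved pair; the check is a baseline that catches unexpected interfaces, not proof that a device is genuine.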