It has become commonplace for people to switch to e-cigarettes in an attempt to curb the harm to their health that smoking causes. Vaping has become incredibly trendy, allowing people to enjoy a realistic smoking experience with a massive variety of flavors. In places such as the UK – where there is a total ban on smoking in (indoor) public places – this allows people to continue with their vice without the risk of incurring a fine under the smoking ban.
Now, however, new evidence has emerged that e-cigarettes may be causing an entirely different kind of damage to their users’ health, namely their digital health. Saving their bodies from cancer is a great priority, but e-cigarette smokers may be shocked to find out that it is possible to hide malware on a vaping device.
The latest discovery was made by a security researcher called Ross Bevington, who spoke at the B-Sides London security convention last week. During that talk, the UK-based researcher revealed just how easy it is to modify a device so that it can infect its user’s computer.
The problem arises from the ability to charge an e-cigarette’s lithium ion battery via a USB port. This gives the innocuous device a direct method for infecting a computer with malware. According to Bevington, the modified vape cigarette could be used to fool a computer into thinking it is a keyboard, or even a mouse.
More worryingly, according to the security researcher, a vape pen could be used to monitor people’s network traffic, theoretically allowing a hacker to steal usernames, logins, passwords, and even credit card details.
Although the risks are small (because the malware has to get onto the device in the first place in order to infect a computer) there is a risk of infection for people who buy an e-cigarette second hand, or from a deep web vendor. In addition, even on eBay, there are a number of vendors selling powerful modified and home made e-cigarettes.
For cybercriminals who want to spread malware, this provides an easy method for malware dissemination, and it is not just the e-cig owner’s computer that could fall prey. Hackers comprehend that the simple act of charging a vape device while at a friend’s house could lead to multiple victims for them to target.
The Malicious Friend
Perhaps the biggest danger comes in the form of a tech savvy friend with malicious intent. Modifying an e-cigarette is not a difficult thing to do, and the chances that a malicious friend (or friend of a friend) might ask to pop their device into your laptop, or computer – during a Friday night gathering, house party, or even summer barbecue – is not particularly unlikely.
“Using something like an e-cigarette to download something larger from the Internet would be possible.”
According to Bevington, the amount of space available on the average e-cigarette is way too small for malware as dangerous as Wannacypt0r to be preloaded onto it. However, a cybercriminal could unleash malware onto a computer from an e-cigarette that allows the hacker to later use a Command and Control (C&C) server to deliver more powerful exploits onto the computer. This could include a keylogger, which could then be used to steal passwords and credit card details.
In 2014, evidence emerged of e-cigarettes being used to spread malware. On that occasion, the executive of a firm suffered a security breach on a computer that was fully up to date with anti-virus and all the latest security patches. Despite this, malware made it onto his computer.
On that occasion, no evidence could be found of a successful phishing campaign. However, it was revealed that the exec had recently switched to smoking an e-cigarette made in China, and it was that device that had caused the infection.
Rik Ferguson, from Trend Micro, has previously gone on the record warning people about this type of mass-produced malware danger:
“Production line malware has been around for a few years, infecting photo frames, MP3 players and more.”
In 2008, for instance, a photo frame produced by Samsung shipped with malware on the product’s install disc.
For businesses, this signals a massive danger. In particular, because although a memory device will announce itself when plugged into a USB port, a keyboard will not. It is for this reason, that an e-cigarette’s (or any other USB device’s) ability to mimic a keyboard or mouse could allow it to deliver its payload discreetly.
This possibility is further supported by research conducted at SRLabs, which discovered that USB peripherals can be made unstoppable in certain circumstances. For businesses with large offices and networks, the possibility that one employee could cause widespread infection within a network by simply charging their dinnertime smoke is a cause for concern.
Perhaps the best solution is to make sure you never charge an e-cigarette in a computer. USB chargers that plug directly into the wall remove the possibility of infecting a computer. For enterprise, a total ban on charging USB devices in company machines would seem adequate. After all, the risks posed by infected USB devices are real – and are only set to become more complex over time.
Another option is to use a USB condom: a device that disables the data pins of a peripheral USB device, allowing only power to be drawn from the host. Finally, refraining from purchasing second hand, unbranded, or highly modified devices from eBay, is preferable. And whatever you do, don’t let your brother’s weird friend, who has tagged along for the afternoon, charge his smoke in your PC…. you have been warned.
Opinions are the writer’s own.
Title image credit: RPM.Photo/Shutterstock.com
Image credits: Screenshot of exploit video from Twitter, Hazem.m.kamal/Shutterstock.com, USB Condom image from int3.cc/products/usbcondoms.