USB Charging E-cigarettes Could Cause Malware Infection

It has become commonplace for people to switch to e-cigarettes in an attempt to curb the harm to their health that smoking causes. Vaping has become incredibly trendy, allowing people to enjoy a realistic smoking experience with a massive variety of flavors. In places such as the UK – where there is a total ban on smoking in (indoor) public places – this allows people to continue with their vice without the risk of incurring a fine under the smoking ban.

Now, however, new evidence has emerged that e-cigarettes may be causing an entirely different kind of damage to their users’ health, namely their digital health. Saving their bodies from cancer is a great priority, but e-cigarette smokers may be shocked to find out that it is possible to hide malware on a vaping device.

The latest discovery was made by a security researcher called Ross Bevington, who spoke at the B-Sides London security convention last week. During that talk, the UK-based researcher revealed just how easy it is to modify a device so that it can infect its user’s computer.

Attack Vector

The problem arises from the ability to charge an e-cigarette’s lithium-ion battery via a USB port. This gives the innocuous device a direct method for infecting a computer with malware. According to Bevington, the modified vape cigarette could be used to fool a computer into thinking it is a keyboard, or even a mouse.

More worryingly, according to the security researcher, a vape pen could be used to monitor people’s network traffic, theoretically allowing a hacker to steal usernames, logins, passwords, and even credit card details.

Although the risks are small (because the malware has to get onto the device in the first place in order to infect a computer), there is a risk of infection for people who buy an e-cigarette second-hand, or from a deep web vendor. In addition, even on eBay, there are a number of vendors selling powerful modified and homemade e-cigarettes.

Screenshot of modified e-cig delivering a message while charging

For cybercriminals who want to spread malware, this provides an easy method for malware dissemination, and it is not just the e-cig owner’s computer that could fall prey. Hackers comprehend that the simple act of charging a vape device while at a friend’s house could lead to multiple victims for them to target.

The Malicious Friend

Perhaps the biggest danger comes in the form of a tech-savvy friend with malicious intent. Modifying an e-cigarette is not a difficult thing to do, and it is not particularly unlikely that a malicious friend (or friend of a friend) might ask to pop their device into your laptop or computer – during a Friday night gathering, house party, or even summer barbecue.

“Using something like an e-cigarette to download something larger from the Internet would be possible.”

According to Bevington, the amount of space available on the average e-cigarette is way too small for malware as dangerous as WannaCrypt0r to be preloaded onto it. However, a cybercriminal could unleash malware onto a computer from an e-cigarette that allows the hacker to later use a Command and Control (C&C) server to deliver more powerful exploits onto the computer. This could include a keylogger, which could then be used to steal passwords and credit card details.

Previous Attacks

In 2014, evidence emerged of e-cigarettes being used to spread malware. On that occasion, the executive of a firm suffered a security breach on a computer that was fully up to date with anti-virus and all the latest security patches. Despite this, malware made it onto his computer.

On that occasion, no evidence could be found of a successful phishing campaign. However, it was revealed that the exec had recently switched to smoking an e-cigarette made in China, and it was that device that had caused the infection.

Rik Ferguson, from Trend Micro, has previously gone on the record warning people about this type of mass-produced malware danger:

“Production line malware has been around for a few years, infecting photo frames, MP3 players and more.”

In 2008, for instance, a photo frame produced by Samsung shipped with malware on the product’s install disc.

For businesses, this signals a massive danger, in particular because although a memory device will announce itself when plugged into a USB port, a keyboard will not. It is for this reason that an e-cigarette’s (or any other USB device’s) ability to mimic a keyboard or mouse could allow it to deliver its payload discreetly.

This possibility is further supported by research conducted at SRLabs, which discovered that USB peripherals can be made unstoppable in certain circumstances. For businesses with large offices and networks, the possibility that one employee could cause widespread infection within a network by simply charging their dinnertime smoke is a cause for concern.
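The point above, that a device posing as a keyboard or mouse attaches without any prompt, can be checked for after the fact on a Linux host. This added example (not from the article or from Bevington's talk) scans kernel log lines for USB HID keyboards and mice and reports any whose vendor/product ID is not on an approved list; the log lines, IDs and device names are constructed, and the approved list is an assumption.

```python
import re

# Matches the line the Linux kernel logs when a USB HID interface binds, e.g.
# "hid-generic 0003:VVVV:PPPP.0001: input,hidraw0: USB HID v1.10 Keyboard [Name] on usb-...-1/input0"
HID_LINE = re.compile(
    r"(?P<driver>[\w-]+) 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.[0-9A-Fa-f]+: "
    r".*USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device) \[(?P<name>.*?)\] on (?P<port>\S+)"
)

# Assumption: (vendor ID, product ID) of the input devices this machine should have.
APPROVED_INPUT_DEVICES = {("aaaa", "0001")}

# Constructed sample log: an approved keyboard, a storage stick, and a "charger"
# that enumerates as a keyboard. All IDs and names are placeholders.
SAMPLE_LOG = """\
[   12.401] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[  904.118] usb 1-3: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
[  904.131] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 1042.262] usb 1-2: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
[ 1042.330] hid-generic 0003:CCCC:0003.0004: input,hidraw3: USB HID v1.11 Keyboard [E-Cig Charger] on usb-0000:00:14.0-2/input0
"""

def unexpected_hid_devices(log_lines, approved=APPROVED_INPUT_DEVICES):
    """Return HID keyboards/mice that enumerated but are not on the approved list."""
    findings, seen = [], set()
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] not in ("Keyboard", "Mouse"):
            continue  # not a HID bind line, or a HID class we do not alert on
        ident = (m["vid"].lower(), m["pid"].lower())
        key = ident + (m["kind"], m["port"])
        if ident in approved or key in seen:
            continue  # expected input device, or already reported on this port
        seen.add(key)
        findings.append({
            "vid": ident[0], "pid": ident[1], "kind": m["kind"],
            "name": m["name"], "port": m["port"],
        })
    return findings

if __name__ == "__main__":
    for f in unexpected_hid_devices(SAMPLE_LOG.splitlines()):
        print(f"unapproved USB {f['kind']} {f['vid']}:{f['pid']} [{f['name']}] on {f['port']}")
```
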

Possible Solutions?

Perhaps the best solution is to make sure you never charge an e-cigarette in a computer. USB chargers that plug directly into the wall remove the possibility of infecting a computer. For enterprise, a total ban on charging USB devices in company machines would seem adequate. After all, the risks posed by infected USB devices are real – and are only set to become more complex over time.

Another option is to use a USB condom: a device that disables the data pins of a peripheral USB device, allowing only power to be drawn from the host. Finally, refraining from purchasing second-hand, unbranded, or highly modified devices from eBay is preferable. And whatever you do, don’t let your brother’s weird friend, who has tagged along for the afternoon, charge his smoke in your PC… you have been warned.

Opinions are the writer’s own.

Title image credit: RPM.Photo/Shutterstock.com

Image credits: Screenshot of exploit video from Twitter, Hazem.m.kamal/Shutterstock.com, USB Condom image from int3.cc/products/usbcondoms.


Ray Walsh I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

2 responses to “USB Charging E-cigarettes Could Cause Malware Infection”

  1. I see a lot of ‘could’ statements, but this applies to any USB device, not just vapes (e-cigs). Any USB device that has firmware and also plugs in for interaction or for recharging could be used for the same purpose. Haven’t heard of it happening and a company doing so would be outed very quickly.

    Could be a media streaming device, a GPS, the list is long. Heck, release a modem/router with compromised firmware and have direct access to the network it services!

    As for a company blocking staff from recharging their vapes . . . if they haven’t already blocked staff from plugging in USB devices they are already asking for it. One infected USB storage stick to load a few pictures to brighten a user’s desktop with snaps of the kids and they are gone! SOP for good IT says disable users’ abilities to connect anything to a work PC. Charging devices can be done in so many ways a network connected company PC isn’t needed.

    I don’t believe that it is much of a problem. My question (as a user of e-cigs) is why that particular device and not others? What is the non-smoking world’s problem with vaping when it doesn’t affect them?

    1. No one has a problem with smoking or vaping at BestVPN.com. This was simply an article about vape pens that can be used to infect computers. Due to the fact that they can be plugged into computers during relatively innocent social encounters this makes them a possible route for infection. This article is to raise awareness of the research surrounding infection by these products. Yes, other USB devices can, of course, be used to spread malware. This article, however, was about vape pens – which are perhaps less understood to be a problem.

      Although the danger may be small, it exists, and it is our job at BestVPN.com to make people aware of these types of issues. For the most part, responsibly sourcing vape pens will be enough to keep you away from the risk posed by these products, and, as you say, it is easy enough to charge them outside of a computer. Beyond that, deciding whether you want other people to charge their e-cig devices in your machines (if they happen to be at your house and only have a USB charger with them) is up to you.
