Although this malware-injection technique was discovered several years ago, it is no longer a rare occurrence. The vulnerability is hidden in the rechargeable lithium-ion battery that most e-cigs come with. In most cases, the e-cig plugs directly into a computer’s USB port for charging.
Despite a ginormous realm of remote hacking possibilities – from 1 GB thumb-drives to specifically designed tools – the e-cig tactic does have its hacker benefits. Consider the social engineering aspect: someone asks you to charge their e-cig using your computer’s USB port.
Are you going to automatically think their e-cig holds malware? Hell no . . . chances are you won’t even know it’s a possibility. Because of this subtle breach of trust, the e-cig malware is almost always successful in execution. Coupled with an easy set-up, it’s no wonder this vulnerability is spreading rapidly.
PC Mag discusses a recent e-cig malware presentation given by security researcher Ross Bevington:
“Ross Bevington recently demonstrated how to hack a PC with a vape pen during a presentation at BSides London. Bevington showed how a modified e-cigarette, once plugged into a computer to be charged via USB, could attack the machine by interfering with its network traffic or masquerading as a keyboard.”
USB-borne malware is becoming a regular occurrence. Whether it’s spreading via e-cig or thumb-drive doesn’t matter because the outcome is the same. USB-based attacks can execute something as simple as a keylogger. They can also execute something as big as frying the entire motherboard of the targeted device.
There is an easy way to avoid this danger: don’t plug unfamiliar devices into your PC. While this should be common sense, too many people are eager to be kind. Being kind gets you nowhere in today’s society.
If someone asks to charge their device using your laptop, tell them you charge $50 a minute. If they still bite and still infect your computer, at least you can go out and buy a new one.
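A device that only needs power has no reason to present a keyboard or network interface to the host, which is what the modified e-cigarette in the demonstration did. The following check is an added example, not code from the original article: it assumes a Linux host, reads the interface class files under `/sys/bus/usb/devices`, and flags input, network and storage interfaces. The sample tree it builds is constructed for illustration.

```python
"""Flag USB devices that enumerate data interfaces while posing as charge-only."""
import os
import tempfile

# USB-IF interface class codes relevant to the attacks described above.
RISKY_CLASSES = {
    0x03: "HID (keyboard/mouse input)",
    0x02: "CDC communications (network/modem control)",
    0x0A: "CDC data (network/modem payload)",
    0xE0: "wireless controller (includes RNDIS network adapters)",
    0x08: "mass storage",
}

def read_hex(path):
    """sysfs stores descriptor fields as bare hex text, e.g. '03'."""
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def scan(sysfs_root="/sys/bus/usb/devices"):
    """Return {device: [findings]} for interfaces exposing a risky class."""
    findings = {}
    for entry in sorted(os.listdir(sysfs_root)):
        cls_file = os.path.join(sysfs_root, entry, "bInterfaceClass")
        if ":" not in entry or not os.path.isfile(cls_file):
            continue  # only interface nodes such as "1-2:1.0" carry a class
        cls = read_hex(cls_file)
        if cls not in RISKY_CLASSES:
            continue
        label = RISKY_CLASSES[cls]
        proto_file = os.path.join(sysfs_root, entry, "bInterfaceProtocol")
        # HID boot protocol 0x01 is a keyboard: the "masquerading" case.
        if cls == 0x03 and os.path.isfile(proto_file) and read_hex(proto_file) == 0x01:
            label = "HID keyboard (can inject keystrokes)"
        findings.setdefault(entry.split(":")[0], []).append(label)
    return findings

def build_sample_tree():
    """Constructed sysfs-like tree: one vendor-specific device, one rogue 'charger'."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": ("ff", "00"), "1-2:1.0": ("03", "01"), "1-2:1.1": ("02", "00")}
    for name, (cls, proto) in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, val in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
            with open(os.path.join(root, name, fname), "w") as fh:
                fh.write(val + "\n")
    return root

if __name__ == "__main__":
    for dev, labels in scan(build_sample_tree()).items():
        print(dev, "->", "; ".join(labels))
```

On a real machine the built-in keyboard and network adapters will also appear, so compare the output of `scan()` before and after a device is connected. A HID device is not required to declare the keyboard boot protocol, so any HID interface from a supposed charger deserves the same suspicion.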