It’s been a rough few months for the embattled e-cigarette industry. Although intended to be a safer alternative to tobacco, the devices have been under attack by regulators in the US and Europe who have expressed health concerns about the nicotine-enriched liquid used. And now, there’s a new worry surrounding them that nobody expected.
Your e-cigarette might be harmful to your computer’s health.
Most electronic cigarettes contain a rechargeable lithium-ion battery which is replenished via a USB connection. That could be from a wall-socket, or, critically, from a computer.
There have, however, been reports of some people having their computers infected with malware as a result of connecting their e-cigarettes. According to a post on social news website Reddit, an unnamed large corporation suffered a data breach due to one executive’s penchant for e-smokes.
“One particular executive had a malware infection on his computer from which the source could not be determined”, the user, Jrockilla, wrote. After a long investigation our pseudonymous IT employee started looking into other possibilities.
“The e-cigarette had malware hard coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system.”
It’s impossible to tell whether this story is true or not but it does raise an interesting question: can that $5 gadget you bought off eBay damage your computer? And if so, how can you protect yourself?
Despite what you might expect, it’s not unheard of for electronic devices to leave the factory with malicious software installed.
What is even more surprising is that it’s not limited to fly-by-night electronics manufacturers producing cheap knock-offs. There’s a startling number of household names who’ve found themselves in the awkward position of having accidentally shipped malware with their products. Just ask Apple.
In October, 2006, they were left red-faced after it transpired some Video iPods had been sold with ‘RavMonE.exe’ present on their internal storage. This is a variant of the RJump family of malware which, when executed on a Windows-based computer, opens a back-door that would allow an attacker to gain remote access to the infected machine.
It’s hard to tell how the infection occurred, but experts believe it happened, ironically, during the process of quality assurance testing. In an interview given at the time, then-Sophos employee Graham Cluley said “It’s most likely that some of the Video iPods were plugged into a Windows PC for testing purposes at Apple’s Chinese-based contractor’s manufacturing plant”.
Two years later in 2008, Samsung found themselves in a similar position when one of their digital picture frames shipped with a keylogger-infected driver install disk. Much like the Video iPod, it is believed the malware crept in during the manufacturing process.
And earlier this year, we learned about BadUSB — a seemingly unstoppable security flaw found in nearly all USB devices. This vulnerability is incredibly difficult to defend against, and could see malware being distributed via the firmware of USB devices.
It’s important to remember that most malware infections happen as a result of user activity, be that clicking on a malicious advert, or downloading something they probably shouldn’t. Yet, time and again we’ve seen that it’s possible for infections to happen as a result of manufacturer negligence.
How Can I Protect Myself?
Protecting yourself against rogue USB devices is easier than it sounds.
Firstly, where possible, you should try to avoid plugging untrusted devices into your computer. This is already common knowledge when it comes to flash drives, especially in corporate environments where there are serious concerns when it comes to data exfiltration. Unfortunately, the same awareness doesn’t quite exist when it comes to other USB-powered gadgets.
The only sure-fire way to protect yourself is to avoid plugging stuff into your computer unless you can absolutely vouch for it. Ideally you should use a wall charger. However, if this isn’t an option, you can always use a charge-only USB adaptor.
These work just like standard USB cables, but with one key difference: the data wires have been snipped, meaning they only allow power to pass through. You can get your hands on one of these cables on Amazon. They’re cheap too, with most retailing for only a few dollars, and could mean the difference between having a clean, secure computer, and a virus-laden nightmare.
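One way to check whether a gadget that should only draw power is actually presenting itself to a Linux computer as a USB device, as an added example that is not part of the original article. It assumes the standard Linux sysfs layout under /sys/bus/usb/devices; the function names, the sample tree and the 0000:0000 ID are constructed for illustration.

```python
import tempfile
from pathlib import Path

# USB-IF base class codes (bInterfaceClass) through which a device talks to the host.
CLASS_NAMES = {"02": "CDC control", "03": "HID (keyboard/mouse)", "08": "mass storage",
               "0a": "CDC data", "e0": "wireless controller", "ff": "vendor specific"}

def _read(path):
    try:
        return path.read_text().strip()
    except OSError:
        return ""

def snapshot(root="/sys/bus/usb/devices"):
    """Map each enumerated non-hub USB device to its ids and interface classes."""
    root, devices = Path(root), {}
    for entry in sorted(p.name for p in root.iterdir()):
        # Only interface entries such as "1-2:1.0" carry bInterfaceClass.
        cls = _read(root / entry / "bInterfaceClass").lower()
        if not cls or cls == "09":            # not an interface, or a hub
            continue
        dev = entry.split(":")[0]
        info = devices.setdefault(dev, {
            "id": ":".join(_read(root / dev / f) for f in ("idVendor", "idProduct")),
            "product": _read(root / dev / "product"),
            "classes": []})
        info["classes"].append(CLASS_NAMES.get(cls, "class 0x" + cls))
    return devices

def newly_enumerated(before, after):
    """Devices present only in the second snapshot: what the gadget exposed."""
    return {dev: info for dev, info in after.items() if dev not in before}

def constructed_tree(root, with_gadget):
    """Build a fake sysfs tree (constructed sample data, not a real capture)."""
    files = {"usb1/idVendor": "1d6b", "1-0:1.0/bInterfaceClass": "09"}
    if with_gadget:   # a "charger" that enumerates with keyboard and disk interfaces
        files.update({"1-2/idVendor": "0000", "1-2/idProduct": "0000", "1-2/product":
                      "USB Charger", "1-2:1.0/bInterfaceClass": "03", "1-2:1.1/bInterfaceClass": "08"})
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text + "\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        before = snapshot(constructed_tree(a, with_gadget=False))
        after = snapshot(constructed_tree(b, with_gadget=True))
    return newly_enumerated(before, after)
```

A gadget connected through a charge-only adaptor should add nothing to the second snapshot; a charger that shows up with HID or mass-storage interfaces is presenting itself to the computer as a keyboard or a drive. The check only reports the interfaces a device declares and says nothing about what its firmware does.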
Prevention Is Better Than Cure
For e-smokers, The Guardian’s coverage of this story has come with some helpful advice:
Dave Goss, of London’s Vape Emporium, says that vapers can remain safe by buying from respected manufacturers such as Aspire, KangerTech and Innokin, and by checking for “scratch checkers” on the box, which mark out authentic goods from counterfeits.
For everyone else, the advice is the same. Be wary of no-name or counterfeit electronics. Ensure your computer is patched and updated, and runs an up-to-date anti-virus package. And if you don’t trust it, don’t plug it into your computer.
Ever had your computer infected as a result of a USB device? I want to hear about it. Drop me a comment below and we’ll talk.