Electronic cigarettes are, arguably, much better for your health than the real thing – they don’t contain tobacco – but they may contain surprises.
According to a post by Jrockilla, an “IT guy” on the Talesfromtechsupport forum, an e-cigarette belonging to his boss may have come packaged with a USB charger preloaded with malware.
Jrockilla wrote how an executive at a large corporation found malware on his computer and that the source of the infection could not be determined. After the IT department looked at all the obvious routes of entry and poured over the web logs it started looking into the less than obvious alternative points of access for the malware.
When the executive was asked whether there had been any changes of note in his life recently he said he had quit smoking a fortnight previously and switched to e-cigarettes.
Jrockilla wrote how “that was the answer they were looking for, the made in china e-cigarette had malware hard coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system.”
When the post made its way onto Reddit it picked up well over 300 comments with most doubting the veracity of the tale. Many Redditers commented how they had taken e-cig chargers apart or seen pictures of them and noted that they did not contain USB microcontroller chips or data wires and were, simply, designed for what they were intended – a means of charging an e-cigarette.
Others pointed out how AutoRun – the bane of administrators and security personnel for far too many years – would not automatically run any malware on the charger without prompting the user first (assuming they were using a modern operating system).
Even so, the story may be true, even if it is at best likely to be a one-off or limited case. Rik Ferguson, Trend Micro’s Vice President of security research and author of the company’s countermeasures blog, told The Guardian that:
“Production line malware has been around for a few years, infecting photo frames, MP3 players and more.”
Combine that with newly discovered malware such as BadUSB – which proves it is at least possible to reprogram USB devices at the hardware level – and you can see the potential for abuse by criminals and other attackers.
So how can you counter the risk and should you even be concerned at all?
The risk of e-cigarette infection appears to be ridiculously small right now and there is in fact no confirmation that Jrockilla’s story is true in the first place. But that’s not to say that no-one will attempt to transfer malware in this manner in the future so you need to be wary.
If you are advised to only buy e-cigarettes or, more specifically, chargers from certain manufacturers then think things through carefully – many consumer electronic items are manufactured in a limited number of factories in a limited number of countries and then rebadged for different retailers – so that strategy may not yield any guarantees whatsoever.
Instead it would be far better to look at the business end of the charging process – the PC or other device into which the charger is plugged.
So, ensure that all your security and other software is fully patched and up to date and, if you have particularly sensitive data on your device, or are particularly paranoid about this type of attack, consider disabling your USB ports altogether or employing some form of device management to block unauthorised devices from being used.