Giving up smoking is a good thing to do, but e-cigarettes and vaping present a whole new set of dangers: The smoking-cessation aids can actually be used to hack computers.
Security researcher Ross Bevington gave a presentation at BSides London, reported by Sky News, that showed how an e-cigarette could be used to intercept network traffic or to control a computer by making it think the e-cig is a keyboard.
Many e-cigarettes can be charged over USB, and Bevington said that it takes just a few simple tweaks to the vaporizer to turn it into a weapon that can download malicious payloads from the web.
The situation is further proof that a connected-everything world presents staggering cybersecurity ramifications, according to Cesare Garlati, chief security strategist at prpl Foundation.
“The security of the internet of things is fundamentally broken,” he said over email. “Developers and manufacturers understandably are eager to get their new high-tech devices to market, and unfortunately often overlook security. Interoperable open standards are the key requirement if we’re to improve IoT security even in the smallest of connected devices—they will reduce that complexity by effectively outsourcing the trickiest security work to the subject-matter experts.”
A saving grace is that e-cigs don’t have that much memory, so complex code is a no-go. “This puts limitations on how elaborate a real attack could be made,” said Bevington, speaking to Sky News. “The WannaCry malware for instance was 4 to 5 MB, hundreds of times larger than the space on an e-cigarette. That being said, using something like an e-cigarette to download something larger from the internet would be possible.”
Many enterprises today block the use of USB ports, which would prevent an attack like this—but some do not, so users should beware.
“Last year the University of Illinois and University of Michigan published research that showed if a hacker deliberately dropped a USB stick (which could have malware on it) there was a 50% chance that someone would pick it up and plug it into a computer,” said Adam Brown, manager of security solutions at Synopsys, via email. “As Bevington's recent research shows, a vape pipe could easily be modified to work as any kind of peripheral device when plugged in, and so could be used in a similar way to either deliver a payload or perform some other malicious activity while plugged in. Potentially, a vape pipe given away would very likely end up plugged into a computer for charging and so would be an effective device for a targeted attack on a known vaper.”
He added, “health risks to the body from vaping may not be fully known; however, it seems the health risks to your information or cybersecurity could be disastrous.”