In The News‎ > ‎

E-Cigarettes infecting computers?

posted Dec 8, 2014, 8:26 AM by Craig Cox   [ updated Dec 8, 2014, 8:27 AM ]
Well, maybe.  The jury is still out on this one.

The Guardian reports that a computer belonging to an unnamed executive at an unnamed company was infected by malicious software from an unnamed brand of Chinese-manufactured e-cigarette charger.  Instead of plugging the charger into the wall, he used the USB power from his computer.

Tracing back to the original Reddit discussion, however, you find a great deal of skepticism.  Why have we not heard so much as the brand name of the e-cigarette?  If you're going to spread the word, at least state which brand should be recalled.  How do we know that it wasn't just a case of someone on the assembly line unknowingly getting / spreading an infection?  Why would a company spend money on the electronics needed to infect a computer, when a straight power cord is much cheaper to manufacture?  Is the return on investment going to be that good?  Sure, the compromised computers can monetized, but the company reputation is destroyed.

There is certainly a lot of potential for abuse of USB.  The USB standard more or less calls on computers to trust USB devices to identify themselves accurately.  So if someone connects an ordinary USB mouse, and it tells the computer it's a mouse, all is well; but if the mouse chassis holds more than just a mouse, the computer will accommodate that as well.  Specialty hacking thumb drives are available online, which identify as keyboards -- typing in pre-set commands as soon as they're plugged in and recognized.

So if there is a danger, what should we do?
For devices that just need power and nothing else, use the wall charger; or use a special device in which the data wires in the USB cable have been either shorted or removed.  For devices that have to interact with the computer, avoid underpriced knockoff merchandise, free samples, or found devices.  Anything that seems too good to be true may have hidden strings attached.

And of course, keep your antivirus software up to date.  AV won't solve all of the problems of a sophisticated USB attack, but it's still a basic defensive necessity.