If you’re concerned with the security of your electronic devices, don’t charge your friend’s vaporizer, or at least that’s the conclusion reached by security researchers examining the security of electronic cigarettes.
In a presentation at BSides London, researcher Ross Bevington reportedly demonstrated how to use an e-cig to launch attacks against computer systems.
Separately, another researcher who goes by the alias Fouroctets shared a video demonstrating a proof-of-concept attack in which a vaporizer pen is used to launch attacks against a laptop.
What are the similarities between these attacks? A vaporizer plugged into the device. Once the vape is plugged in to charge, the USB connection used to charge it provides a conduit to the computer. It is this conduit, the USB connection, that serves as the attack vector. By leveraging it, the aforementioned security researchers have managed to demonstrate how it can be used to turn a vaporizer into a cyber security threat.
In the case of Fouroctets, he told Sky News that he had essentially hacked the vape pen by integrating a hardware chip that allowed to communicate with his computer as if it were a peripheral device such as a mouse or keyboard and then loaded it with a script that he had written in advance. The script, which he claims could have been malicious in nature, prompted his computer to open up the Notepad application, a text editing application available on the Windows operating system. Once open, it typed out the message: “Do you even vape bro!!!!”
With potential for nefarious hackers to do something more sinister than open up a text editor and display a message, security researchers are cautioning those who would otherwise recklessly plug another’s USB enabled device, be it a vape, into their machine, as doing so could result in their machine being hacked.
“In all cases, be wary if someone wants to plug something into your machine.”
Mr. Bevington was quoted by Sky News as having said to “be wary if someone wants to plug something into your machine.”