E-cigarettes have become the latest vector for hackers to distribute malicious software. E-cigarettes manufactured in China are reportedly being used to spread malware to computers when users plug them into a USB port to charge.
The story emerged after an executive at a "large corporation" had his computer infected with malware from an undetermined source after he quit smoking and switched to e-cigarettes made in China, according to a recent post on the social news forum Reddit.
On investigating the matter further, he found that the chargers of the e-cigarettes - bought from the online auction site eBay for $5 - were hard-coded with the malware that infected his workstation, despite it having the latest antivirus and anti-malware programs installed.
"The executive's system was patched up to date, had antivirus and anti-malware protection," Reddit user Jrockilla said. "Web logs were scoured and all attempts made to identify the source of the infection but to no avail."
"Finally after all traditional means of infection were covered, IT started looking into other possibilities. They finally asked the executive: 'Have there been any changes in your life recently?' The executive answered: 'Well yes, I quit smoking two weeks ago and switched to e-cigarettes.' And that was the answer they were looking for."
"Hackers are able to exploit any electronic device to serve malware to a poorly protected network," Pierluigi Paganini, chief information security officer at an ID management firm, said in a blog post. "Despite the [fact the] idea could appear hilarious, many electronic cigarettes can be charged over USB using a special cable or by inserting one end of the cigarette directly into a USB port."
The idea is similar to BadUSB, whose source code was released by the researchers last month on the open-source code hosting website GitHub. BadUSB was capable of spreading itself by hiding in the firmware that controls how USB devices connect to computers. Ferguson explained that "a very strong case can be made for enterprises disabling USB ports, or at least using device management to allow only authorised devices."
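As an added illustration of the "allow only authorised devices" approach (not code from the article or from any device-management product), the sketch below checks USB enumeration records against an allowlist and also blocks an approved model that presents an interface class it was not approved for. The policy format, device names and all vendor/product IDs are constructed for the example.

```python
"""USB allowlist check. All IDs, device names and the policy format are constructed."""
from dataclasses import dataclass

# Standard USB base class codes, as reported in bInterfaceClass.
USB_CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x09: "Hub"}

@dataclass(frozen=True)
class UsbDevice:
    vid: int                  # idVendor, self-reported by the device
    pid: int                  # idProduct, self-reported by the device
    product: str
    interface_classes: tuple  # one bInterfaceClass value per interface

# Hypothetical policy: (vid, pid) -> interface classes approved for that model.
ALLOWLIST = {
    (0x1111, 0x0001): {0x03},  # approved keyboard: HID only
    (0x2222, 0x0002): {0x08},  # approved flash drive: storage only
}

def evaluate(dev, allowlist=ALLOWLIST):
    """Return (verdict, reasons); verdict is 'allow' or 'block'."""
    ident = f"{dev.vid:04x}:{dev.pid:04x}"
    approved = allowlist.get((dev.vid, dev.pid))
    if approved is None:
        return "block", [f"{ident} not on allowlist"]
    reasons = []
    for cls in sorted(set(dev.interface_classes) - approved):
        name = USB_CLASS_NAMES.get(cls, "unknown")
        reasons.append(f"unexpected interface class {name} (0x{cls:02x}) for {ident}")
    return ("block" if reasons else "allow"), reasons

# Constructed enumeration records.
KEYBOARD = UsbDevice(0x1111, 0x0001, "Office keyboard", (0x03,))
CHARGER = UsbDevice(0x3333, 0x0003, "USB charger", (0x08,))
# Approved IDs, but it also presents a keyboard interface.
ODD_DRIVE = UsbDevice(0x2222, 0x0002, "Flash drive", (0x08, 0x03))

if __name__ == "__main__":
    for dev in (KEYBOARD, CHARGER, ODD_DRIVE):
        verdict, reasons = evaluate(dev)
        print(f"{dev.product:16} {verdict:5} {'; '.join(reasons)}")
```

Vendor and product IDs are whatever the device's firmware reports, so reprogrammed firmware can copy an approved pair; the interface-class check narrows that gap but does not close it.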