So-called electronic cigarettes (e-cigarettes) have become increasingly popular over the past few years, as the number of people who smoke traditional cigarettes in the United States has continued to decline. Proponents of e-cigarettes have argued that they can help people stop smoking (and I’m personally friends with one former smoker who used e-cigarettes as a stepping stone to quitting nicotine altogether). Proponents also say they’re less dangerous than conventional tobacco.
Others have argued that the aerosol e-cigarettes produce can create health issues of its own, and a number of businesses prohibit vaping along with smoking. Now security researchers have demonstrated that e-cigarettes can also serve as an attack vector against PCs and laptops. It’s 10 PM. Do you know where your desktop is?
Researcher Ross Bevington gave a presentation at BSides London this week showing how an e-cigarette could be used to attack a system. Rechargeable e-cigarettes often have a USB connector so they can be charged from a laptop or desktop rather than keeping the user tethered to a wall wart. That connector also leaves room for extra hardware inside the device: a small microcontroller that announces itself to the host as a USB keyboard and starts typing commands the moment it is plugged in. AutoPlay is not what makes this work; Windows stopped auto-running programs from USB storage years ago, and the operating system simply sees keystrokes arriving from what it believes is a keyboard, with whatever rights the logged-in user has. Another hacker, FourOctets, has created a video of how this kind of attack can work, embedded below.
Sorry if I get vape pens banned at your work place…… pic.twitter.com/VYhIIvyDEx
— Will buy derby tickt (@FourOctets) May 25, 2017
In this case, the payload was harmless: it typed out a message reading “Do you even vape bro!!!!” It’s not hard to see how this kind of attack could rapidly escalate from amusing into not-so-amusing territory, and controlled studies of dropped USB drives have shown that a large share of the people who find one will plug it into the nearest computer to see what it contains, even though that is an excellent way to get a machine infected or, with a USB killer, fried.
FourOctets showed Sky News a demo that could order a computer to download a malicious payload. User Account Control (UAC) in Windows 10 offers less protection here than it might seem: it only prompts when a program asks for administrator rights, so a payload that runs as the logged-in user, typed into a Run dialog or a PowerShell window, never triggers it at all. And since the device is, as far as the OS is concerned, a physical keyboard, it can also be scripted to answer the prompt itself when one does appear. Even where a prompt reaches the user, this assumes that end users understand the danger and pay attention to UAC messages before clicking OK.
I can’t help wondering if the e-cig hack couldn’t be paired with a USB Kill Drive to create something that looks like an e-cigarette, but promptly fries the machine it’s plugged into. I can’t think of any reason why not, which is why our headline for this story is a bit (but not entirely) tongue-in-cheek.
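The attack described above works only because the host accepts any device that claims to be a keyboard. The following is an added example, not code from the article, from Bevington, or from FourOctets: a small policy check modelled on the allowlist approach of tools such as USBGuard (it is not USBGuard’s code), which admits a device with an input (HID) interface only when its vendor ID, product ID and serial number are already known. The record layout, the policy, the vendor/product IDs and every device in the list are constructed for the example.

```python
"""Added example (not code from the article, Bevington, or FourOctets).

A keystroke-injecting e-cigarette is, to the host, just a USB device whose
descriptors declare an HID keyboard interface. The host cannot see what the
plastic looks like, but it can refuse to bind an input device it has never
seen before. This is a small model of the allowlist approach used by tools
such as USBGuard; the record layout, the policy and every device below are
constructed for the example and are not real inventory data.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Triple = Tuple[int, int, int]  # (class, subclass, protocol) of one USB interface

# Interface class codes from the USB-IF class code list.
USB_CLASS_HID = 0x03
HID_BOOT_KEYBOARD: Triple = (0x03, 0x01, 0x01)   # HID, boot subclass, keyboard
MASS_STORAGE_BULK: Triple = (0x08, 0x06, 0x50)   # mass storage, SCSI, bulk-only


@dataclass
class UsbDevice:
    vid: int
    pid: int
    serial: str
    name: str
    interfaces: List[Triple] = field(default_factory=list)


@dataclass
class Policy:
    # (vid, pid, serial) of input devices the machine is allowed to listen to.
    trusted_input: Set[Tuple[int, int, str]]
    # Interface triples any device may expose without being individually trusted.
    open_classes: Set[Triple]


def decide(dev: UsbDevice, policy: Policy) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a freshly enumerated device.

    Any HID interface (keyboard, mouse, or a vendor-defined HID) can inject
    input, so a device exposing one is admitted only if its exact identity,
    serial number included, is on the allowlist. A device with no serial
    cannot be pinned to an identity and therefore never matches.
    """
    if any(cls == USB_CLASS_HID for cls, _sub, _proto in dev.interfaces):
        if dev.serial and (dev.vid, dev.pid, dev.serial) in policy.trusted_input:
            return "allow", "trusted input device"
        return "block", "untrusted device exposes an HID (input) interface"
    unexpected = [i for i in dev.interfaces if i not in policy.open_classes]
    if unexpected:
        return "block", f"interface classes not permitted: {unexpected}"
    return "allow", "only permitted, non-input interfaces"


# Constructed policy: one office keyboard is trusted by serial number, and
# plain mass-storage devices are allowed (a separate control would scan them).
POLICY = Policy(
    trusted_input={(0x413C, 0x2107, "KB-0001")},
    open_classes={MASS_STORAGE_BULK},
)

# Constructed devices. Vendor and product IDs are illustrative only.
SAMPLE_DEVICES = [
    UsbDevice(0x413C, 0x2107, "KB-0001", "office keyboard", [HID_BOOT_KEYBOARD]),
    UsbDevice(0x0781, 0x5567, "FD-9F31", "flash drive", [MASS_STORAGE_BULK]),
    # The e-cigarette: it charges from the port, exposes a small storage
    # volume as cover, and quietly enumerates a keyboard as well.
    UsbDevice(0x1B4F, 0x9206, "", "e-cigarette", [MASS_STORAGE_BULK, HID_BOOT_KEYBOARD]),
    # Same VID/PID as the trusted keyboard but a different serial: a clone
    # of the model alone must not inherit the trust.
    UsbDevice(0x413C, 0x2107, "KB-7777", "keyboard clone", [HID_BOOT_KEYBOARD]),
]


def evaluate(devices=SAMPLE_DEVICES, policy=POLICY):
    """Map each device name to the policy verdict."""
    return {d.name: decide(d, policy)[0] for d in devices}


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        verdict, why = decide(dev, POLICY)
        print(f"{dev.name:16} {verdict:5} {why}")
```

Run as written, the office keyboard and the flash drive are allowed, while the e-cigarette and the keyboard clone are blocked. Two caveats worth noting: a descriptor policy like this only sees devices that enumerate, so it does nothing against a USB killer, which never identifies itself and simply discharges into the port; and the simplest defence against both the keyboard gadget and an unknown vape is a charge-only adapter or cable that connects power but not the data lines, since a device that cannot talk to the host cannot type at it either.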