Will Your Mod Give You Malware? The Myth Returns
In late 2014, a story from Reddit ended up plastered all over the internet, with reputable news sites warning vapers that you can get malware from your e-cigarette. The story was quickly dismantled by vapers, from the dubious source of the story – who didn’t have any details beyond the likely copied-and-pasted text – right through to the plausibility of the approach and whether or not it would even be worth it.
But in the world of vaping, no piece of potentially fear-inducing news can be left to die. Thanks to security researcher Ross Bevington and an anonymous hacker, the “your e-cig will give you malware” story is back for another round.
But although the story may have returned, it hasn’t got much more credible over the past few years. Here’s why you don’t have to worry about your mod giving you malware.
The Tales From Tech Support E-Cig Malware Scare
Before we get on to the new version of the story, we should recap what happened the first time around. In November 2014, a redditor who goes by Jrockilla posted a story to TalesFromTechSupport about an executive whose computer was infected with malware, but no clear source could be identified. After some investigation, it was supposedly found that the USB charger for his e-cig (which the stories always point out was Chinese-made) had malware hardcoded into it.
People in the comment thread pressed the poster for more information about the type of charger and other details, but he couldn’t answer the questions, at one point explaining “it is just a story.” In other words, there is no hard evidence that this even happened at all.
James Dunworth at the Ashtray Blog looked at the story in detail, and spoke to e-cigarette and internet security experts, who acknowledged that it would be possible but stressed that it would be a lot of work for very little reward.
But when the media found out about it, the unverifiable and unlikely story quickly took on a life of its own and was spread across the internet regardless.
The Myth Returns: Proofs of the Concept, No Proof It’s Happening
Almost three years later, the myth has returned. Ross Bevington gave a talk at BSides London where he showed that an e-cigarette can be modified to either fool your computer into thinking it’s a keyboard or mess with your network traffic. While you can’t do this to a locked laptop, similar approaches don’t have that setback.
A more lighthearted addition to the story is another proof-of-concept type stunt from a researcher and hacker called FourOctets. He opened up a mod, added a chip and wrote a little bit of code so that computers would recognize it as a keyboard or a mouse. He originally did it as a joke, making it so that when the mod was plugged into a computer, it opened Notepad and wrote “DO U EVEN VAPE BRO!!!!!”
But of course it if someone really wanted to, they could use a similar approach to set up a mod to do something more dangerous when you plug it in, like download malicious programs.
Why You Shouldn’t Be Worried About Malware From Your Mod
As these stories show, it is possible that a mod could be used to tamper with your computer, but “possible” is a far cry from “actually happening.” Like the older story, there are many reasons that this type of attack just isn’t especially likely.
Nearly Three Years Later: Still No Real-World Examples
The biggest issue with the story is that there are still no examples of this actually happening in the real world. The TalesFromTechSupport story is the closest thing that we have, but this is an anonymous story posted to Reddit. That doesn’t mean that it’s not true, but it’s hardly a ringing endorsement that the story is the real deal.
We need to remember that this story was posted in November 2014. After over two and a half years, there isn’t a single verified example for the media to parade around. E-cigarettes have continued to gain popularity, so there are more potential targets than ever for a hacker. And the idea itself has been out on the internet, just waiting to be used, all this time. Either it really has happened but somehow nobody has heard anything about it (despite millions of vapers around the world), or the hackers just don’t really think it’s that good an idea.
Despite all this, we’re now seeing misleadingly-bold headlines like “Hackers Use E-Cigarettes To Transmit Malware” cropping up day by day.
How Much Code Can You Fit On a Mod?
One big problem acknowledged by the news stories is that there isn’t actually much storage space to work with on an e-cigarette. Ross Bevington, who gave the talk that spawned the recent stories, commented that:
This puts limitations on how elaborate a real attack could be made. The WannaCry malware for instance was 4-5MB, hundreds of times larger than the space on an e-cigarette.
Although he does stress that the e-cig could be set up to download a larger file that could do more harm to your computer.
John Hawes, the security expert the Ashtray Blog spoke to when the original story emerged, had similar reservations about how much you could really do with an e-cig or a charger:
From a technical point of view it’s not entirely impossible. Someone could feasibly (just about) doctor an adaptor (or battery in the case of those which just have a micro-USB socket on them) and pre-load it with malware, but given the size of most of them it would be quite a task, and the returns would be minimal.
The bottom line is that mods aren’t the best choice if you’re looking for a USB device to transmit a virus to somebody’s computer. If only there were other USB devices which could be exploited in the same way…
Malware Threats Don’t Just Come from Your Mod
Of course there are tons of USB devices that can be used in the same way, including ordinary USB thumb drives and your cell phone. Even digital picture frames have been involved in malware infections.
This all raises the question: why all the focus on e-cigarettes? Proof of concepts with USB thumb drives have gone a lot further than the e-cigarette example did, too. For example, one masquerades as an ordinary storage device, but actually emulates a keyboard and has a hidden drive containing a simple Linux operating system. If you restart your computer with this plugged in, it goes into your BIOS, boots up the operating system and infects your computer with a boot virus from there. Try doing all that with a modified iStick.
Most USB Charging Cables Are Immune From the Issue
Most of the time, any attempt to use a mod to transmit malware would be stopped by the charging cable itself. USB connections only have one pin each for power and ground, and two for data. In most cases there are only wires connected for the power and ground. Without the data wires, the cable simply can’t be used to transmit any information that could lead to your computer getting malware. When the Ashtray Blog cut open USB charging cables used for e-cigarettes, none of them had data cables even connected.
Of course this isn’t the case for every e-cigarette charger. In fact, if your mod has updatable firmware, there will be a data connection that could be exploited in the USB cable. However, this still would require somebody to actually modify the device you’re using. Again, the plausibility of this as an approach is questionable at best.
Would the Factory Infect Your Device?
If you were intent on spreading malware through a mod, rather than using a less expensive and labor-intensive method that would probably result in a bigger payoff, the best way to do it would be to hardcode the malware in at the factory.
This is completely possible, of course, but the question is why? The factory will either be owned by an e-cigarette company or will sell to them, and those products eventually go out to customers. Imagine the uproar if a new batch of mods from one specific company gave everybody who plugged it in a virus. Vapers would be furious and the company would undoubtedly lose custom for either being purposefully malicious or for being careless enough to let it happen. If the problem was traced back to the factory, then people there would stand to lose a lot more than they’d be likely to gain by infecting e-cigarettes.
I’m sure there are less reputable manufacturers out there who might not worry too much about upsetting their customers, but it’s obvious that any respectable company simply wouldn’t risk losing customers by shipping out virus-infected mods, especially with so little guarantee it would work.
Would a Friend Infect Your Computer?
So if the issue probably wouldn’t come from the factory that made the mod, it would be down to individuals like FourOctets to put the malicious code onto the e-cigarette manually. Again, this could definitely happen, and the new stories prove this.
But yet again it seems unlikely to work in reality. You probably wouldn’t have access to someone else’s mod for long enough to set something like this up. So it would realistically have to be your own device, which you then ask to charge using somebody else’s computer.
Maybe I’m unusual here, but the only people who would even ask to use the USB port on my computer are people I know pretty well. Perhaps if you were having a party and a friend of a friend or a gatecrasher asked to use the USB port on your computer, it would be possible, but the situation seems pretty unlikely.
If you’re like most people and don’t just let random strangers plug things into your computer’s USB port, there aren’t many ways this could even come up. And almost all of them involve you having some seriously bad friends.
Why Would Anybody Try to Spread Malware Through Mods?
By far the biggest issue is why anybody would try to spread a virus in such an inefficient way. When you could easily reach millions of potential victims by email, would you really spend all the time getting a trimmed-down version of a virus into a mod and hoping everything works out as you planned? And if you really wanted to use a USB device – for whatever reason – why would you choose an e-cigarette rather than something more widely-used and fit for the purpose?
The Very Simple Solution to Malware Infected Mods
If you needed any more reason to be unconcerned about this whole story, it’s actually incredibly easy to avoid malware infections from your mod. All you have to do is charge your mod using a wall socket instead of your computer. Then even if there was a virus coded into your mod (which there almost certainly isn’t) it would accomplish nothing whatsoever. If someone you don’t know asks to charge something over USB, give them a USB wall adapter to use instead of your laptop.
The “E-Cigarettes Give You Malware” Myth Needs to Die
So putting all of this together, it’s clear that there is next to no risk of your e-cigarette being used to infect your computer with malware. It’s taken almost three years to go from unverified online anecdote to some less-than-impressive proofs of concept, and in all of this time there have been no reports at all of anything like this actually happening. And even if it was an issue, avoiding the risk entirely is laughably simple.
The idea that your mod will give you malware might get a lot of traction in the news, but it’s not much of a surprise we’re yet to see verified examples of this happening in the real world.