Yet more evidence that smoking is bad for you: a brand of e-cigarettes manufactured in China has been found to carry malicious software that can be implanted into a computer when the device is plugged into a USB port for recharging.
E-cigarettes are electronic vaporizers that heat a liquid solution into an aerosol mist offering the sensation, nicotine and flavorings of tobacco cigarettes, supposedly without their harmful effects. Because the technology is new, its risks as a nicotine replacement product are as yet largely uncertain. The heating element can be charged through a computer’s USB port, and this is where the malware was released.
The story, detailed on Reddit, points out that an executive at a “large corporation” found his computer had been infected with malware from an undetermined source. An extensive IT scouring showed his computer’s antivirus and anti-malware protection was fully up-to-date, and it was only after he was questioned about recent changes to his lifestyle that mention of the e-cigarettes was made. They had been purchased on eBay for $5.
A report from The Hacker News quotes Trend Micro security consultant Rik Ferguson as saying, “Production line malware has been around for a few years, infecting photo frames, MP3 players and more.” The report goes on to highlight how in 2008, a photo frame produced by Samsung shipped with malware on the product’s install disc.
Although these incidents are reasonably rare, they highlight a permanent reality: hackers are constantly searching for ways to exploit any electronic device to serve malware to a poorly protected network. USB ports are one of those overlooked areas, a simple charging or connection port that for most users has a limited, yet convenient function.
The Hacker News article describes the malware app BadUSB that was recently able to “spread itself by hiding in the firmware meant to control the ways in which USB devices connect to computers.” Rik Ferguson is quoted as suggesting “a very strong case can be made for enterprises disabling USB ports, or at least using device management to allow only authorised devices.”
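The device-management approach Ferguson describes can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the vendor and product IDs, the allowlist and the device records are constructed, and pinning the expected interface classes per device is an assumption about how such a policy might be tightened against altered firmware.

```python
# Added example: USB allowlisting with interface-class pinning.
# All IDs and device records are constructed sample data.

# Standard USB interface class codes referenced by the policy.
USB_CLASS = {0x03: "HID", 0x08: "mass-storage", 0x02: "CDC-comm", 0x0A: "CDC-data"}

# Hypothetical allowlist: (vendor id, product id) -> interface classes that
# the approved model is expected to expose.
ALLOWLIST = {
    (0x1234, 0x0001): {0x08},  # approved flash drive: storage only
    (0x1234, 0x0002): {0x03},  # approved keyboard: HID only
}

def evaluate(device, allowlist=ALLOWLIST):
    """Return (verdict, reason) for one enumerated USB device."""
    key = (device["vid"], device["pid"])
    seen = set(device["interface_classes"])
    if key not in allowlist:
        return ("block", "device %04x:%04x is not on the allowlist" % key)
    # VID/PID are reported by the device itself, so also require that it
    # exposes nothing beyond what the approved model should.
    extra = seen - allowlist[key]
    if extra:
        names = ", ".join(sorted(USB_CLASS.get(c, hex(c)) for c in extra))
        return ("block", "allowlisted device exposes unexpected interface(s): " + names)
    return ("allow", "matches allowlist entry")

def audit(devices, allowlist=ALLOWLIST):
    """Map each device label to its verdict."""
    return {d["label"]: evaluate(d, allowlist)[0] for d in devices}

# Constructed inventory: an approved drive, an unknown charging accessory
# that enumerates as storage, and an approved drive that now also presents
# a keyboard interface.
SAMPLE_DEVICES = [
    {"label": "approved flash drive", "vid": 0x1234, "pid": 0x0001,
     "interface_classes": [0x08]},
    {"label": "unknown charging accessory", "vid": 0xABCD, "pid": 0x0042,
     "interface_classes": [0x08]},
    {"label": "flash drive, extra interface", "vid": 0x1234, "pid": 0x0001,
     "interface_classes": [0x08, 0x03]},
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        verdict, reason = evaluate(d)
        print("%-30s %-5s %s" % (d["label"], verdict, reason))
```
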
By Steve Prentice