SoylentNews is people

posted by Fnord666 on Sunday June 18, @11:43AM
from the another-USB-exploit dept.

While the most common methods used for hacking are DDoS attack, ransomware, phishing, virus, Trojan, keylogger, ClickJacking attacks, etc., hackers are now looking to modify e-cigarettes into tools to hack into computers:

To explain this, security researcher Ross Bevington showcased a presentation at BSides London that revealed how an e-cigarette could be used to attack a computer either by interfering with its network traffic or by deceiving the computer to make it believe that it was a keyboard.

[...] Many e-cigarettes can be charged over USB, either with a special cable or by plugging the cigarette itself directly into a USB port on a computer. Security researchers warn that your computer could actually be compromised by the simple act of charging a vape pen with just a few simple tweaks to the vaporizer.

[...] While e-cigarettes could be used to provide malicious payloads to machines, there is typically very little space available on them to host this code.

"This puts limitations on how elaborate a real attack could be made," said Mr Bevington.

"The WannaCry malware for instance was 4-5 MB, hundreds of times larger than the space on an e-cigarette. That being said, using something like an e-cigarette to download something larger from the Internet would be possible."

Previously: E-Cigarettes are Bad for the Health — Of Your Computer
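
A defensive check for the two behaviours described in the talk (a charging device presenting itself as a keyboard or as a network adapter), as an added example that is not part of the original story or of Mr Bevington's presentation: it classifies each attached device by its USB interface class codes and reports any capability that is not on an allowlist. The device records, vendor/product IDs and the allowlist are constructed sample data.

```python
# Added example: flag USB devices whose interfaces can type or carry traffic.
# On Linux the same fields are exposed in sysfs (idVendor, idProduct,
# bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).

def capabilities(interfaces):
    """Map (class, subclass, protocol) triples to coarse capabilities."""
    caps = set()
    for cls, sub, proto in interfaces:
        if cls == 0x03:                      # HID
            # Boot-subclass keyboards are identifiable from the descriptor;
            # other HID devices need their report descriptor to be sure.
            caps.add("keyboard" if (sub, proto) == (0x01, 0x01) else "hid")
        elif cls in (0x02, 0x0A, 0xE0):      # CDC, CDC-Data, wireless controller
            caps.add("network")
        elif cls == 0x08:                    # mass storage
            caps.add("storage")
    return caps

def review(devices, allowlist):
    """Return (port, vid:pid, unexpected capabilities) for each suspect device."""
    findings = []
    for dev in devices:
        key = (dev["vid"], dev["pid"])
        # The allowlist is per capability: vendor/product IDs are chosen by the
        # device, so a matching ID alone must not excuse extra interfaces.
        unexpected = capabilities(dev["interfaces"]) - allowlist.get(key, set())
        if unexpected:
            findings.append((dev["port"], "%04x:%04x" % key, sorted(unexpected)))
    return findings

# Constructed sample data (IDs are placeholders, not real products).
ALLOWLIST = {(0x1111, 0x0001): {"keyboard"}}
SAMPLE_DEVICES = [
    # The desk keyboard, as expected.
    {"port": "1-1", "vid": 0x1111, "pid": 0x0001, "interfaces": [(0x03, 0x01, 0x01)]},
    # A "charger" that enumerates as keyboard plus CDC Ethernet.
    {"port": "1-2", "vid": 0x2222, "pid": 0x0002,
     "interfaces": [(0x03, 0x01, 0x01), (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]},
    # Claims the keyboard's IDs but also exposes mass storage.
    {"port": "1-3", "vid": 0x1111, "pid": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]},
    # A charge-only device exposing no data interfaces.
    {"port": "1-4", "vid": 0x3333, "pid": 0x0003, "interfaces": []},
]

if __name__ == "__main__":
    for port, ident, caps in review(SAMPLE_DEVICES, ALLOWLIST):
        print(f"port {port}: {ident} exposes unexpected {', '.join(caps)}")
```
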



Related Stories

E-Cigarettes are Bad for the Health — Of Your Computer 82 comments

The Guardian features a story about e-cigarettes carrying some malware, infecting computers used to charge them. Though not entirely surprising when you actually think about it, personally I'd not have expected non-computerized devices which just happen to have a micro-USB charger socket to pose a threat to IT security.

From the article:

“The made in China e-cigarette had malware hardcoded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system.”

Later the article mentions low-level attacks that might be used to reprogram USB chips on devices, letting them act as USB keyboards issuing commands on behalf of the logged-in user, etc.

  • (Score: 1, Informative) by Anonymous Coward on Sunday June 18, @12:02PM (4 children)

    by Anonymous Coward on Sunday June 18, @12:02PM (#527431)

    Don't know if some luxury e-cigarette or i-tte has an embedded controller other than the dumb charger, with zero storage.

    But if you are going through the trouble of modifying them, adding extra hardware to talk to USB, then up to 32 MBs of TBGA packaged flash storage, good for 8 WanaCries, is straightforward with available COTS.

    Adding GBs of storage I guess just needs some handiwork decapping an SD card.

    • (Score: 2) by Runaway1956 on Sunday June 18, @12:57PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Sunday June 18, @12:57PM (#527438) Journal

      If I have access to a computer which will read a USB, I'll just reach into my pocket, and pull out one of my 64 gig drives. My favorite course of action is to reboot the computer to my own drive. If the BIOS is locked, and I can't convince the computer that it should boot to USB, then I still have dozens of other options.

      So, these hackers have found a solution to a problem, but we need to define what that problem is, exactly. "How do we smuggle hacking tools into an environment where they might be banned?" Now that we have a problem defined, we might find other solutions. I'll bet I can design an earring to hide a USB. Or, a belt buckle. No one wears cuff links any more, but that wouldn't be difficult at all. A button on a jacket. Or, a button or zipper pull on one of those ubiquitous backpacks - EVERYONE has a backpack, don't they? Oh yeah - tactical pens, capable of killing an attacker if you know how to use it. Just remove the human-lethal component of the pen, and install computer-lethal USB.

      And, I think my solutions are more elegant than carrying a vape thing around with you, which attracts at least as much attention as a pack of cigarettes.

      --
      This broadcast is intended for mature audiences.
      • (Score: 2, Informative) by Anonymous Coward on Sunday June 18, @01:06PM

        by Anonymous Coward on Sunday June 18, @01:06PM (#527441)

        The problem could be: "How to hack a computer on a secure network without physical access." So in this case, the vape wouldn't be your own, but belong to someone who does have access.

    • (Score: 1) by Pax on Sunday June 18, @02:19PM

      by Pax (5056) on Sunday June 18, @02:19PM (#527461)

      Don't know if some luxury e-cigarette or i-tte has an embedded controller other than the dumb charger, with zero storage.

      Some of the mods are far more complex than the basic e-cigs you mention. You can flash the firmware on them over USB, so modding that might well do the trick.

    • (Score: 2) by LoRdTAW on Sunday June 18, @02:54PM

      by LoRdTAW (3755) Subscriber Badge on Sunday June 18, @02:54PM (#527473)

      I knew an IT guy who was big into vaping. His battery thing had a small graphic LCD and a few buttons which besides allowing him to control the current and all that, also played simple games like Tetris. This was a few years ago too. Not too hard to modify that into a device that can attack a computer.

  • (Score: 0, Funny) by Anonymous Coward on Sunday June 18, @01:12PM

    by Anonymous Coward on Sunday June 18, @01:12PM (#527443)

    I wanna hax da plan3t with mah molded cow vagina fleshlight!

  • (Score: 3, Insightful) by maxwell demon on Sunday June 18, @02:05PM

    by maxwell demon (1608) Subscriber Badge on Sunday June 18, @02:05PM (#527456) Journal

    The WannaCry malware for instance was 4-5 MB

    Seems even the malware writers produce serious bloatware these days.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Sunday June 18, @03:21PM (2 children)

    by Anonymous Coward on Sunday June 18, @03:21PM (#527484)
    I think it's slightly psychologically easier to convince someone to let you charge your phone from their PC than to stick your vape stuff to it. Unless it's one of those exploding Samsungs...

    More people would be sympathetic to your phone addiction than your vape addiction. Plus if you're a non-smoker you might not want to fake a vape addiction.

    FWIW I've used my phone to store patches to bypass USB storage restrictions - had to patch some software but the company security policy blocked USB drives on USB ports, optical drives and blocked zip files.

    A nation state is likely able to modify the phone itself to hack stuff, but in many cases you could probably cheat and mod a phone case instead of the phone ;).

    As such I don't really see the advantages of using e-cigs in most cases. Phones offer so much more flexibility, power and connectivity (mobile data); far more options.

    Maybe a place that forces you to leave your phone at the door would allow you to bring in your vape charger (but after this they might not ;) )... But if they don't you may have to use those tiny usb stuff and hope nobody notices.
    • (Score: 2) by Arik on Sunday June 18, @08:57PM (1 child)

      by Arik (4543) on Sunday June 18, @08:57PM (#527585)
      Really doesn't matter whether it's a phone or a flash drive or an e-cig. All these attacks are the same.

      They should be defeated at the software level, but of course for anyone who has to deal with Windows... yeah. It's going to continue doing the most bone-headedly stupid thing it can possibly do (even if you dig into settings and explicitly override, there's a good chance you'll be ignored.)

      But there IS a simple and robust solution to the problem that will work even if you are stuck using a defective OS.

      http://www.instructables.com/id/USB-Condom/

      --
      Friends dont let friend enable ecmascript.
      • (Score: 0) by Anonymous Coward on Monday June 19, @06:40AM

        by Anonymous Coward on Monday June 19, @06:40AM (#527775)

        Tell that to this bunch:

        While e-cigarettes could be used to provide malicious payloads to machines, there is typically very little space available on them to host this code.

        "This puts limitations on how elaborate a real attack could be made," said Mr Bevington.

  • (Score: 1, Insightful) by Anonymous Coward on Sunday June 18, @06:31PM

    by Anonymous Coward on Sunday June 18, @06:31PM (#527552)

    Could have malware embedded. Photo frames, cables, even the not so secret NSA USB device that's so small you can't see it and the port is still useable.
