Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers.
With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to – even if it seems just like they are charging.
Giving a presentation at BSides London, Ross Bevington showed how an e-cigarette could be used to attack a computer by fooling the computer to believe it was a keyboard or by tampering with its network traffic.
While Mr Bevington’s particular form of attack required the victim’s machine to be unlocked, that was not the case for all attacks.
“PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.
Another hacker and researcher known as Fouroctets published a proof-of-concept video which showed arbitrary commands being entered into his unlocked laptop just after plugging in a vape pen to charge.
Speaking to Sky News, Fouroctets said he had modified the vape pen by simply adding a hardware chip which allowed the device to communicate with the laptop as if it were a keyboard or mouse.
A pre-written script that was saved on the vape made Windows open up the Notepad application and typed “Do you even vape bro!!!!”
The script could have been modified to do something much more malicious, however.
Fouroctets showed Sky News how, using less than 20 lines of code, the computer could be made to download an arbitrary and potentially dangerous file and run it.
While e-cigarettes could be used to deliver malicious payloads to machines, there is usually very little space available on them to host this code.
“This puts limitations on how elaborate a real attack could be made,” said Mr Bevington.
“The WannaCry malware for instance was 4-5MB, hundreds of times larger than the space on an e-cigarette. That being said, using something like an e-cigarette to download something larger from the Internet would be possible.”
The best way to protect against these kind of attacks is to ensure that your machine has updated its security patches, said Mr Bevington, and to “have a good password and lock your machine when you leave it”.
“If you run a business you should invest in some kind of monitoring solution that can alerted your security team when something like this attack occurs,” he said.
“In all cases, be wary if someone wants to plug something into your machine.”