To explain this, security researcher Ross Bevington gave a presentation at BSides London showing how an e-cigarette could be used to attack a computer, either by interfering with its network traffic or by deceiving the computer into believing that it was a keyboard.

For those unfamiliar, e-cigarettes, also known as electronic cigarettes and vaporizer cigarettes, are battery-powered smoking devices that are designed to look and feel like regular cigarettes. They use cartridges filled with a liquid that contains nicotine, flavourings, and other chemicals. A heating device in the e-cigarette converts the liquid into a vapour, which the person inhales.

Many e-cigarettes can be charged over USB, either with a special cable or by plugging the cigarette itself directly into a USB port on a computer. Security researchers warn that, with just a few simple tweaks to the vaporizer, your computer could be compromised by the simple act of charging a vape pen.

Mr Bevington’s demonstration required the victim’s machine to be unlocked, although that is not a requirement for all attacks. “PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.

Another hacker and security expert, who goes by the name FourOctets on Twitter, published a proof-of-concept video demonstrating his work, in which he plugs an e-cigarette into a computer’s USB port. The e-cigarette lights up as it normally does when it starts charging. However, after a few seconds, a message pops up on the computer screen. The message read ‘DO U EVEN VAPE BRO!!!!’. After a little bit of tweaking, the vaping device was able to issue a command to the computer.
Speaking to Sky News, FourOctets said he had tweaked the vape pen by simply adding a hardware chip, which allowed the device to communicate with the laptop as if it were a keyboard or mouse. A pre-written script saved on the vape then made Windows open the Notepad application to display the message. In other words, once the vaporizer was connected, it started issuing arbitrary commands to the unlocked computer, which executed them without question.

However, the script could have been modified to do something much more malicious. With fewer than 20 lines of code, FourOctets showed Sky News how the computer could be made to download an arbitrary and potentially unsafe file and run it.

While e-cigarettes could be used to deliver malicious payloads to machines, there is typically very little space available on them to host this code. “This puts limitations on how elaborate a real attack could be made,” said Mr Bevington. “The WannaCry malware for instance was 4-5 MB, hundreds of times larger than the space on an e-cigarette. That being said, using something like an e-cigarette to download something larger from the Internet would be possible.”

The best possible way to handle these kinds of attacks is to make sure that your machine has updated its security patches, said Mr Bevington, and to “have a good password and lock your machine when you leave it”. “If you run a business you should invest in some kind of monitoring solution that can alert your security team when something like this attack occurs,” he said. “In all cases, be wary if someone wants to plug something into your machine.”

Source: Sky News
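One way a monitoring tool could alert on the keyboard-emulation behaviour described above, as an added example that is not from Sky News or the researchers: it flags a newly attached keyboard that starts typing at scripted speed. The event tuples, device ids and thresholds are assumptions; a real collector would supply per-device keystroke timestamps from the operating system.

```python
from statistics import median

# Assumed thresholds (tune per environment): a scripted keyboard emulator types
# far faster and more evenly than a person, and starts soon after it attaches.
WINDOW_S = 10.0          # watch this long after a keyboard attaches
MIN_KEYS = 15            # ignore short bursts such as a single shortcut
MAX_MEDIAN_GAP_S = 0.02  # 20 ms between keys is about 50 keys per second

def flag_injected_typing(events):
    """events: iterable of (timestamp_s, device_id, kind), kind is "attach" or "key".
    Returns one alert dict per newly attached keyboard that types like a script."""
    attach_time = {}  # device_id -> time it enumerated
    keys = {}         # device_id -> key timestamps inside the watch window
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            attach_time[dev] = ts
            keys[dev] = []
        elif kind == "key" and dev in attach_time:
            if ts - attach_time[dev] <= WINDOW_S:
                keys[dev].append(ts)
    alerts = []
    for dev, stamps in keys.items():
        if len(stamps) < MIN_KEYS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= MAX_MEDIAN_GAP_S:
            alerts.append({"device": dev, "keys": len(stamps),
                           "median_gap_s": round(med, 4),
                           "first_key_delay_s": round(stamps[0] - attach_time[dev], 3)})
    return alerts

def sample_events():
    """Constructed sample data; all device ids are hypothetical."""
    # Built-in keyboard, present before monitoring began: human-paced typing.
    human = [(100.0 + i * 0.18, "builtin-kbd", "key") for i in range(30)]
    # New device attaches, then sends 25 keys 5 ms apart two seconds later.
    scripted = [(101.0, "usb-new", "attach")]
    scripted += [(103.0 + i * 0.005, "usb-new", "key") for i in range(25)]
    # New keyboard used by a person: attaches, then types slowly.
    person = [(102.0, "usb-person", "attach")]
    person += [(104.0 + i * 0.2, "usb-person", "key") for i in range(20)]
    return human + scripted + person

if __name__ == "__main__":
    for alert in flag_injected_typing(sample_events()):
        print(alert)
```

A timing heuristic like this only covers fast scripted input; a device that paces its keystrokes needs other controls, such as the locked screen and device caution Mr Bevington describes.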