Vaporizers (AKA E-cigarettes) have been gaining some serious traction and widespread use over the past few years. The sudden surge of popularity isn’t too surprising considering the fact that the health implications of nicotine consumption are vastly more favorable with vaporizers when compared to traditional cigarettes.
Most Vaporizers charge through a propriety connection to USB that looks something like this:
In a recent reddit post, the poster reported that an executive at a large corporation had a data security breach on his system from malware, the source of which could not be determined initially. The machine was patched up to date, had updated anti-virus protection, and Weblogs were evaluated. “Finally after all traditional means of infection were covered; IT started looking into other possibilities…” The made in china USB charger had malware on it that, when plugged into a computer’s USB port, would phone home and infect the system.
Now for those of you scratching your head going – hang on a minute… Windows hasn’t auto-executed anything from USB in YEARS. USB drivers are loaded from the library on the PC and I would know when it was plugged in and I would have to click and run a file in that folder – this whole story sounds fishy… Let me introduce you to BadUSB. Essentially this USB control chip would be reprogrammed to act as a keyboard + mass storage device. Once plugged in, it sends key-commands to open command prompt and then executes files from the storage. It’s not as if this vector of attack is brand new either – at least conceptually. According to @th3j35t3r (the Jester), a well known cyberwarrior in an article titled ‘What would I do if I was Chinese PLA’, USB charger attacks such as this are “theoretical but entirely possible, if not probable”.
My personal suggestion to those concerned is to only charge USB devices through a wall adapter (they charge faster anyway). If you REALLY need to charge through USB then I suggest getting one of these, dubbed “USB Condoms”, which will make sure that only power is drawn and no data is exchanged.
What kind of defenses exist for this type of attack? Basically not much. Malware scanners cannot access the firmware running on USB devices and USB firewalls that block certain devices do not exist yet. Behavioral detection is unlikely since the device’s behavior is just going to appear as though a user has simply plugged in a new device. It’s very unsettling and the threat is there however unlikely we think it is. While I doubt this is widespread or even remotely common, I did make sure to take apart my charger and made sure that there were no data pins and that it was only drawing power through USB.