Last week a Reddit user posted a story about a malware infection being traced to an e-cigarette charger. The story was picked up by The Guardian, and spread from there to other mainstream media; it later got some coverage in the technical press too.
Most mentioned that the source was a Reddit “report”, although “anecdote” might be a better term, and some even managed to highlight the “sensationalist” nature of the story and its reliance on a rather vague and unreliable source.
The original Reddit post, on the “TalesFromTechSupport” subreddit, reads like a typical urban legend and was later described by the original poster, in a response to a request for specifics, as “just a story”. There’s no detail of what the malware was, what it did, or the make or model of device involved, no evidence at all really.
So a humorous and very likely apocryphal online comment has spun itself up into a major news item, riding on the heels of two hot topics characterised mainly by a lack of general public understanding – computer security, and the safety or otherwise of electronic smoking devices.
It’s tempting to respond by simply ignoring the whole nonsense and carrying on as normal. But maybe there is something to learn here.
Our world is becoming increasingly electronic, with an ever-larger proportion of the things we make use of requiring power.
From the ubiquitous smartphones and tablets to more esoteric items like vaping machines and keyboard-cleaning vacuums, and even the battery packs many of us carry around to minimise the risk of running out of juice at the wrong moment, lots and lots of things need plugging in at some time to recharge.
Much of that plugging in has been simplified by USB, meaning we can charge our stuff up anywhere we see a friendly socket. One of the most common places to see such a socket is of course on a PC or laptop, and so they become an ideal place to power up our tools and devices.
Of course there’s mostly no harm in that at all; many USB-charged devices are fairly basic, have only the power-related parts of the USB form connected, and can’t cause any damage to our computers whatsoever.
Many others, including our phones and any other devices which can store data, will be able to communicate in some way with the machines we plug them into, but can generally be trusted, mainly because we know and look after the devices themselves and the software running on them.
To stick with the example of e-cigarettes, they fall into two main camps. In one kind the “charger” is just a simple adaptor, with a USB connector at one end and a screw-thread at the other which connects to the business end of the e-cigarette battery.
In the other the “battery” connects via a standard micro-USB socket on the device itself, so it can be used while charging. This type tends to be rather more sophisticated, with adjustable power outputs and even LED displays showing settings – for which of course there must be some sort of processing going on inside.
With the first kind there’s very little danger – the charging adaptor would have to be carefully modified to include some data-carrying kit, which could potentially just about fit inside, the connectors would need tweaking so not only the power ones were enabled, and the data on it would have to be set up to somehow attack any machine it is connected to.
Not completely impossible, but rather a lot of effort for anyone to go to on the off-chance that they may end up infecting a PC or two.
The second kind may be slightly more risky – it wouldn’t be much of a surprise to see one designed to speak to your PC, perhaps so it can double as data-storage like traditional thumb drives, or perhaps to record and monitor usage history, in much the same way that exercise bangles log your activity and upload it to your computer.
If that were the case, it wouldn’t be too far a jump to imagine a batch getting infected, either maliciously or accidentally at the factory, via an infected machine used for installing or testing. Again, pretty unlikely, but theoretically possible. And of course, from there they’d have to find a way to jump to your computer without you making it happen, which might require some highly expensive zero-day exploit.
So if it’s all so unlikely, should we forget about it and carry on using our computers as universal power supplies?
Even with the decline in risk from old-school autorun malware, mainly thanks to less slack defaults in modern operating systems, there are still instances of malware finding its way onto mass-produced hardware, with the likes of photo frames, external hard drives and satnavs now replaced by smartphones.
There are also always new vulnerabilities to exploit, which can let people do unwanted things on your machine no matter how careful you are with patches, updates and malware protection.
So perhaps it’s wiser, wherever possible, to connect your devices instead to a real power socket which will charge faster anyway (just make sure you also trust your adaptor, or at least get a power-only cable or adaptor just to be sure).
In business settings, it’s always best to prevent people from sticking unknown things into machines on the company network, and you may want to enforce this by blanking off USB sockets on the outside of the machine, or just disconnecting them on the inside, if they’re not really needed for business purposes.
One unconvincing example doesn’t mean a potential problem can be safely ignored.