E-cigarette smokers, consider yourselves warned: that vape pen you love to puff on could expose your computer to malware.
According to a report from Sky News, security researcher Ross Bevington recently demonstrated how to hack a PC with a vape pen during a presentation at BSides London. Bevington showed how a modified e-cigarette, once plugged into a computer to be charged via USB, could attack the machine by interfering with its network traffic or masquerading as a keyboard.
His technique required the victim’s machine to be unlocked, though other vape-based attacks will even work on locked machines, the researcher told Sky News.
Bevington isn’t the only security researcher warning people about this attack vector. A security engineer and malware researcher who goes by the alias Fouroctets recently posted on Twitter a 22-second proof-of-concept video showing a modified vape pen executing arbitrary code on a Windows-based laptop.
In the video, the researcher plugs the vape pen into the machine, and within seconds, a message pops up on the screen that reads “DO U EVEN VAPE BRO!!!!!”
“Sorry if I get vape pens banned at your work place,” Fouroctets tweeted.
Speaking with Sky News, the researcher said he simply added a hardware chip to the vape pen that allowed it to communicate with the laptop as if it were a keyboard or mouse. The researcher said an attacker would be able to use this method to download and run a malicious file on a victim’s PC with fewer than 20 lines of code, according to the report.
Bevington said users should ensure that their machines are up to date with the latest security patches before plugging a vape pen in to charge. He also recommended businesses invest in a monitoring solution that will flag this type of attack. We’d also advise you to only buy your vape pens from reputable sources.