We need the hard evidence...
If the hard evidence is not forthcoming then this is surely just another example of Vapo-ware...
E-cigarettes have been fingered as the source of a new computer virus. "IT guy" Jrockilla told the Talesfromtechsupport forum that he suspects the malware was "hard coded" into the USB charger of his boss's electronic toker. In his post, he says: The executive’s system was patched up to date, had anti-virus and up-to-date …
Everyone is making funnies but just remember there have been a rash of "ZOMFG ecigs burn babies!" style FUD articles in the past few months but when anybody asks for the actual data to back up the claim? Crickets.
Cigarettes are a billion dollar business folks, not only for big tobacco but for big mommy government in the form of taxes, ecigs cut both out of the loop so be sure to ask for the data and follow the money.
If you don't believe me feel free to look up the article by the Japanese researcher being pushed by the media just yesterday, he claimed ecigs have ten times the carcinogens of regular cigarettes, oh noes! When multiple groups asked what should have been simple questions like what brands were tested, whether he was talking premade cig carts or juice, what the power levels used were, what was used to measure the samples? Crickets.
...for big mommy government in the form of taxes, ecigs cut both out of the loop...
Just because they aren't taxed the same as tobacco products now is no reason to think that they cannot or will not be in the near future. Sam with electric cars and the gas tax (in the US). The electric version will be taxed, it's just a question of how much.
It's a dongle that plugs into any USB port between the port & the device you want to plug in. The dongle connects ONLY the power leads from port to device, thus removing any data transfer capabilities. No data transfer means no infection means you can laugh in the face of that particular infection vector.
I have a battery "power-pack" I picked up at Lidl in the summer. Built-in solar cell, as will as a mini-USB input for charging, What is maybe relevant for this is that the output is a standard 2-contact power connection with an adaptor to standard micro-USB. It could still send a virus to a computer that was charging it, but anything you use it to charge would be safe.
It is possible to make your own "safe" lead, but I am not so confident with a soldering iron these days. The no-data leads are sometimes labelled as "fast charge".
This is entirely possible in essence but also most unlikely. Energizer also had a back door trojan issue in regards to one of their USB chargers a few years back but as long as you are somewhat vigilant with your security (as everyone should be) then it won't do much to you, if at all. The moral of the story though is that if you buy anything remotely iffy then nerver connect it to something that can 'dial' out. Use a plug socket if you are in doubt.
It was not the actual charger that was the issue on this one, it was the software that ran it. I have one here in my box of "what the fsk was all that about" devices. Currently most of the stuff is lying under a raft of crappy failed Seagate drives along with some new ones that I will not use.
Personally I do not believe that a ciggy charger can do any such thing particularily when he has anti virus protection.
Perhaps a nice foil hat would be the best apparel for the guy stating this has happened..
Oooh his anti virus was up to date so it must have been the fags. Yeah right.
Why would an e-fag have anything other than power pins in the usb connection? I detect a lot of smoke, and probably a few mirrors. All designed to get the IT dept off the hook for whatever damage this breach has caused.
More likely the guy caught a virus that was not detected by their corporate av, etc. These things aren't a magic bullet.
>Why would an e-fag have anything other than power pins in the usb connection
Simply because they can or because one of the existing superpowers/badguys/Russian hackers will do anything to introduce Regin/Stuxnet or equivalants into any/all machines....
Or maybe even Marlboro, Lucky Strike etc did it on order to present subliminal messages to the luser that cigarettes are good for you and ecigarettes are bad..
"So if the sysadmin in question was soooo efficient at client side security how come the USB wasn't disabled to unknown devices or charging disabled in the BIOS??" You missed the bit about this being an executive's machine. Securing the systems for average lusers is easy and the worst you have to deal with is a bit of grumbling ("But I need my iTunes at work!"), but senior management have a daft habit of assuming the rules shouldn't be applied to them. Several years ago, when we glued plugs in the desktops of the average lusers, the execs (who ordered the measures) were amazed at the idea it should be applied to their desktops too.
USB devices are supposed to negotiate the current they draw using the data lines before they draw it, but old phone chargers and things like USB fans don't do that, they just send/draw 500mA.
Using negotiation with data lines hopefully manages to make a modern phone or tablet avoid drawing more than the charger sends or a USB port's fuse on a computer.
"Hopefully" because the voltages on the data lines for higher currents aren't very standardised yet. If you were to use, say, a Samsung 2A charger for an iPhone or iPad then it might have a funny turn or it might just charge slowly at 500mA (I've not tested it).
"USB devices are supposed to negotiate the current they draw"
You're right, but there are "strings" attached to that requirement. Power draw, especially from USB2, can be highly non-standard.
I've seen USB host designs that don't negotiate current, it's suppilied raw from the local 5v rail. (yep!)
I have a new-ish USB hub that of its 7 ports, has 2 ports that do NOT negotiate current - they pump out up to an amp each without discussion.
iThings are a little different - they're especially non-standard. To make sure the power supply can actually supply what the phone/tablet can ask for, there is a backward compatible kludge with resistive voltage dividers that the device monitors, and senses if it is indeed an Apple-qualified charger, and with what current capability. This way, the device can know what the charger can pump out, and do it cheaply so you don't need USB 'smarts'.
Next step up is USB 3, where it can negotiate higher voltages to get more power to the device. In this case, smarts are always used, because accidently pumping 15v+ into a device designed for 5v is obviously catastrophic.
This post has been deleted by its author
Maybe it was a freebie or a gift from a supplier/ vendor/ lobbyist or similar that was carrying a less than friendly payload?
In my shop we ask staff to turn over all their freebies for security checking, since asking them to reject all such shiny gifts in the first place is considered too much to expect.
The E-cig charger moniker on this story is new but otherwise this is just the already known "subverted USB device" attack vector.
"Oh, you went to charge this £30 landfill Android tablet and you found an Autorun virus on the flash storage? Shocking!"
En principe, PC USB ports are not for charging! Get a mains-to-USB adapter pls :)
Any of the zillions USB devices circulating out there could exploit that same flaw.
There is not a single known case of an infected personal vaporizer.
Yet some idiots manage to point their fingers specifically at PVs and the story gets miraculously repeated all over the press.
Similar to a couple of months back when the "e-cig batteries can blow up when charging" story hit the news wires. Yes it is true insomuch that if you recharge ANY battery using a charger of the wrong voltage/amperage it's likely to pop.
The more cynical might even suggest that this story has been planted by those who are loosing money hand over fist to the vap-sellers.... But of course the tobacco companies and/or government would never do anything underhand like that.
Mage, I don't know the state of the vaping market in your country, but here we have two kinds of devices: the widely used, rather efficient "eGo" devices and derivatives, which have no relationship whatsoever with tobacco companies, and the crappy "cigalikes" which are indeed produced by tobacco companies but nobody uses them since they are, well, crap (and they taste awful, in addition). Hence the FUD: if we can't have the market, let's try and kill it.
As to "addictive nicotine", you might want to check actual science on that matter rather than relying on hearsay: consumed in isolation from the chemical cocktail that tobacco combustion (ie. cigarettes) produces, and specifically Monoamine Oxydase Inhibitors (a class of antidepressants created during sugar combustion), nicotine is about as addictive as caffeine which is a far cry from the addictive power of tobacco cigarettes.
Quite a lot of the main stream vaporisers and cartomisers are brands produced by the major tobacco firms anyway. At no point were they going to let the nicotine market out of their grasp. If they aren't selling it directly in their own product then they are probably supplying the tobacco leaves by the bundle to other companies for their vap liquids, either way they will adapt quickly to the new market which by the looks of it is heading for a boom.
Unless you also blame Sandisk when a bug comes out on Flash? this is the fault of the USB consortium designing USB to automatically trust whatever the device tells it, this makes it trivial to put malware on pretty much anything USB.
The solution? Point him to one of the several box mods that use a simple USB cord that just hooks to the battery, problem solved.