FUD: E-Cig chargers said to be delivering malware

There was a headline in The Guardian on Friday, related to two topics that interest me personally: malware and vaping.

What’s the headline?

"Health Warning: Now e-cigarettes can give you malware"

The story is sensationalist, promoting FUD to a growing segment of the population already inundated by false claims and facts, so it needs to be debunked.

The Guardian’s story is sourced entirely from a post from Reddit, where a user discussing IT support said their boss’ computer was infected with malware after plugging an E-Cig charger into it. The post is here, but the story is copied below.

“I have a story I wanted to share about a data security breach at a large corporation. One particular executive had a malware infection on his computer from which the source could not be determined. The executive’s system was patched up to date, had antivirus and up to date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection but to no avail. Finally after all traditional means of infection were covered; IT started looking into other possibilities. They finally asked the Executive, “Have there been any changes in your life recently”?

“The executive answer “Well yes, I quit smoking two weeks ago and switched to e-cigarettes”. And that was the answer they were looking for, the made in china e-cigarette had malware hard coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system…”

For the record, the user who posted the tale said, “it was just a story,” when asked for details such as the type of charger or the IP address the malware was using.

In the vaporizer market, (a personal vaporizer – or PV – is the proper name for the devices normally called e-cigs by the public), there are plenty of styles and models to chose from – each with their own charging method.

Some take rechargeable batteries; others have a built-in battery that you charge by plugging into an outlet with a USB to wall adapter. Some of those same USB to wall adapters also offer the ability to charge the vaporizer via the USB port on the PC, as was the case in the Redditor’s story.

Those who vape will immediately picture a generic eGo charger (supporting a 510 connection), as the alleged source of the malware problem. But again, there is nothing to suggest this story is true.

Yet, thanks to horrific supply chain problems, and the fact that knock-offs are common in the market (thanks China!), the scenario outlined on Reddit isn’t impossible.

There have been instances where malware has made it to the consumer market because of an issue on the manufacturer’s side. One that comes to mind is Samsung’s delivery of the Sality Worm with picture frames in 2008. That issue impacted several Amazon customers globally.

The BadUSB attack would also work in this instance, if someone wanted to target generic eGo chargers, but the odds of that happening are slim. In short, there isn’t any reason to panic, especially if the vaping public uses some caution.

If you’re worried about your vaporizer installing malware, then don’t connect it to your computer. Depending on the device you have, PC charging isn’t recommended anyway as it could hurt the system. However, there are devices made for PC usage, such as pass-through systems, which allow you to vape while the battery charges.

The story from Reddit isn’t a malware issue. It’s a supply chain issue. While there is no proof the infection story is true – if it’s a concern – the best bet is sticking to known sources. Avoid knockoffs when it comes to batteries and chargers, it’s safer and worth the extra cost.

One example of a legitimate eGo charger would be the one produced by Joyetech, a known vendor with a solid reputation in the vaporizer market. KangerTech is also a reputable vendor, so their chargers would be safe too. If need be, you can use USB Condoms, but the better bet is to stick to wall charging.

The chargers to avoid are the ones that come from gas stations, flea markets, eBay, or knockoff markets like FastTech.

I can’t stress this enough. Despite what The Guardian is trying to tell you: This is not a health issue and there is no proof that the eGo charger was the source of the alleged malware.

If you vape, and you’re worried about attacks like this, research your supply chain. Get a charger from a known source, as you would all of your equipment. Ask your local vape shop where they get their chargers, but unless it is from the manufacture directly, you’re better off spending the extra few bucks and getting them yourself.