E-cigs and malware: real threat or Yellow Peril 2.0?

After a redditor claimed to have gotten a computer virus from factory-installed malware on an e-cig charger, the Guardian reported out the story and concluded that it's possible.

Ever since word broke of a kind of unstoppable USB malware, many computer users (including me) have been looking askance at the USB devices that we plug into our PCs, and the chargers that we plug our devices into. The USB Condom and charge-only cables help minimize the risk of USB-spread malware, of course, but there are times when you want data-transfer between devices -- for example, yesterday I put a PDF of my speech notes on a thumb-drive and plugged it into a computer at a hotel business-center in order to make a printout. That computer is potentially more germ-ridden than an airplane toilet seat, but there was no other way to get the words from my hard-drive onto paper.

Last summer, I had a memorable conversation with a friend who is very senior in the US intelligence community, who claimed that a huge proportion of USB devices ship with malware loaded on them, and said that the security protocols practiced by the entities he worked in prohibited the use of USB drives except those from a single, US-based, certified vendor.

But both that conversation and the Guardian's article hinge on a view of Chinese manufacturers as untrustworthy, serving as de facto arms of the Chinese surveillance apparatus, a Trojan horse for both military and industrial espionage. Yet as the management of China's Huawei have pointed out, there is no public evidence that this is so -- indeed, if anyone is hacking anyone, it's US spy-agencies hacking Huawei -- and US-made gear, like that from Cisco.

In other words, the governments responsible for a $250,000,000/year program of technological sabotage against the technology that we all rely upon every day are the loudest voices in the chorus warning us against Chinese state-industrial malware. Perhaps it takes one to know one?

Rik Ferguson, a security consultant for Trend Micro, says the story is entirely plausible. “Production line malware has been around for a few years, infecting photo frames, MP3 players and more,” he says. In 2008, for instance, a photo frame produced by Samsung shipped with malware on the product’s install disc.

Even more concerning is a recent proof-of-concept attack called “BadUSB”, which involves reprogramming USB devices at the hardware level. “Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming,” says Berlin-based firm SRLabs, which released the code.

Now e-cigarettes can give you malware [Alex Hern/The Guardian]

(via Dan Hon)

(Image: RF Access Point for eZ430-Chronos, STWN, CC-BY-SA)