E-cigs and malware: real threat or Yellow Peril 2.0?

I’d have to go with ‘probably a bit of both’.

The idea that every mom 'n pop mystery OEM slinging cut price e-cig chargers is directly taking orders from PRC HQ seems like some combination of paranoia and projection.

On the other hand, the entities that are too cheap to be malicious are exactly the ones whose production lines will still be held together by worm-farm XP machines that are probably all kinds of infected by ambient malware, some of which will happily copy itself onto any mass storage device connected to it for testing, firmware flashing, etc.

A number of the incidents with flash drives and photo frames have been of this flavor: they definitely did contain malware; but inspection suggested that it was one of the numerous wild types that will copy themselves to USB storage if given the chance, with no special Chinese characteristics, suggesting deeply dodgy manufacturing standards but more incompetence than malice.

3 Likes

You may run into some complications because of the frequency with which the USB HID class is used for non keyboard and mouse devices; but it shouldn’t be too difficult.

On a Win7 x64 system, chosen because it was available, kbdhid.sys and mouhid.sys drivers appear to be the keyboard and mouse specific USB HID drivers. (kbdclass.sys and mouclass.sys also get loaded; but both USB and PS/2 devices use them). Deleting, renaming, or setting deny ACLs on those should toast USB mice and keyboards (so long as the system isn’t set to automatically go to Windows Update to install new drivers).

Applying the same treatment to hidusb.sys might also be helpful; but is also more likely to wreak havoc with unrelated devices.

1 Like

A decent way to block access to files is deleting the files and replacing them with directories of the same name. It cannot be deleted or overwritten like a regular file (different syscalls are required) and usual update systems won’t be likely to cope.

This is an old way used to immunize systems from worms that used known, constant file names.
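An added demonstration of the file-to-directory immunization trick described above (not code from the original post). It uses a constructed file name in a temporary directory and shows that, once a same-named directory is in place, a plain `open(path, "wb")` and a plain unlink both fail, which is the behaviour the trick relies on:

```python
import os
import tempfile


def immunize(path):
    """Replace the file at `path` (if any) with an empty directory of the same name."""
    if os.path.isfile(path):
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    return os.path.isdir(path)


def try_overwrite(path, data=b"constructed payload"):
    """Mimic a naive dropper that opens a fixed file name for writing.
    Returns True if the write succeeded, False if the OS refused it."""
    try:
        with open(path, "wb") as f:
            f.write(data)
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def try_unlink(path):
    """Mimic the file-removal syscall a dropper would use before replacing a file."""
    try:
        os.remove(path)  # fails on a directory; rmdir would be needed instead
        return True
    except OSError:
        return False


def demo():
    """Run the before/after comparison in a scratch directory.
    Returns (writable_before, writable_after, unlinkable_after, is_dir_after)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "autorun.inf")  # constructed example name
        with open(target, "wb") as f:
            f.write(b"[autorun]\n")
        writable_before = try_overwrite(target)  # regular file: write succeeds
        immunize(target)
        writable_after = try_overwrite(target)   # directory: write refused
        unlinkable_after = try_unlink(target)    # directory: unlink refused
        return writable_before, writable_after, unlinkable_after, os.path.isdir(target)


if __name__ == "__main__":
    print(demo())
```

The same trick does nothing against code that checks for and removes a directory first, which is why the post frames it as a defence against worms using constant, known file names.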

The USB data lines are connected precisely so they can run malware, of course.

(Though as shaddack points out, they’re also used for the signalling that says the device can accept more than the vanilla amount of power. Otherwise, there’d be no reason for a device like this to have any active USB components at all, just the LiPo charging circuitry if it’s a lithium battery, or maybe a diode for NiMH or NiCd.)

Hello,

Smoke particles can damage hard disk drives. Here’s a discussion I participated in six years ago on the subject that explains the ways in which this occurs:

help.lockergnome.com/general/Smoke-damage--ftopict47943.html

Hope that explains things.

1 Like

Fairly good writeup. I’d have a few nitpicks (nitpicks only).

The pressure inside does not strictly have to be equalized with the outside. It is to allow the top cover of the disk to be thin and flexible, so it would not bulge in or out with air pressure changes. Otherwise it could be quite well hermetically sealed. Some disks are planned (maybe even being sold now?) to be filled with helium instead of air, to lower the air viscosity related losses.

The altitude limits for electronics use are related partly to this, partly to cooling, and, in high voltage using systems, partly to air dielectric strength.

The conductivity and corrosivity of the smoke depends strongly on the nature of the burning materials. PVC makes hydrogen chloride that converts to hydrochloric acid with water, and that is a rather nasty thing for electronics reliability. Organic acids are less bad, and “mere” polycyclic hydrocarbons are rather inert, and can even act as corrosion inhibitors; see the attempts to recycle cigarette butts in that way.

To stop the disk from spinning would require damaging the bearing. That one is quite tough, especially in comparison with the head clearance (which is where you are right that the most likely problems will occur if the smoke gets into the enclosure).

However, for the smoke to get in it would have to diffuse through a maze of inlets, with lots of surfaces to deposit on before it reaches the disk’s tiny hole with the filter, and then the filter itself. Tall order for a disk mounted in a closed machine, though still possible, depending on the smoke density and character. If the outside pressure grows, though, or the inside pressure falls (cooling of a heated unit), sucking the contaminants in actively is probable.

How would the smoke particles behave in the vicinity of the spinning disk platter (they would settle onto stationary surface but what about when it spins)? Would they be by chance ejected against the side of the enclosure (and stick on it) before they can adhere to the disk? Some disks I took apart had a piece of filter-like material in a position that would suggest it is acting as a catcher for such particles.

1 Like

It’s strange that despite how supposedly widespread it is, people always talk abstractly about possibilities and capabilities, and no one has ever undertaken the very simple exercise of pulling a mass market usb device off some shelves, plugging it into a sandboxed computer, and showing that malware has now been installed on it.

If what these people say is true, we don’t need high-ups in secretive intel services to tell us this. Anyone can demonstrate it happening. Given what we know of the plethora of methods for getting nasty stuff onto user computers, and the effectiveness of such methods, it seems deeply unlikely to me that something this blatant and traceable would be employed in practice.

2 Likes

There’s also the problem that it doesn’t necessarily have to be on every example of a specific type of USB device.

Depending on the distribution of the devices, you might need to have pretty specific circumstances to get a conjunction of 1) a rigged device, 2) a researcher who knows enough to deeply investigate the device, and 3) something that makes that researcher curious enough to deeply investigate that device.

It reminds me of the anomalous microSD cards that the Chumby manufacturing had to deal with. If those cards had been silently rigged in some way rather than having an identifiable issue, they would simply have ended up being randomly distributed. You wouldn’t have been able to prove it by just buying a random Chumby; if you’re that far down in the chain you’d need a researcher interested in gathering a large enough statistical sample, depending on how many of them had the fakes.

1 Like

You don’t have to prove that every device is infected. You just need to present enough examples to show that sufficiently many are, to present (a) a sizable risk to the average consumer and (b) a plausible channel for an attack (especially a state attacker like people are positing here) to use.

As far as I can see, no one has presented any examples. Which is laughable if we are being told to believe that the Chinese government is doing this in the hopes that people in positions of privileged access will install and get infected.

2 Likes

Yes… If every device were infected, that would be extremely easy to prove (at least, with a pretty high certainty), and I wouldn’t be talking about statistical samples.

What I’m saying is that, if by some chance this actually is something that’s happening (no matter who would be behind it)… it would be far from straightforward to expect researchers to randomly find examples unless the person doing it was being a complete moron and flooding the channels with infected devices, or if the infected devices caused major issues that drew attention to themselves.
