Section 1. Introduction
An increasing number of household devices are becoming electronically interconnected. In addition to smartphones, tablets, fridges, smart TVs and other IoT devices, items for personal use, such as cigarettes, are also becoming technologically smarter. The trend of e-smoking started in the early 2000s when the first patent for an e-cigarette was filed. Statistics demonstrate that, at present, about 3,7% of all American adults use e-cigarettes regularly and 12,6% have tried them. In Europe, almost 1/3 (31,3%) of current smokers have tried e-cigarettes.
Such an alternative way of smoking, also referred to as vaping or puffing, prompts lively discussion not only in the field of healthcare but also in other domains, information security being one of them. Much has been discussed about the physical dangers and health risks of e-cigarettes. Healthcare specialists warn that nicotine, formaldehyde, and diacetyl contained in e-cigarettes may damage the lungs and heart and lead to cancer and other severe diseases. Charging or being plugged into an electric source makes e-cigarettes susceptible to malfunction, explosion, and catching fire. The U.S. Fire Administration (FEMA) reported that, in 2014, about 80% of explosions of e-cigarettes occurred during charging, especially while using an alternative charger and not an original charger sold with the device. On the other hand, e-cigarettes are also reported to have a positive effect on smoking cessation. For example, in the EU, an estimated 6-9 million smokers have successfully quit this habit with the help of vaping.
In the ongoing debate, not so much is known about the information security dangers associated with this alternative way of smoking. Our article aims to contribute to the state of the art by explaining the way smart e-cigarettes work (Section 2), indicating the information security risks of smart e-cigarettes (Section 3) and providing advice on how vapers can contribute to their security and privacy (Section 4). At the end of the article, a conclusion is drawn (Section 5).
Section 2. How do smart e-cigarettes work?
Smart cigarettes constitute a more advanced form of traditional e-cigarettes. They function according to the basic principles employed by e-cigarettes. E-cigarettes, also referred to as personal vaporizers, are battery-powered electronic devices that deliver nicotine and produce a heated vapor resembling cigarette smoke. E-cigarettes are used as an alternative to regular cigarettes because they satisfy a person’s need for nicotine but do not supply tar and other toxic compounds that can be found in regular cigarettes. Also, due to the current trend and a variety of attractive flavors (in 2014, in the US, 7764 unique flavors were available for sale), vaping became a popular activity among people who have not been smokers before.
Usually, an e-cigarette resembles a cigarette or a pen. Most brands produce two main types of e-cigarettes, namely, cartridge-style e-cigarettes and refillable tank style e-cigarettes. Both types consist of three main elements: a battery, a cartridge or a tank storing liquid nicotine, and an atomizer. Both types of e-cigarettes work in a similar way – the liquid that is contained in the cartridge is heated by the heating element until it becomes a vapor that should be inhaled by the user. The liquid (also called a solution or juice) contains nicotine (there are also nicotine-free versions of e-cigarettes), flavorings, propylene glycol and vegetable glycerin. To charge an e-cigarette, the user has to connect the battery-charged heating element to a power source. Contemporary e-cigarettes usually come with a USB cable allowing them to be connected to a computer or any other device for charging.
Smart e-cigarettes constitute the most advanced form of e-cigarettes. Unlike regular e-cigarettes, smart e-cigarettes are capable of enhancing users’ experience. Smart e-cigarettes are intuitive, connected, and give their users full control over the vapor consumption. Moreover, smart e-cigarettes employ some level of artificial intelligence that provides: (1) hit control (e.g., allows changing the concentration of nicotine, ensures an optimal throat-hit at every puff, and provides nicotine intake accuracy); (2) an opportunity to mix flavors; and (3) an automatic reduction of nicotine delivery on the basis of the user’s vaping patterns. Sellers of smart e-cigarettes claim that the more the user vapes, the smarter his/her e-cigarette gets.
The algorithms used in smart e-cigarettes and accompanying application software allow analyzing users’ needs, tracking their consumption, setting personal goals, and managing nicotine levels throughout the day. Thus, vapers have the most personalized experience that can be easily documented and adjusted through an application.
Section 3. Security risks of smart e-cigarettes
Most USB-powered small-scale devices, including e-cigarettes, have fairly simple hardware and software. However, because they can be connected to a computer or other machine, that connection may initiate communication between the e-cigarette and the connected device and trigger the transmission, download or exchange of stored data.
E-cigarettes typically use two types of charging sockets. The first type is a simple adaptor containing a screw thread at one end and a USB connector at the other end. The battery of an e-cigarette is connected to the screw thread. This type of e-cigarette is less susceptible to security flaws. An attack targeting this type of device could theoretically be planned with the purpose of affecting the particular machine that is connected to the e-cigarette. However, since the modification of a charging adaptor requires extensive physical redesign and the inclusion of a data carrying kit, such an attack may result in infecting only a very small number of connected machines.
The more sophisticated e-cigarettes, including smart e-cigarettes, can be connected to a device by using a micro USB socket. Such e-cigarettes have more complex software and hardware design and often use LED screens and touchscreens for displaying setting options and allowing users to adjust the device according to their needs. Moreover, this type of smart e-cigarettes is interconnected via a wireless network with the application on user’s smartphone. Consequently, such smart e-cigarettes are more susceptible to security threats, as they contain a higher degree of data processing and connectivity.
We distinguish three groups of security issues that can be associated with the use of smart e-cigarettes, namely, issues related to (A) monitoring users’ behavioral patterns; (B) infection with malware; and (C) communication between devices.
A. Security and privacy issues related to monitoring users’ behavioral patterns
Monitoring users’ behavior is one of the most efficient tools for building a person’s profile. Monitoring tools are used by producers of Internet-connected devices to enhance users’ experience and profile their customers. Also, such consumer data packages are an important asset in the global data trade conducted by data dealers for marketing purposes.
Smart e-cigarettes may contribute significantly to customer profiling, as they can be used for monitoring consumers’ daily usage patterns, including frequency of smoking and product-related characteristics, such as nicotine intake. Also, due to the integrated tracking technology, smart e-cigarettes may easily be used for tracking users of e-cigarettes and collecting their topographical data. Smart e-cigarettes collect smoking data that can be geo-tagged. Thus, over time, it is possible to get information not only about the user’s smoking patterns but also about the locations most visited by the vaper.
Some producers offer products (e.g., smart cigarette cases) aiming at discouraging smokers from the habit and identifying any possible triggers. Such devices have a functionality to warn a user if the daily allotment of cigarettes is reached or exceeded, as well as if the user reaches the location where he/she smokes most. The design of smart e-cigarettes and related products allows systems to communicate with users by means of notifications, reminders, motivational content, and a visual breakdown of smoking habits.
Although the recipients of users’ data and communication packages are usually commercially oriented healthcare institutions, vendors, and social networks, such vapers’ data may also be used for non-commercial purposes, including research on public health.
It is important to note that, at present, there is little scientific research conducted with regard to software, microprocessors, and sensors incorporated in e-cigarettes and smart e-cigarettes. It is also not known to what extent users of smart e-cigarettes are protected from the collection of their health and topographical data and how such data are communicated to third parties. In addition, due to the lack of such research, the vulnerabilities of software deployed in smart e-cigarettes have not been examined.
B. Issues related to infection with malware
Mass-produced hardware devices, including external hard drives, electronic photo frames, and e-cigarettes, are susceptible to hardware-level malware. Malware infiltrated into such devices may weaken systems’ security defenses, modify firmware, delete content from the internal storage, and initiate other types of attacks. Malware may also be spread to other gadgets. Such malware can be installed during the production process, spread by third parties, or transmitted through infected devices. Moreover, in combination with other interconnected devices, smart e-cigarettes may participate in schemes of cross-contamination, i.e., the transfer of malware from home networks to enterprises. USB devices are especially well known for being susceptible to IoT security vulnerabilities. For example, in 2014, media reported about an executive of a large corporation who detected malware in his e-cigarette produced in China. The e-cigarette appeared to be hard-coded with malware that “phoned home and infected the computer after it was plugged into the USB port.” Such malware can be used for tracking the user’s keystrokes, stealing files, and turning on the camera of the connected device. Also, malware may cause physical dangers to users of smart e-cigarettes. For example, it may heat up the heating element to a temperature that is dangerous to the user or initiate an explosion.
C. Issues related to communication between the devices
Smart e-cigarettes connected with devices through USB or micro USB ports, as well as a wireless network, may “speak” with the connected machines depending on the level of complexity of their software design. This issue may become more relevant as the connectability and complexity of smart e-cigarettes have been increasing with recent developments in the state of the art. Through software, the connected device may be instructed to open and transfer certain files, turn on gadgets and cameras, and perform other activities.
Section 4. How to avoid security risks?
Although it is not possible to avoid faulty devices, it is important to follow simple but effective rules regarding the use of smart e-cigarettes. Such measures may assist in mitigating the three groups of security risks of smart e-cigarettes indicated in Section 3 of this article.
- Choose reliable and reputable producers of smart e-cigarettes that can provide a proof of security certification for their products.
- Disable the interconnectivity of your smart e-cigarettes, turn off tracking and data collection features, and uninstall the accompanying applications if you do not plan to use the functionalities offered by such features.
- Charge your smart e-cigarette only by using the original power adapter contained in the set. Try to avoid alternative chargers. Charge in a power socket instead of using a personal device for this purpose.
- Avoid connecting your smart e-cigarette to a computer, tablet or other device having a USB socket or a wireless network.
- Use protective safety devices for your USB port, the so-called USB condoms. They prevent accidental data exchange (e.g., juice jacking) by activating the power pins only and cutting off the data pins in the USB cable.
- Enable device control. In bigger networks, it is important to consider using device control technology governing file exchange, under which users are allowed to charge their devices but cannot upload or download any data.
- Pay attention to physical security measures. Prioritize a smart e-cigarette whose battery can be removed from the atomizer while charging. The models of e-cigarettes that contain a battery attached to the atomizer may have more physical risks. Do not overcharge the battery and handle it with care.
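The USB-condom and device-control advice above can be checked on a Linux host: a charge-only connection never enumerates, so any vaporizer that shows up in the USB device tree has live data pins. The Python sketch below is an added example, not part of the original article; the sample devices, the `ffff` vendor ID and the function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

# USB-IF base class codes that let a gadget act on the host or carry files.
RISKY = {"02": "communications (CDC)", "03": "HID (keyboard/mouse)",
         "08": "mass storage", "0a": "CDC data", "e0": "wireless controller"}
HUB = "09"

# Constructed sample, not captured from a real product: a root hub, a vaporizer
# that enumerates as keyboard + storage, and one with a vendor-specific interface.
SAMPLE = {
    "usb1": {"idVendor": "1d6b", "idProduct": "0002", "bDeviceClass": "09"},
    "1-1": {"idVendor": "ffff", "idProduct": "0001", "bDeviceClass": "00",
            "product": "Vaporizer A (constructed)"},
    "1-1:1.0": {"bInterfaceClass": "03"},
    "1-1:1.1": {"bInterfaceClass": "08"},
    "1-2": {"idVendor": "ffff", "idProduct": "0002", "bDeviceClass": "00",
            "product": "Vaporizer B (constructed)"},
    "1-2:1.0": {"bInterfaceClass": "ff"},
}

def read_attr(path):
    """Read one sysfs attribute; a missing attribute reads as an empty string."""
    try:
        return path.read_text().strip()
    except OSError:
        return ""

def audit(root="/sys/bus/usb/devices"):
    """List every enumerated non-hub device with the risky classes it exposes."""
    root, findings = Path(root), []
    for dev in sorted(root.iterdir()):
        if ":" in dev.name or read_attr(dev / "bDeviceClass") in ("", HUB):
            continue  # interface nodes are read through their parent device
        classes = {read_attr(i / "bInterfaceClass").lower()
                   for i in root.glob(dev.name + ":*")}
        usb_id = read_attr(dev / "idVendor") + ":" + read_attr(dev / "idProduct")
        findings.append((dev.name, usb_id, read_attr(dev / "product"),
                         sorted(RISKY[c] for c in classes if c in RISKY)))
    return findings

def demo():
    """Build SAMPLE in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for node, attrs in SAMPLE.items():
            (Path(tmp) / node).mkdir()
            for name, value in attrs.items():
                (Path(tmp) / node / name).write_text(value + "\n")
        return audit(tmp)
```

Calling `audit()` with no argument reads the live `/sys/bus/usb/devices` tree; a device listed with an empty class list has still enumerated, which means the cable or adapter in use is carrying data.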
Section 5. Conclusion
Despite their basic design, e-cigarettes (especially smart e-cigarettes) raise a number of information security concerns. Smart e-cigarettes allow customizing vaping experience according to the needs of a consumer. They also employ the features allowing tracking their users and observing their behavioral patterns, communicating with users, and transmitting data through wireless networks.
Our article focused on three groups of potential security risks of smart e-cigarettes, namely, (1) monitoring users’ behavior, (2) malware injections, and (3) communication with interconnected devices. Due to a lack of scientific research in the field of information security with regard to smart e-cigarettes and standardized testing regimes, it is not yet clear to what extent e-cigarettes and smart e-cigarettes can be used safely as an alternative to smoking without endangering vapers and their gadgets.
We strongly advise vapers to take reasonable information security measures to avoid security and privacy issues. Such measures may include managing data collection parameters, charging smart e-cigarettes in a safe manner by using a power socket, avoiding connection of a smart e-cigarette to a laptop or any other devices via USB sockets and wireless networks, and choosing only reliable certified suppliers of smart e-cigarettes.
- ‘Electronic Cigarette Fires and Explosions’, U.S. Fire Administration, October 2014. Available at https://www.usfa.fema.gov/downloads/pdf/publications/electronic_cigarettes.pdf.
- Hern, A., ‘Health warning: Now e-cigarettes can give you malware’, The Guardian, 21 November 2014. Available at https://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers.
- Schoenborn, C., et al., ‘Electronic Cigarette Use Among Adults: United States, 2014’, NCHS Data Brief Nr. 217, October 2015. Available at https://www.cdc.gov/nchs/data/databriefs/db217.pdf.
- ‘Should vapers fear malware-laced e-cigarettes?’, Naked Security, 28 November 2014. Available at https://nakedsecurity.sophos.com/2014/11/28/should-vapers-fear-malware-laced-e-cigarettes.
- ‘The First Smart E-cigarette Enovap’. Available at https://www.enovap.com/en.
- Zhu, S.-H., et al., ‘Four hundred and sixty brands of e-cigarettes and counting: implications for product regulation’, Tobacco Control. Available at http://tobaccocontrol.bmj.com/content/23/suppl_3/iii3.short.
“Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.”