Public Awareness on How Vape is used as a Tool for Hacking

Nowadays e-cigarettes and vaping devices are more popular than tobacco cigarettes among the youngsters. Most of the youngsters falsely believe that vaping is safer than tobacco and it is trendier. This research paper is reviewing on how vape is used as a tool for hacking. Based on research, vaping is not only give bad impact to the health but it is also can be used as a medium in transferring malware and to breach the computer system security. A few tweaks and modification of the vape device could make the attacker to transfer the malware to the computer system. Literature review being done on several electronic smoking devices such as e-cigarettes, vaping and JUUL. Statistic on vape users and vape hackers are being done. On top of that questionnaire being prepared and distributed to the public to analyse on public awareness on vape hacking. The method of vape hacking and protection from vaping hackers are also being discuss in this paper. Since vape is using USB to charge the device hence security measures focus more on USB security on how to protect the computer system from the vaping hackers. Several methods can be applied such as disable USB drives and mass storage devices using registry, keep security patches updated, create strong password, control the USB port through device manager or by using a free tool USB drive Disabler/Enabler. There are many others security protection can be implemented but this paper only focuses on several methods as discussed.


Introduction
E-cigarettes became a trend in the early 2000s. The number of vapers has been increasing rapidly from about seven million in 2011 to 41 million in 2018. Statistic showed that the number of adults who vape around the world is estimated to reach 55 million by 2021, Euromonitor reported [9]. There are several countries that banned or restricted vaping as shows in Figure 1. This data is based on the news published by the Sun last year April 2019.Most of these countries banned vaping as it gives bad impact to the health. The research done by Li Ping Wong et. al in 2016 revealed that 39 percent of ecigarette smokers are youths in universities while 36 percent are young professionals as published in Journal of Community Health. Most of the reason given for using e-cigarette and vape is to quit the smoking of tobacco. Another research done by Sharifa Ezat Wan Puteh et. al in 2018 on ""The use of e-cigarettes among university students in Malaysia,"" in the Tobacco Induced Diseases Journal showed that the number of youths who use e-cigarettes as a tool to quit is 14.1%, which is lower than current e-cigarette and vape smokers who have never smoked a cigarette (20.4%). There is also a high ICCPET 2020 Journal of Physics: Conference Series 1712 (2020) 012017 IOP Publishing doi: 10.1088/1742-6596/1712/1/012017 2 percentage of youths who are dual users (smoking both, tobacco products and e-cigarette/vape) at 40.3% as shown in Figure 2 [7].

Figure 1.
Countries that banned or restricted vaping [6] However, harming health is not the only impact of using vape. The other potential danger is using the vape device to launch some malware codes once it is plugged into USB port for charging purpose as what happened in China, 2014 when media reported that malware has been detected in the ecigarette belongs to an executive of a large company. The worst part is to know that the malware has the potential to cause physical harm when it is impeded to a vape device. For instance, the heating element might be heated up to a temperature that is dangerous to the user who is not aware of that, or even initiate an explosion [9].
Bring your own device (BYOD) is becoming a new trend nowadays towards IT consumerization. BYOD is a term used to describe which consumer software and hardware are being brought into the work place. However some of the companies do not allow their employees or even the visitors to bring any USB flash drives to the work place or enter the office premises. This is being implemented by IBM Company. The IBM global chief information security officer, Shamla Naidoo announced in 2018 to the IBM staff that they would no longer be able to use USB flash drives or any other portable data storage devices in the workplace. This is an effort done by IBM to minimize "possible financial or reputational damage" if the data was lost or misused [5].  Figure 2. The use of e-cigarettes among university students in Malaysia [7] Not only BYOD is being restricted in the workplace but there are some of the companies that banned the vape in the workplace. Is it due to the bad impact to the health or due to some other reasons? The reasons of why vape is banned in the workplace is because it can be used as a medium to attack the computer system. There are several ways in attacking the computer system by using the vape:  Attack a computer by interfering the network traffic  Fooling the machine into thinking the vape is a keyboard or mouse, according to Sky News.  The device can be loaded with malware  The device can be used to steal data

Literature Review on Electronic Smoking Devices
This section will discuss on three types of smoking devices selected based on the most frequent devices used by the smokers. The data gathered from the respondents of the questionnaires are as plotted in pie chart in figure 3.  figure 3, 46% of the respondents are using Vape followed by 20% e-cigarette and 11% using JUUL as the smoking devices.

E-Cigarette
E-cigarettes are generally designed to be like traditional cigarettes in terms of its physical design. Generally, the main components of the e-cigarettes include an aerosol generator, a flow sensor, a battery and a solution (or e-liquid) storage area as shown in figure 4. E-cigarettes can be classified as either disposable or reusable. The disposable units are not rechargeable hence no rechargeable batteries available and are usually not refillable. Commonly most of the e-cigarettes may have a light-emitting diode (LED) on the end. The LED will lights up when the user inhales, so that it just like simulating flame for the e-cigarette. The cartridge that is also called as e-liquid container commonly being separated from the aerosol or atomizer. However in the case where these atomizer and cartridge are combined, it is called as cartomizer. Normally the e-cigarettes have an aerosol generator with a metal or ceramic heating element coiled around a wick bundle [10].

Vape
Vape, also known as Vaporizers works in much similar ways as the e-cig does. In general, vapes are a bit larger in size than an e-cig and they tend to last longer because of their battery life. Vaporizers offers a variety of devices and vape juices available which attracts users giving them a broad range of  Figure 3 Smoking devices [14].

Figure 5.
The architecture of vape [15] Vapes utilize a rechargeable module combined with interchangeable e-fluid. The rechargeable battery warms a little component that thusly disintegrates the e-fluid in the gadget. Not at al like e-cigs however, most vapes utilize a tank to hold the e-fluid instead of a cartridge. As the tank gets low, or on the off chance that the user would need to change flavors, the user would have to include extra e-fluid of their desired flavor and nicotine solidarity to the tank. The overall components of vape is as shown in figure 5 [14].

JUUL
JUULs" growth of fame has been increasing since its launch in 2015. In terms of appearance, JUUL device looks like the same comparing to a USB flash drive and can even be used for charging in the USB port of a computer as shown in figure 6. JUUL device is different as compared to Vape and E-cigarettes. JUUL looks a lot more like a USB flash drive which makes it doubtful for grown-ups to remember them immediately as smoking devices. Hence, a threat for users to be hacked and that will be explained further below.  Figure 6 shows the components of JUUL. JUUL works quite like Vape. JUUL devices are battery operated and works by warming a case of e-fluid or "juice" that contains nicotine, flavorings and different synthetic substances. At this point, when warmed, the fluid makes an airborne or fume that clients breathe in. JUUL devices contain flavorings and 0.7mL e-fluid with 5% or 3% nicotine by weight. According to JUUL labs, it claims that the 5% JUUL devices contain the equivalent amount of nicotine as a pack of cigarettes [12] [13].

E-Cigarette and Vape Hackers
Hacking is the process of attempting to gain unauthorized access to computer system. The goal of hackers are varies depend on individual aims and objectives. Some hackers hacked the computer system due to financial gain, to test their skills, espionage, for fun, grudge and many other motives. Based on the result and analysis done by Verizon as shown in Figure 7 shows that financial gain is the main motive of the attackers and followed by espionage and other motives [1].

Figure 8.
Threats actor motives over time [1]. Figure 8 shows categories of hacker which are External, Internal and Partner. These categories of hackers may use any method to spread the malware or to steal the data. Commonly they may use any of devices that normal people will not have any suspicious on it. Using pen drive could obviously looks like someone is trying to transfer something from or to the computer system as everybody knows that pen drive is one of the data storage devices. However if somebody brought the vape device in the office most probably people will not suspect anything as vape is not being used to store data. So hackers from external, internal or the organization partner might use this kind of method in transferring malware to the target victim or stealing data from the target machine.

Types of USB Hacking
This section will discuss on some of the previous research in the area of using USB as an attack vector. USB flash drives are one of the common storage devices that are exploitable due to the "BadUSB" vulnerability. Several kind of attack can be done by using BadUSB attack such as [3]:  Redirect the user's DNS queries to an attacker's DNS server.  Configure a Teensy USB microcontroller to install a backdoor and change the DNS settings of an unlocked machine.  Kautilya, the human interface device (HID) tool that has functionality like information gathering and script executions which leads to hacking the victim machine. Nowadays all the hacking activities can be learnt from the youtube and the GitHub. The BadUSB code is available in GitHub, hence those with sufficient knowledge can hack the USB device in a similar way.
Vape or any other electronic smoking devices can be used as a medium in spreading malware or stealing information from the victim computer system. Small modification need to be done to the electronic smoking devices such as vape to add small chip into the device. This small chip functionality is to transform the vape into a digital lock-pick that can lead to access to the system that targeted. This minor modification is actually to fools a computer so that any devices attached to the USB drive, the computer system will detect it as a peripheral device such as keyboard or mouse has been attached to it. Due to this the computer system will drop its guard mechanism. Hence the hacker can use their vape to inject the malicious code to the computer system by plugging into the victim computer. The malicious code may infected all the files or may control the victim machine to download hackers" target file or even steal private information [4]. However, the minor modification to the vape only can allocated limited space to host the malware code, hence vape is used as a source of malicious payloads for the machines. Researchers in cyber security had listed 29 different types of attacks using USB port. Figure 9 shows four categories to classify each of the 29 type based on what the attack is targeting and how it has been built. Figure 10. Types of Attacks using USB Port [11] USB devices are not only used to target software, but as it is shown in the Figure 9, one of the attacks is USB Killer which might cause a permanent damage to the device by making electrical surcharge once the USB is inserting.

USB Attack tools
Moreover, malware coding is not memory consuming, even the attacks that made disaster and cost millions -such as WannaCry-are carried out by very small size not exceeding few megabytes or even kilobytes. This fact is actually makes the threat easily being spread by modifying the electronic smoking device and insert a very small memory that is enough to carry out the malware file.

Analysis on Public Awareness on Vape as a Tool of Hacking
Online questionnaire was prepared and distributed to the random people in Malaysia. The survey gathered responses from 54 sample of smokers in Malaysia.  Figure 10 shows that 52% of respondents start smoking within the age of 19 to 24 years old, 41% within the age of 25 -40 years old and 7% within 12 -18 years old. High percentage of the smokers start smoking within the age of 19 -24 years due to several influence factors such as influenced by family members, friends, following the current trend of modern life style. This can be supported with the survey done and as shown in figure 11.  Figure 11 shows that high percentage (53.7%) of respondents smoking due to influenced by friends and followed by 33.3% due to as a way to release tension. Only low percentage of the smokers smoking due to following the trend or just want to try something new. Surprisingly 0% influenced by the family members. Figure 12 shows several reasons on why certain organization banned smoking devices in workplace. Based on survey conducted 54% of respondents believe that the organization banned the electronic devices in workplace due to the health concern by the employer while 48% said that due to government regulation and 13% due to loss of work time due to smoking activities. However, 28% of respondents thought that it is due to employee discomfort and illness from second-hand smoke that make the organization banned the smoking devices in the premise. Small percentage which is 11% believe that it will reduce the employee moral and only 4% gave other reasons such as never heard of such ban in organizations in Malaysia  figure 13, majority of the respondents were not aware that smoking devices able to transmit the malware to the computer system. This is most probably due to lack of knowledge or the respondents are not in the area of cybersecurity. Based on data gathered and tabulated in figure 14 shows that 44% of respondents are not interested to explore their smoking device, 20% plan to do so but no time, 24% interested to know in detail of the architecture of the smoking device but just explore it through the available website. 11% of respondents were dissemble their electronic device and nobody really did modification to their smoking devices.

Computer System protection from Vape Hackers or USB Attacks
USB port need to be protected to ensure that no data leak to the external drive or to the vape hackers. This section will discuss in detail on how to protect the computer USB port from any unauthorized party that trying to steal the data or distributing the malware through the USB port. One of the ways to protect the files or data from being transferred to the external drive illegally by unauthorized party is to restrict the USB interface on the PC by implementing authentication [8].  Figure 16. System that encrypt file that transmitted through the USB port [8] Besides that, auto encryption can be implemented where any files transmitted to the external drive through the USB port will be auto encrypted. This is to ensure the confidentiality of the data. Only authorized party able to decrypt back the data.
In verification process that done by authentication server, the first process done by the system as shown in figure 15 is to generate a session key. This session is to encrypt the data that going to be transmitted to USB storage so that whatever files that transmitted to USB will be encrypted. After all the transmission are successful, USB access will be restricted until the next verification succeeds. However, to decrypt the files user needs to the verification that have done by having the same session key to pass the verification[8].
Furthermore, there are a numerous of software that able to secure ports with more features to enhance security like add password, change the USB block setting and keep USB port on read only. One of example of these securing ports is a tool that can implement all security features which is Gilisoft USB Lock as shown in figure 16. Gilisoft is a software that easily can be used to protect ports from the vape hacker. The features of Gilisoft is able to block USB ports and SD discs, password protection that able to prevent any