On top of the obvious damage to your lungs, heart, and brain, your “cool” smart vape can also be used to spy on you. Apparently, to such an extent that the US government is calling it a threat to national security.
-
Smart vapes have evolved far beyond simple e-cigarettes, and are now available with OLED screens, Bluetooth connectivity, notifications, and more.
-
US Senate Republicans are warning that Chinese smart vapes pose a national security threat, as these devices may initiate data breaches, install malware, and collect sensitive user data.
-
Cybersecurity researchers have confirmed that vapes can be hacked. They learned that while basic vape models have limited attack potential, devices with Bluetooth or WiFi expand these capabilities.
-
The US government is already cracking down on illegal Chinese vapes, seizing over 2 million illicit vaping products in a 2024 nationwide sweep across seven states.
"These devices have the capacity to initiate data breaches or malware infections and can also access and collect sensitive user data," a group of Senate Republicans recently warned the Trump administration in a letter first obtained by Fox News.
There has been a surge in the use of “smart vapes,” which can not only be used as e-cigarettes but also allow users to play games, access their calls and messages, and even track their fitness achievements.
The group of Republicans said that illicit Chinese e-cigarettes are flooding the US market, and they are worried that these devices might be used as spying devices.
Politicians have already warned the US Treasury Secretary, Scott Bessent, and the US Trade Representative, Jamieson Greer, about the situation. They allege that China’s State Tobacco Monopoly Administration (CSTMA) may be connected to the Chinese Communist Party (CCP), opening the Chinese government a backdoor into the Americans’ data and raising national security concerns.
The US government officials believe that these vapes can be used to connect to smartphones, thus making it possible to start a data breach, infect the device with malware, or collect personal data.
E-cigarette authorization in the US
- The US government has already been working on taking down the supply of Chinese vapes in the country.
- At the beginning of 2020, the Trump administration issued a partial ban on flavored, cartridge-based e-cigarettes, including those that came from China.
- More than 2 million illicit vaping products were taken during a “nationwide sweep,” which took place in seven states, reported the US Justice Department last September.
- The US Food & Drug Administration (FDA) has also issued an updated list of 39 e-cigarettes that can be legally sold in the US. Those include tobacco and menthol flavors for pod-based systems.
Hacking into a smart vape
Health professionals have been talking about the risks smoking poses for years, and now the government is applying rules that would limit the amount of these devices being sold.
While in general, smoking is already a habit that is hard to quit, using a vape that also includes multiple other functions would be even harder to let go of.
The latest smart vapes let users play games, view their calendar, customize their wallpaper, use a flashlight or a stopwatch, and more. Some vapes come with features similar to those found in smartwatches, such as heart rate tracking, step counting, and calorie burn.
The price of a smart vape ranges from $15 to $60. For example, users can get a vape with OLED display and Bluetooth connectivity, which allows them to receive calls and text notifications, with up to 30,000 puffs for $20.
The conversation on this topic is live. Join in the discussion.
It’s already been established that it’s possible to hack a vape, usually not for sinister reasons, but rather out of curiosity and the wish to turn it into something else rather than e-waste.
At least, that was the reason for Will McCardell and the team from Praetorian, an offensive cybersecurity company, who took time to hack a Raz DC25000 vape during Hack Space Con 2025.
In the blog post, the author shared how their interest was piqued by a vape with a screen and a USB-C charging port.
This is when they decided to pull it apart and hack with the tools they had on-site. At the end of their experiment, the team learned that their initial idea of delivering malware through the device wasn’t possible, but it could still be hackable via the USB-C connection.
Nevertheless, different results can be achieved with a vape that includes Bluetooth or WiFi connectivity, McCardell explained to Cybernews.
The idea behind the vape disassembly was to see whether it’s possible to interact with the computer within the device.
“We were especially interested in seeing if that USB port on the vape had the ability to talk to a device that was plugged into it. Normally, it costs additional money to add that capability,” noted the expert.
Yes, your vape can send data to other locations
After taking it apart, the team found that it didn't support any standard language for transferring data from the vape to another machine. This is when they realized that it probably can’t be used to install malware.
The vape that was disassembled through reverse engineering was a simple one, so it didn’t include Bluetooth or WiFi connection.
Nevertheless, the expert noted that “things get a little more interesting” when a vape includes this type of connectivity, as it can then “interact more freely with the world around it,” which is essentially how any other device works.
“It's technically feasible that if you have an app that talks to a Bluetooth, the vape could communicate with the app, and the app, send data to other locations,” explained the expert.
So, when it comes to using vapes as spying devices, the expert notes that “there are better ways to accomplish these goals.” However, this doesn’t eliminate the fact that they can be used for this purpose.
Endless Bluetooth possibilities?
While it can only be speculated whether knowing that a vape could put your other device and data at risk would deter you from buying one, McCardell also gave insight into how Bluetooth connections can be used to spoof users.
At first, the expert explained that most Bluetooth devices, if they're not paired to something, will advertise their presence about a few times a second. This is how they connect with each other by advertising their availability. With that, it also advertises its address, which encodes information about the manufacturer.
“If you store that list, like if you open a Bluetooth, if you purchase a Bluetooth sniffer and open it, you will see all sorts of manufacturers around you, likely mostly Microsoft, Google, Amazon, and Apple,” explained McCardell, giving an insight into what info could be gathered from Bluetooth alone.
He also shared that a few years ago, at a conference, someone found out you could just spoof Apple's Bluetooth commands to pop up the thing that says, “Do you want to connect to XYZ TV?”, or “Do you want to send your credentials to XYZ Apple TV?” If a person agreed to do so, nothing happened.
The reason was that someone was using Bluetooth to spoof.
“Even if it was generally Apple's implementation, I believe it wouldn't have really been at risk. It was just really alarming to be at a hacker conference and suddenly see ‘You want to send your credentials to a TV’? that you can't see,” noted the expert who thinks this could be used as a tactic to cause panic.
Causing disruption is one threat from Bluetooth spoofing, but it also poses significant security risks, allowing attackers to trick users into pairing with the wrong devices. After this, the attackers can then eavesdrop on the user’s audio, download malware, collect metadata, and more."Hacking"
FAQ about smart vape security
Can vaping devices be used to hack computers?
Vaping devices have been shown to pose potential cybersecurity threats. E-cigarettes that charge via USB can be modified with hidden hardware that allows them to interfere with network traffic or deceive computers into believing they are legitimate devices or add-ons, such as a keyboard.
How do vape-based hacking attacks work?
In this case, a vape serves as an intermediate that can transfer malware to a device.
Modified e-cigarettes can contain concealed hardware that exploits USB connectivity. These devices can be programmed to intercept network traffic, deliver malware, or gain unauthorized access by impersonating trusted input devices.
What vulnerabilities do vaping devices pose to network security?
Besides messing with personal devices and users’ data, it can also compromise broader network security, particularly in workplace or institutional settings where USB charging is common.
How to protect your devices from vape-based hacking?
- Buy vape devices only from authorized sources.
- Avoid charging the vape via computer USB ports – use wall adapters or dedicated charging stations instead.
- Avoid plugging unknown or borrowed vaping devices into your computers or network systems.
- Install USB data blockers between your vaping device and your computer's USB port.
FAQ by nexos.ai, reviewed by Cybernews staff.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked