Almost half of dropped USB sticks will get plugged in

This time, the researchers hail from the University of Illinois. They decided to test what they call the “anecdotal belief” that people pick these things up and plug them in, so they dropped 297 drives on the school’s Urbana-Champaign campus last year.

Sure enough, they found that if there were real malware on these drives, it would have been successful at infecting those users who plug them in. The success rate fell between 45% and 98%, as they describe in a paper titled “Users Really Do Plug in USB Drives They Find“.

They also found that a USB drive-inflicted infection would take root very quickly: the first drive phoned home to the researchers in less than 6 minutes after it was placed.

Multiple security researchers have already determined that people do this, of course.

One of the more recent experiments was done by CompTIA, which littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.

The nearly one out of five users who plugged in the drives in CompTIA’s study proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

The numbers get even worse in the University of Illinois study: at least 48% of the boobytrapped drives were picked up and plugged into a device before somebody then opened files stored on the drive.

While slightly less than half of the drives were plugged in, nearly all of them – 98% – were moved from their original drop location.

The researchers don’t actually know if the 155 drives that were moved but didn’t have their files opened were plugged in or not. Somebody might have picked up a drive, plugged it in and refrained from opening a file, or they might not have connected it at all.

That big “don’t know” shadow is how they pegged the attack’s success rate at between 45–98%.

The university students and staff who connected the drives weren’t rated as being particularly risk-prone, with the exception of recreational risk (because college students, one assumes?) and, well, the tendency to plug in mysterious flash drives.

Still, the majority of them – 68% – took no precautions with the sticks.

The researchers know this because they presented their subjects with a short survey after they opened files on the drives. The subjects who at least tried to protect themselves took these steps, though the researchers said they did so ineffectually:

• 16% scanned the drive with their anti-virus software.
• 8% believed that their operating system security features would protect them, e.g., “I trust my MacBook to be a good defense against viruses”.
• 8% sacrificed a personal computer or used university resources to protect their personal equipment.

In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.

Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up a rigged drive can spread infection onto not only their own devices, but also onto his or her company’s systems in these days of bring your own device (BYOD).

Those that aren’t placed by security researchers or miscreants trying to plant malware also carry the risk of compromised data, of course – most particularly given that flash drives are rarely encrypted.

Sophos found that in studying those 50 USB keys: not one of the batch was encrypted. Nor were their files password-protected.

How do you keep your data safe and your systems uninfected when dealing with these matchbox-sized threat vectors? Here are a few tips:

1. Encrypt personal and business data before you store it on a USB key so it can’t be accessed if you drop the drive.
2. Use security software, and keep it up to date. An infection rate of 66% means there are a lot of malware-spreaders out there.

Finally, as security expert Bruce Schneier has suggested, let’s stop victim-blaming when it comes to USB finders-keepers-plugger-inners.

After all, people mean well when they plug the keys in, by and large. The researchers found that most people who poked around in the drives’ files were actually trying to find contact information so they could return the keys to their original owners.

And as Schneier says, which is more idiotic: plugging in a potentially malware-laced USB key, or designing them to be this dangerous?

People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the [operating system, (OS)] trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer.

Quit blaming the victim. They’re just trying to get by.

Image of lost USB drive courtesy of Shutterstock.