People are still plugging in USB sticks scattered around parking lots, a study has confirmed.
The researchers from the University of Illinois decided to test what they call the “anecdotal belief” that people pick these things up and plug them in, so they dropped 297 drives on the school’s campus last year.
Sure enough, they found that if there had been real malware on these drives, it would have succeeded in infecting the users who plugged them in. The success rate fell between 45% and 98%, as they describe in a paper titled “Users Really Do Plug in USB Drives They Find”.
They also found that a USB drive infection would take root very quickly: the first drive phoned home to the researchers less than 6 minutes after it was placed.
Multiple security researchers have already determined that people do this, of course.
One of the more recent experiments was done by CompTIA, which littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.
The nearly one out of five users who plugged in the drives in CompTIA’s study proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.
The numbers get even worse in the University of Illinois study: at least 48% of the booby-trapped drives were picked up and plugged into a device before somebody then opened files stored on the drive.
While slightly less than half of the drives were plugged in, nearly all of them – 98% – were moved from their original drop location.
The researchers don’t actually know if the 155 drives that were moved but didn’t have their files opened were plugged in or not. Somebody might have picked up a drive, plugged it in and refrained from opening a file, or they might not have connected it at all.
That big “don’t know” shadow is why they pegged the attack’s success rate at between 45% and 98%.
The university students and staff who connected the drives weren’t rated as being particularly risk-prone, with the exception of recreational risk (because college students, one assumes?) and, well, the tendency to plug in mysterious flash drives.
Still, the majority of them – 68% – took no precautions with the sticks.
The researchers know this because they presented their subjects with a short survey after they opened files on the drives. The subjects who at least tried to protect themselves took these steps, though the researchers said they did so ineffectually:
- 16% scanned the drive with their anti-virus software.
- 8% believed that their operating system security features would protect them, e.g., “I trust my MacBook to be a good defense against viruses”.
- 8% sacrificed a personal computer or used university resources to protect their personal equipment.
In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.
Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up a rigged drive can spread infection not only to their own devices, but also to their company’s systems in these days of bring your own device (BYOD).
Drives that aren’t placed by security researchers or miscreants trying to plant malware also carry the risk of compromised data, of course, particularly given that flash drives are rarely encrypted.
Sophos found as much when studying those 50 USB keys: not one of the batch was encrypted. Nor were their files password-protected.
How do you keep your data safe and your systems uninfected when dealing with these matchbox-sized threat vectors? Here are a few tips:
- Encrypt personal and business data before you store it on a USB key so it can’t be accessed if you drop the drive.
- Use security software, and keep it up to date. An infection rate of 66% means there are a lot of malware-spreaders out there.