Good Samaritans and Bad USB Drives

Don't trust tramps found on the street; use protection or risk infection

It’s a common scenario. You happen to find a USB in a computer lab or a parking lot, and with the intent to return it to its owner, you plug it in. You open it in your file browser of choice and start opening files, hoping to figure out who would be careless enough to leave it behind. What many such people fail to consider is the risk that an unknown USB device brings.

In a recent study at the University of Illinois, researchers dropped 297 USB drives around the school’s Urbana campus. They found that if malware had been installed on these drives, all those who plugged them in would have been infected. The drives contained files which phoned home when opened, and the first abandoned drive phoned home less than 6 minutes after being dropped. In the end, the researchers knew that 48% of the drives were plugged in and had their files opened.

Users who plugged in the sticks were presented with a short survey, which found that 68% of the users took no precautions when accessing the drives. 16% scanned the drive with anti-virus software, 8% believed their operating system features would protect them, and 8% sacrificed a personal computer or university resource to protect their own equipment. (How considerate.)

These are scary statistics. Abandoned USB drives are an increasingly common attack vector for hackers, especially in otherwise difficult-to-access areas. After all, any USB drive in a government parking lot has to have something interesting on it, right?

There are a few potential solutions to this problem, but I believe it starts with user education. Although returning a USB drive may be the right thing to do, it is rarely the best thing to do.

Anything from malware to illegal material can be on an abandoned drive, and whoever plugs it in may suffer the consequences of causing a data breach or possessing illicit material. These days every organization needs to have clear policies outlined for the use of USB devices. It is increasingly common for USB drives to be prohibited entirely in government and health care offices.

If a policy is not in place, I hope that users don’t go opening files at random hoping to find full contact details and promises of a reward. Instead, they should place a suspect thumb drive in a lost-and-found or, even better, bring it to their IT department. Their IT department should have ways of dealing with an unknown USB device, such as write-blockers (like these USB condoms) or sandbox programs. Or maybe they’ll “get right on it” and send it to the recycle bin.

For anyone who would like to read the full paper, it can be found here.