Have you ever found a USB drive left behind in a restaurant or parking lot, or perhaps a library? Did you pick it up and plug it into your computer in order to find a way to return it? Among the cybersecurity community, there is anecdotal evidence that many people, whether behaving altruistically or due to social engineering, will indeed plug a found USB drive into their computer, exposing themselves (and potentially entire systems) to cyberattack.
But does this kind of attack actually work, or is it merely a myth? To put this attack to the test, researchers from the University of Illinois Urbana-Champaign and the University of Michigan, along with Google anti-abuse & security researcher Elie Bursztein, dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives.
They found that users picked up, plugged in, and clicked on files in 48% of the drives dropped. Furthermore, users did so quickly: the first drive was connected in under six minutes! Head over to Elie's blog, where he summarizes the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses possible mitigations to improve USB security.