Experiment Finds Half Of ‘Lost’ USB Sticks Will Be Plugged In

Security researcher Elie Bursztein has revealed the details of a social experiment involving the humble USB stick at this year’s Black Hate USA security conference.

Bursztein and researchers from the University of Illinois Urbana-Champaign, University of Michigan and Google dropped 297 USB drives with phone-home capabilities on the University of Illinois Urbana-Champaign campus.

Social Experiment

And it seems that people finding these “lost” USB sticks were more than happy to plug them into their computers, despite the obvious security risk.

“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” Bursztein was reported as saying.

The researchers found that 48 percent of drives were picked up and plugged into a computer with the user clicking on files. The documents had names such as “final exam” or “spring break pictures.”

As this was an experiment, there was no nasty payload associated with these documents, but rather when a user double-clicked on the document, he or she was connected to an email survey. 68 percent of respondents said they clicked on the file so they could help return the USB to its rightful owner.

Another 18 percent admitted they were curious about the document contents.

It is not uncommon nowadays to come across misplaced USB sticks.

Indeed, earlier this year security firm ESET found that dry cleaning shops were a haven for forgotten devices. It discovered over 22,000 USB sticks were left in the pockets of clothing sent to Britain’s dry cleaners during 2015.

Rach dry cleaner it survey found four USB sticks each on average, alongside other valuable items such as mobile phones.

Booby-trapped USB

Bursztein meanwhile took the opportunity to demonstrate to Black Hat attendees the dangers of plugging in a randomly found USB stick, after he created a malicious USB drive that contained a nasty surprise.

Instead of being a storage device, his USB stick hosted a HID (human interface device) to give attackers almost instant control of the victims’ PC or Mac, so long as it was connected to the Internet.

Bursztein cast a new USB housing using silicon molds and model resins, and inserted a USB connector and a small development board (Teensy 3.2) at a cost of just $40 (£30). This rogue USB stick contained a payload that was made up of a reverse TCP shell that connected back to a server chosen by the attacker.

He even built-in capabilities to avoid AV and firewall defences, and his creation worked on both Windows PCs and Apple Macs. He is still developing the malicious USB stick, and is seeking to add a GSM/Wi-Fi module and storage capabilities in future prototypes.

The dangers of rogue USB sticks are well documented. Last year a Russian security researcher called ‘Park Purple’ created a USB stick that could literally kill a computer.

Rather than use sophisticated malware to destroy its target, the stick instead sent a 220 volt charge through the signal lines of the USB interface, effectively killing the computer within seconds.

Are you a security pro? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

5 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

8 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

9 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

10 hours ago