See a USB drive, don’t pick it up!

Most of us know by now that if you spot a random USB thumb drive sitting on the ground, you should ignore it, or better yet, put it in the nearest trashcan. This action was an early plot point in the TV series Mr. Robot. I even saw a poster at Check Point’s Tel Aviv headquarters when I visited there in January warning employees to dispose of such drives when found on their campus.

But still, human nature gets the better of us sometimes. A recent academic paper shows just how tempting that drive can be for college students at the Universities of Michigan and Illinois. The study found that out of 300 drives that were sprinkled around the various campuses, at least half were retrieved and inserted into computers. In some cases, the drives were inserted within a few minutes of being left.

These drives contained special code that would “phone home” and alert the researchers that they were found, but they could have contained more dangerous malware. Which is the point of this depressing exercise.

What is interesting about the paper is the lengths the researchers went to in order to understand their targets’ motivations and rationale for picking up the drives in the first place. The people who picked up the drives were asked to complete a survey (and were paid $10 to complete it; after all, these are college students). Two thirds of them said they took no precautions before connecting the drives to their computers.

The study also tested the time of day, location, and branding of the drive itself to see if these factors made the drives more or less likely to be retrieved. For branding, the researchers attached a “confidential” sticker, a return address label or keys to see if that made a difference. Interestingly, the return address label actually reduced insertion rates. The researchers also monitored Facebook and Reddit to see if any students posted warnings about the proliferation of drives around campus. Despite several postings and the fact that word spread on these networks quickly during the experiment, the drives were still retrieved.

This isn’t the first, and certainly won’t be the last such study. Several years ago, the Department of Homeland Security found that 60% of folks who found drives planted outside government buildings tried them out, and this percentage increased to 90% when the drives had a logo on them indicating some sort of official use. And last fall, a study commissioned by the trade group CompTIA found that 20% of 200 drives that were sprinkled across five cities were retrieved.

Certainly, there are some drives that are truly evil, such as this drive reported by Gizmodo that will literally cook your motherboard. Or the infamous Rubber Ducky drive used by penetration testers.

Bruce Schneier complained about this meme years ago, and wrote in a blog post:

“The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that it isn’t safe to plug a USB stick into a computer. Quit blaming the victim. They’re just trying to get by.”

Certainly, better and more security education would be a good idea. The college survey found that students perceived the files on the flash drive as being safer because they used .html extensions. Uh, not quite. But there is some hope: a few students were suspicious and actually used a text editor to open these files and connected the drives to offline computers.
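What the cautious students did by eye in a text editor can be done mechanically. The sketch below is an added example, not code from the study or from this post: it reads an .html file as text and lists every reference that would make a browser contact a remote host, without rendering or fetching anything. It assumes the "phone home" comes from a remote resource reference in the markup (the post does not say how it worked); the function names, the sample file and the tracker.example host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that can make a browser request a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster", "background"}
# Tags whose URL is requested as soon as the page renders, with no click.
AUTO_TAGS = {"img", "script", "iframe", "link", "embed", "object",
             "video", "audio", "source", "body"}

def is_remote(url):
    # Scheme-relative URLs (//host/path) leave the machine as well.
    if url.startswith("//"):
        return True
    try:
        return urlparse(url).scheme in ("http", "https", "ftp")
    except ValueError:  # malformed URL in untrusted input: flag it
        return True

class RemoteRefFinder(HTMLParser):
    """Collect remote URLs from markup without rendering or fetching it."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, loads_automatically)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if name in URL_ATTRS and value and is_remote(value):
                self.findings.append((tag, name, value, tag in AUTO_TAGS))
            # <meta http-equiv="refresh" content="0; url=..."> navigates on load.
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                target = value[value.lower().index("url=") + 4:].strip("'\" ")
                if is_remote(target):
                    self.findings.append((tag, name, target, True))

def scan_html(text):
    finder = RemoteRefFinder()
    finder.feed(text)
    return finder.findings

# Constructed sample, not a file from the study.
SAMPLE = """<html><head><meta http-equiv="refresh" content="5; URL=https://tracker.example/next"></head>
<body><img src="http://tracker.example/pixel.png?id=PLACEHOLDER" width="1" height="1">
<img src="photos/beach.jpg"><a href="https://example.org/about">about</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, auto in scan_html(SAMPLE):
        print(f"<{tag} {attr}> {'AUTO-LOAD' if auto else 'on click'}  {url}")
```

An empty result only means no remote reference was found in the markup; it says nothing about the drive itself, which is Schneier's point above.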

One thought on “See a USB drive, don’t pick it up!”

  1. Fascinating piece David. I’ve been pretty blasé about the whereabouts of my USBs when they get old but not to the point of dropping one on a public sidewalk but, heck, maybe I have and just don’t know it!
