Here is a scenario for you: You are walking around, catching Pokémon, getting fresh air, people-watching, taking Fido out to do his business, when something catches your eye. It’s a USB stick, and it’s just sitting there in the middle of the sidewalk.
Jackpot! Christmas morning! (A very small) lottery win! So, now the question is, what is on the device? Spring Break photos? Evil plans to rule the world? Some college kid’s homework? You can’t know unless…
Stop right there. If you found yourself in this scenario, what would you do? Would you plug in the drive or just toss it in the nearest trash can? If you would plug it in, you are not alone — although you really should not do that. This week at Black Hat, Elie Burztein gave a presentation showing the results of a little social experiment his team conducted. They dropped 297 USB sticks around the University of Illinois campus (with permission from the university, of course). The sticks contained a harmless script that simply alerted the researchers if someone inserted the device into a computer, and it gave them time and location information.
The results were illuminating: 48% of the USB sticks were plugged into a computer, most within 10 hours of being picked up. Surprisingly, 68% of the people who picked up the sticks and plugged them in said (in a survey following the test) that they were looking to get them back to the rightful owner — humanity prevails! (Although, these may be the good intentions the road to hell is paved with.)
Now, here’s the upshot: If you find yourself in a situation like the University of Illinois students and find a USB stick sitting on your front steps, you really should leave it alone. Sure, you might be able to see someone’s racy photos or tax returns, but you might instead be targeted by a criminal. Burztein was conducting research and had no malicious intent. The script on the USB sticks was benign, and the test was conducted responsibly. The same cannot be said for the USB stick sitting in front of you.
Inserting the device could cause serious damage: It might give an attacker access to your computer and track keystrokes (including passwords). It could infect your computer with ransomware.
From a cybercriminal’s point of view that’s a good deal: The amount of money on your credit card that the key logger could steal, or the ransom that the cryptor would demand, is certainly quite a bit more, than the cost of a USB stick. And given a 48% pick-up rate, that seems like a rather profitable business for the bad guys. Rewind … You found a USB device on the sidewalk. Do you insert it? Better question — how much are you willing to risk?