Is it safe to install a pen drive that you find on the roadside directly in your system

The recent phenomenon of people finding found thumb drive “sticks” in various places, only to have terrible consequences like locked-up PCs causes us to speak out. We did some research on the matter and combined it with some of our own advice, which is: don’t ever pick up found USB drives – for some very common-sense reasons.

An Experiment in Gullibility

In a quite interesting experiment (in gullibility or stupidity), researchers randomly deposited 297 USB drives (aka USB stick, flash drive, thumb drive) around the University of Illinois Urbana-Champaign campus. They wanted to see just how many, and how soon after dropping them off, they’d be picked up by people.

Turns out that 48 percent of the drives were taken and inserted into computers. The report at TheRegister.co.uk says that in some cases, this was done minutes after the drives were left in the public spots.

Picking up a USB drive off the street and plugging it into your computer is akin to picking up discarded food off a sidewalk and eating it. You just never know what kind of infection you’re going to get.

And what you might get is a virus crashing your computer or stealing your data. That USB stick could contain malware—either left in public as a prank or innocently lost or discarded without the original owner knowing it’s infected.

Or…it might have been left in a public spot by a hacker with the full intent of gaining control of your computer to collect your personal data and committing fraud, such as opening lines of credit in your name or emptying out your bank account.

The USB sticks for the study contained HTML files with embedded img tags. The tags allowed the researchers to track the USB activity, which is how they knew that, for instance, one of them was plugged into a computer only six minutes after it was left to be “found.”

Only 16 percent of the people who picked up the sticks actually scanned them to check for viruses before plugging them into their computers. And 68 percent simply inserted them without any regards to what they could get transferred into their computers.

To wit:

• Some users trusted that there was no harm.
• Some plugged in the drive to seek out the owner.
• Some intended to keep the stick.

The Takeaway: A cybercriminal could easily take control of a business’s system by leaving a rigged USB drive in the parking lot, let alone get control of a personal computer by leaving the stick in any public place frequented by lots of people.

Nearly Half of Found USB Sticks Will Get Plugged In

People are still plugging in USB sticks scattered around parking lots, a new study has confirmed.

This time, the researchers hail from the University of Illinois. They decided to test what they call the “anecdotal belief” that people pick these things up and plug them in, so they dropped 297 drives on the school’s Urbana-Champaign campus last year.

Sure enough, they found that if there were real malware on these drives, it would have been successful at infecting those users who plug them in. The success rate fell between 45% and 98%, as they describe in a paper titled “Users Really Do Plug in USB Drives They Find“.

They also found that a USB drive-inflicted infection would take root very quickly: the first drive phoned home to the researchers in less than 6 minutes after it was placed.

Multiple security researchers have already determined that people do this, of course.

One of the more recent experiments was done by CompTIA, which littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.

The nearly one out of five users who plugged in the drives in CompTIA’s 2015 study proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

The numbers get even worse in the University of Illinois study: at least 48% of the boobytrapped drives were picked up and plugged into a device before somebody then opened files stored on the drive.

While slightly less than half of the drives were plugged in, nearly all the found USB flash drives – 98% – were moved from their original drop location.

The researchers don’t actually know if the 155 drives that were moved but didn’t have their files opened were plugged in or not. Somebody might have picked up a drive, plugged it in and refrained from opening a file, or they might not have connected it at all.

Perhaps they were just helping to beautify the area by picking up trash.

That big “don’t know” shadow is how they pegged the attack’s success rate at between 45–98%.

The university students and staff who connected the drives weren’t rated as being particularly risk-prone, apart from recreational risk (because of college students, one assumes?) and, well, the tendency to plug in mysterious flash drives.

Still, most them – 68% – took no cybersecurity precautions with the found USB sticks.

The researchers know this because they presented their subjects with a short survey after they opened files on the drives. The subjects who at least tried to protect themselves took these steps, though the researchers said they did so ineffectually:

• 16% scanned the drive with their anti-virus software.
• 8% believed that their operating system security features would protect them, e.g., “I trust my MacBook to be a good defense against viruses”.
• 8% used another device, like university resources to protect their personal equipment.

In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them were infected.

Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up a rigged drive can spread infection onto not only their own devices but also onto his or her company’s systems in these days of bringing your own device (BYOD).

Those that aren’t placed by security researchers or miscreants trying to plant malware also carry the risk of compromised data, of course – most particularly given that flash drives are rarely encrypted.

Sophos found that in studying those 50 USB keys, not one of the batch was encrypted. Nor were their files password-protected.

[Source credits: NakedSecurity.com and FinExtra.com]

Cyber Security Begins with Common Sense

So. how do you keep your data safe and your systems uninfected when dealing with these tempting threat scenarios?

Here are a few tips:

• Encrypt personal and business data before you store it on a USB key, so it can’t be accessed if you drop the drive;
• Use security software, and keep it up to date. An infection rate of 66% means there are a lot of malware-spreaders out there;
• And finally, let’s stop victim-blaming when it comes to USB finders who make the unfortunate decision to plug them in somewhere and just get our heads into common sense, shall we?

CCS computer support services can give you all the computer help, tech tips, and cyber security services you may need, along with our cybersecurity training, auditing, and controls.

We also specialize in Apple and Mac support.

So, put down that found USB drive (if you’re so inclined), and get your head into more sound cybersecurity policies – for individuals and businesses alike.

Leave Found USB Drives Alone and Pick Up the Phone (if Necessary)

Just call us at (719) 439-0599 or contact us online to learn more about found USB flash drives and sound cybersecurity policies, and we can get you started with the best cybersecurity services in Colorado for your business.

Is it safe to install a pendrive that you found on the roadside directly in your system?

Is it safe to insert a pen drive that you find on the parking lot directly in your office laptop?

Should I plug in a USB I found?

How do I make sure my USB is safe?