Naked Security

Almost half of dropped USB sticks will get plugged in

Researchers sprinkled a campus with thumb drives and found that almost half of them were plugged in and had files opened - risky business!

People are still plugging in USB sticks scattered around parking lots, a new study has confirmed.

This time, the researchers hail from the University of Illinois. They decided to test what they call the “anecdotal belief” that people pick these things up and plug them in, so they dropped 297 drives on the school’s Urbana-Champaign campus last year.

Sure enough, they found that if there were real malware on these drives, it would have been successful at infecting those users who plug them in. The success rate fell between 45% and 98%, as they describe in a paper titled “Users Really Do Plug in USB Drives They Find”.

They also found that a USB drive-inflicted infection would take root very quickly: the first drive phoned home to the researchers in less than 6 minutes after it was placed.

Multiple security researchers have already determined that people do this, of course.

One of the more recent experiments was done by CompTIA, which littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.

The nearly one out of five users who plugged in the drives in CompTIA’s study proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

The numbers get even worse in the University of Illinois study: at least 48% of the booby-trapped drives were picked up and plugged into a device before somebody then opened files stored on the drive.

While slightly less than half of the drives were plugged in, nearly all of them – 98% – were moved from their original drop location.

The researchers don’t actually know if the 155 drives that were moved but didn’t have their files opened were plugged in or not. Somebody might have picked up a drive, plugged it in and refrained from opening a file, or they might not have connected it at all.

That big “don’t know” shadow is how they pegged the attack’s success rate at between 45% and 98%.

The university students and staff who connected the drives weren’t rated as being particularly risk-prone, with the exception of recreational risk (because college students, one assumes?) and, well, the tendency to plug in mysterious flash drives.

Still, the majority of them – 68% – took no precautions with the sticks.

The researchers know this because they presented their subjects with a short survey after they opened files on the drives. The subjects who at least tried to protect themselves took these steps, though the researchers said they did so ineffectually:

  • 16% scanned the drive with their anti-virus software.
  • 8% believed that their operating system security features would protect them, e.g., “I trust my MacBook to be a good defense against viruses”.
  • 8% sacrificed a personal computer or used university resources to protect their personal equipment.

In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.

Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up a rigged drive can spread infection onto not only their own devices, but also onto his or her company’s systems in these days of bring your own device (BYOD).

Those that aren’t placed by security researchers or miscreants trying to plant malware also carry the risk of compromised data, of course – most particularly given that flash drives are rarely encrypted.

In studying those 50 USB keys, Sophos found that not one of the batch was encrypted, nor were their files password-protected.

How do you keep your data safe and your systems uninfected when dealing with these matchbox-sized threat vectors? Here are a few tips:

  1. Encrypt personal and business data before you store it on a USB key so it can’t be accessed if you drop the drive.
  2. Use security software, and keep it up to date. An infection rate of 66% means there are a lot of malware-spreaders out there.
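Tip 1 is easy to state and easy to skip. The script below is an added example, not part of the article or a Sophos tool: it checks whether a removable drive is already BitLocker-protected and, when asked to, turns on BitLocker To Go with a password protector plus a recovery password before any data is copied onto it. It assumes Windows 8 or later (the BitLocker PowerShell module), an elevated session, and a removable drive letter passed as `-MountPoint`; the drive letter `E:` in the comments is a placeholder.

```powershell
# Added example (not from the article): audit a removable drive's BitLocker
# state and optionally encrypt it before it is used to carry data.
# Assumes: Windows 8+ with the BitLocker module, an elevated session, and a
# removable drive letter such as 'E:' (placeholder) passed as -MountPoint.
param(
    [Parameter(Mandatory = $true)][string]$MountPoint,
    [switch]$Encrypt
)

function Get-RemovableEncryptionState {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    return [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus  # Off or On
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

$state = Get-RemovableEncryptionState -MountPoint $MountPoint
$state | Format-List

if ($state.ProtectionStatus -eq 'On') {
    Write-Output "$MountPoint is already protected; data copied onto it will be encrypted at rest."
    return
}

if ($Encrypt) {
    # Prompt for the password instead of taking it as a parameter, so it never
    # ends up in the shell history or a transcript.
    $password = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password -UsedSpaceOnly | Out-Null

    # Add a recovery password so a forgotten passphrase does not mean lost data.
    # Print it once; it belongs somewhere other than the drive itself.
    $rec = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = ($rec.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1).RecoveryPassword
    Write-Output "Encryption started on $MountPoint. Recovery password: $recovery"
} else {
    Write-Output "$MountPoint is NOT protected: do not store sensitive data on it, or rerun with -Encrypt."
}
```

Run it as `.\Check-RemovableDrive.ps1 -MountPoint E:` to audit, and add `-Encrypt` to protect the drive. The check before the copy is the point: a drive that is dropped in a parking lot later is only harmless to its owner if this step happened first.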

Finally, as security expert Bruce Schneier has suggested, let’s stop victim-blaming when it comes to USB finders-keepers-plugger-inners.

After all, people mean well when they plug the keys in, by and large. The researchers found that most people who poked around in the drives’ files were actually trying to find contact information so they could return the keys to their original owners.

And as Schneier says, which is more idiotic: plugging in a potentially malware-laced USB key, or designing them to be this dangerous?

People get USB sticks all the time. The problem isn’t that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the [operating system (OS)] trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn’t safe to plug a USB stick into a computer.

Quit blaming the victim. They’re just trying to get by.

Image of lost USB drive courtesy of Shutterstock.

13 Comments

USB sticks have always been a problem with potential malware. Turning off autorun helps a lot but you can go one step further and use products like Panda’s USB vaccine. It will replace the autorun file on the USB making it relatively harmless. That said the larger risk isn’t so much the files with USB, it’s the drive’s firmware which is impossible to stop from doing something bad with the system. It’s way too easy to replace the firmware with something that emulates a keyboard… Let’s just hope that you’re not running with admin rights!

Unfortunately, unless your AV has the ability to analyse the behaviour of any programs run, in many cases they simply won’t have a signature that will detect the malware. In fact a lot of malware coders will use places like VirusTotal to see how effectively they can obfuscate their code in order to bypass AVs.

If I had to check a USB stick with a dubious origin I would personally use a Raspberry Pi as a) It’s Linux and most malware would be designed for Windows and b) It stores the firmware on the SD card which means you could always zap the Pi’s card with a backup copy without fear that something might be left persistently in the system (BIOS etc.) Oh, and let’s not forget killer USB sticks which fry the USB port and computer with high voltages… Cheap Raspberry Pi or expensive laptop fried? No brainer!

Panda USB Vaccine and similar products are unnecessary since Microsoft turned off autorun from Windows 7 on, except for optical drives. The way to get USB sticks to autorun now is to emulate an optical drive similar to U3 or to use an exploit such as the LNK exploit made famous by Stuxnet. Immunizing the autorun.inf in the root of the USB drives doesn’t protect against either of these.

Protecting against the U3 style launchers can be done by turning off autorun for optical drives. The best protection against exploits is staying fully patched, but if another zero day comes along you’re kind of hosed. Educating users not to plug in unknown USB drives in the first place is still the best protection.

I’m not sure what the researchers did to get pingbacks, but it sounds like it required files to be opened. More commonly than one of the aforementioned autorun methods, USB infections spread because users run a malicious executable or open a booby-trapped file.

The Bruce Schneier quote Lisa used is outdated and no longer particularly relevant. I suppose Windows could block executables from untrusted devices, but it’s no longer the OS’s fault for autorunning. Bruce’s post includes this at the end:

“EDITED TO ADD (7/4): As of February of this year, Windows no longer supports AutoRun for USB drives.”

Now it’s a user education problem. Files on unknown USB drives ought to be treated like email attachments. Because we have been so successful at getting users to not open email attachments…
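The two comments above disagree about how much autorun still matters, but both turn on the same Windows policy: `NoDriveTypeAutoRun`, a bitmask of drive types for which AutoRun is disabled, where `0xFF` covers every type including the optical drives (and U3-style emulated optical drives) that Windows 7 left enabled. The script below is an added example, not from the article or either commenter, that audits that policy and optionally sets it to `0xFF`. It assumes Windows 7 or later and an elevated session for the `-Fix` path. It addresses only the autorun vector: it does nothing against keyboard-emulating firmware or an LNK-style parsing exploit, for which the advice in the comments (no admin rights, full patching, not plugging the drive in) still applies.

```powershell
# Added example (not from the article or commenters): audit and harden the
# Windows AutoRun policy discussed above.
# Assumes Windows 7+ and an elevated session when -Fix is used.
param([switch]$Fix)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # DRIVE_REMOVABLE = 0x04, DRIVE_CDROM = 0x20, ... ; 0xFF = every drive type

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when the policy value is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutoRunDisabled {
    param([int]$Mask)
    # True only if every drive-type bit is set, i.e. AutoRun is off everywhere.
    return (($Mask -band $AllDrives) -eq $AllDrives)
}

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Output "$ValueName not set under $PolicyKey; the Windows default applies and optical media may still autorun."
} elseif (Test-AutoRunDisabled -Mask $current) {
    Write-Output ('AutoRun disabled for all drive types (0x{0:X2}).' -f $current)
} else {
    Write-Output ('AutoRun only partially disabled (0x{0:X2}); CD/DVD bit set: {1}' -f $current, (($current -band 0x20) -ne 0))
}

if ($Fix) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    Write-Output "$ValueName set to 0xFF; sign out or restart Explorer for it to take effect."
}
```

Run without arguments to audit, with `-Fix` to apply. On a domain, the same value is what the "Turn off Autoplay" Group Policy setting writes, so the audit is also a quick way to confirm the policy actually reached a machine.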

I like the Raspberry Pi idea.

What precautions should be taken if one decides to insert a possibly-infected USB stick?

“The subjects who at least tried to protect themselves took these steps, though the researchers said they did so ineffectually.
-16% scanned the drive with their anti-virus software.”
Why was this ineffectual?

I suppose that “16% bothered to scan it first” figure implies ineffectual precautions because it means “84% didn’t check at all.”

Hey Kabir, just saying, but it may be ineffectual because the drive has to be plugged in before the anti-virus software can actually scan it. Once the drive is plugged in, it’s too late. The best precaution, simply sh** can it.
Also, never ever, ever, ever…push a button that has a sign above it that says, “Do Not Push”!

Ideally, don’t do it. If you must, use a VM or live CD (or a Raspberry Pi as Alan Robertson suggested). Additional precautions:
-Before plugging it in make sure your OS is fully patched. This is your best protection against exploits such as the Stuxnet LNK exploit.
-Before you even open the drive in Explorer run a full scan of it with your onboard antivirus and antimalware software.
-Get a second opinion with an online scanner such as ESET’s or a standalone tool such as the Sophos Virus Removal Tool.
-Don’t open anything unless absolutely necessary.
-Don’t run executables (you should never run executables from unknown or untrusted sources anyways).
-Upload any files to VirusTotal before opening them.
-If you must open macro-enabled or commonly exploited file types (.doc, .xls, .pdf etc) ensure your software is fully patched and hardened (i.e. turn off JavaScript in your PDF reader).

All that said, there is no good legitimate reason I can think of to plug in an unknown USB drive. It’s nice to be a good citizen and try to find the owner but your own safety needs to come first. And because everyone’s security is negatively affected when you are infected*, putting your security first is not selfish but rather acting as a good citizen of the internet.

*Briefly, an infected computer can be used to infect or DDoS others, send spam, host and distribute illegal content (child pornography, cracked software, etc), proxy attacks or bot commands, etc. Even if you “just” get adware that only affects your system it still provides the continuing financial incentive that keeps the bad guys going.

“8% believed that their operating system security features would protect them, e.g., “I trust my MacBook to be a good defense against viruses”.”

Would OS X autolaunch an .app on a USB drive? Wouldn’t Gatekeeper keep an unsigned executable from running (assuming that’s running) if the user did click on it? And if it wanted to do anything requiring admin access, you’d have to then authenticate?

OS X has good safeguards built in, but they aren’t enough to stop you from making your own choice to take risks. I guess the problem with those 8% of people is that they seem to be thinking that “the OS has enough security built in even to protect me from myself with no other precautions needed.”

Temporarily disable the HDD in the BIOS so it can’t be written to, boot your computer with a live Parted Magic (Linux utility) disc and check the files from PM’s virus scanner (make sure you download the latest PM update first). If infected, sanitize the drive from within PM. Or alternatively check the USB from a Linux computer. Much less likely to get infected than a Windows system.
Unfortunately the standard user doesn’t have access to these resources. However, it’s an unusual college computer center that wouldn’t have at least a few Linux computers available. So why not just turn it in and let them deal with it?

The “don’t blame the victim” line is naive at best. Yes, systems should be designed better to protect end users. But we live in the world as it exists today, not the world as we wish it would be. Therefore computer users must wake up and become knowledgeable about the do’s and don’ts of computer usage. We don’t insist car drivers have a 100% idiot-proof vehicle to drive, so why do some people think we should have that for computers?

Hey! a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good.

Well, not always :-)

https://nakedsecurity.sophos.com/ibm-distributes-usb-malware-cocktail-auscert-security-conference

https://nakedsecurity.sophos.com/police-give-out-infected-usbs-as-prizes-in-cybersecurity-quiz
