Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan spread 297 USB drives around the Urbana-Champaign campus. They found that 48 percent of the drives were picked up and plugged into a computer, some within minutes of being dropped.
"The security community has long held the belief that users can be socially engineered into picking up and plugging in seemingly lost USB flash drives they find," the researchers reported this month.
"Unfortunately, whether driven by altruistic motives or human curiosity, the user unknowingly opens their organization to an internal attack when they connect the drive – a physical Trojan horse."
The study dropped USB sticks containing HTML files that had img tags embedded; opening the files fetched the image from a remote server, allowing the researchers to track the USB drives' use and rough location. It's obviously not a perfect means to detect usage, but close enough. And, yes, we're talking about people – students and staff – who hang around a uni campus.
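As an added example (not the researchers' code), here is how a beacon-based drop test of this kind can be measured: the decoy HTML embeds an img tag pointing at a per-drive URL on a server the testers control, and the server's access log yields first-open times and the plug-in rate. The host name, drive ids, drop times and log lines below are all constructed for illustration.

```python
"""Beacon-based measurement of a USB drop test: decoy HTML plus log analysis."""
import re
from datetime import datetime

BEACON_HOST = "beacon.example.test"  # assumed placeholder host, not a real server


def beacon_html(drive_id: str) -> str:
    """Decoy page for one drive; opening it fetches a per-drive image from the beacon host."""
    return ("<html><body><p>Example decoy page</p>"
            f'<img src="http://{BEACON_HOST}/b/{drive_id}.png" width="1" height="1">'
            "</body></html>")


# Constructed Common Log Format lines; the favicon hit shows non-beacon noise being ignored.
LOG = """\
10.0.0.5 - - [12/Apr/2016:09:06:00 +0000] "GET /b/d17.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Apr/2016:11:40:12 +0000] "GET /b/d03.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Apr/2016:12:00:00 +0000] "GET /b/d17.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Apr/2016:12:01:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.47"
"""
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "GET /b/(?P<id>[A-Za-z0-9]+)\.png')


def first_open_times(log_text: str) -> dict:
    """Map drive id -> datetime of its earliest beacon hit; lines without a beacon path are skipped."""
    first = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["id"] not in first or ts < first[m["id"]]:
            first[m["id"]] = ts
    return first


def summarize(drops: dict, log_text: str) -> dict:
    """drops: drive id -> ISO 8601 drop time. Returns plug-in rate and fastest open in minutes."""
    opened = first_open_times(log_text)
    delays = [(opened[d] - datetime.fromisoformat(t)).total_seconds() / 60
              for d, t in drops.items() if d in opened]
    return {"dropped": len(drops), "opened": len(delays),
            "rate": len(delays) / len(drops) if drops else 0.0,
            "fastest_minutes": min(delays) if delays else None}
```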
The drives were usually picked up within hours of being left in the lot, with one being opened just six minutes after being dropped off. Overall, 48 per cent of the drives were picked up and plugged into a PC.
Additionally, the study found that just 16 per cent of users bothered to scan the drives with anti-virus software before loading the files; 68 per cent of the respondents said they took no precautions whatsoever before plugging in the drives.
The users said that, for the most part, they were acting in good faith. 68 per cent of the users said they were only accessing the drive in order to find its owner, though a "handful" of respondents said they were planning to keep the USB drive for themselves.
This led the researchers to believe that an attacker would have no problem spreading malware in an organization by simply dropping an infected USB drive in a public place.
"We hope that by bringing these details to light, we remind the security community that some of the simplest attacks remain realistic threats," the researchers said.
"There is still much work needed to understand the dynamics of social engineering, develop technical defenses, and learn how to effectively teach users how to protect themselves." ®