BLACK HAT 2016: Experiment shows that most half of people will plug a randomly placed USB stick into their computer, despite risk
Security researcher Elie Bursztein has revealed the details of a social experiment involving the humble USB stick at this year’s Black Hate USA security conference.
Bursztein and researchers from the University of Illinois Urbana-Champaign, University of Michigan and Google dropped 297 USB drives with phone-home capabilities on the University of Illinois Urbana-Champaign campus.
“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” Bursztein was reported as saying.
The researchers found that 48 percent of drives were picked up and plugged into a computer with the user clicking on files. The documents had names such as “final exam” or “spring break pictures.”
As this was an experiment, there was no nasty payload associated with these documents, but rather when a user double-clicked on the document, he or she was connected to an email survey. 68 percent of respondents said they clicked on the file so they could help return the USB to its rightful owner.
Another 18 percent admitted they were curious about the document contents.
It is not uncommon nowadays to come across misplaced USB sticks.
Indeed, earlier this year security firm ESET found that dry cleaning shops were a haven for forgotten devices. It discovered over 22,000 USB sticks were left in the pockets of clothing sent to Britain’s dry cleaners during 2015.
Rach dry cleaner it survey found four USB sticks each on average, alongside other valuable items such as mobile phones.
Bursztein meanwhile took the opportunity to demonstrate to Black Hat attendees the dangers of plugging in a randomly found USB stick, after he created a malicious USB drive that contained a nasty surprise.
Instead of being a storage device, his USB stick hosted a HID (human interface device) to give attackers almost instant control of the victims’ PC or Mac, so long as it was connected to the Internet.
Bursztein cast a new USB housing using silicon molds and model resins, and inserted a USB connector and a small development board (Teensy 3.2) at a cost of just $40 (£30). This rogue USB stick contained a payload that was made up of a reverse TCP shell that connected back to a server chosen by the attacker.
He even built-in capabilities to avoid AV and firewall defences, and his creation worked on both Windows PCs and Apple Macs. He is still developing the malicious USB stick, and is seeking to add a GSM/Wi-Fi module and storage capabilities in future prototypes.
Rather than use sophisticated malware to destroy its target, the stick instead sent a 220 volt charge through the signal lines of the USB interface, effectively killing the computer within seconds.
Are you a security pro? Try our quiz!