Dropping USB Drives Is the Easiest Trick Hackers Can Use — And You're Probably a Sucker

Source: AP

Hackers have devised one of the most effective and direct traps for gaining access to your most sensitive systems: simply leaving stuff on the ground.

Researchers at the University of Illinois and University of Michigan found that if you discard a USB stick somewhere, there's a nearly 50% chance that someone will pick it up, plug it into a computer and start clicking around inside.

This is where it gets scary. If that drive has malicious software on it, it's all too easy for a hacker to access your computer. The threat is so well-known it was featured in a Mr. Robot plot. And yet humans will, without fail, disregard the risk and plug in unknown drives.

The experiment: Researchers dropped about 300 USB drives around the University of Illinois Urbana-Champaign campus. The researchers labeled them in a variety of ways, like attaching keys or a return mailing address to some of them, and filled the USB drives with fake files like "résumé" and "pictures."

It took only six minutes for someone to get one of the drives and plug it in somewhere. Out of all the dropped drives, a full 48% were picked up, plugged in and explored. 

"This surprisingly high conversion rate demonstrates that USB drop attacks are a real threat and underscores the importance of educating users on the risk of plugging in untrusted USB devices," Google researcher Elie Bursztein, who worked on the study, wrote on his blog.

People were less likely to click around inside the drive when there was a label attached. Many reported back to the researchers that they really just wanted to help find the drive's owner. Otherwise, the research found that the attack was effective no matter who picked up the drive or where they were.

Curiosity got the best of them.

Use protection: Hackers in movies have to use crack-shot coding skills and custom equipment to gain access to secure systems. But in real life, everyday "hacking" is mostly about taking advantage of people's gullibility. Attackers can guess passwords, impersonate you over the phone to a customer support representative, or just set up a fake public Wi-Fi network and wait for you to connect.

There are a few basic measures that protect you from simple exploits, like creating complicated passwords and keeping your software up to date.

But when it comes to USB drives, you could just ban them entirely — at your company, in your home, or just by instituting a no-plugging-things-in policy for yourself.

"With the advent of cloud storage and fast internet connections, this policy is not as unreasonable as it was a few years back," Bursztein wrote.


Jack Smith IV

Jack Smith IV is a senior writer covering technology and inequality. Send tips, comments and feedback to jack@mic.com.
