Users Really Do Plug in Random USB Drives They Find

A recent study reached a disturbing conclusion – users really do plug in random USB drives they find. The researchers scattered 297 flash drives throughout the University of Illionis Urbana-Champaign campus. They found that the attack had an estimated success rate of 25-98%, with a median time to connection of only 6.9 hours (with the quickest being just six minutes). After connecting the drives, the subjects were presented with a survey to better understand their thought processes. It was thus found that:

• 68% of respondents connected a drive to locate its owner
• 18%  connected a drive out of curiosity
• 68% took no precautions prior to connecting the device
• Of those who considered protective measures:
  • 16% scanned the drive with anti-virus software
  •  8% believed their operating system would protect them

The study indicates that a social engineering attack of this nature would almost certainly work, as the USB drives can be configured to carry malware. This should give all of us a moment’s caution, particularly those employed in IT security.