I wouldn’t plug that USB in if I were you!

Posted on Sep 29, 2016 in IT policy, Security
I wouldn’t plug that USB in if I were you!

By Nick Phillips, Operations Manager

You’re leaving work and see a USB drive someone’s dropped in the elevator. It looks like the same one you have at home that you bought form JB-HiFi. Do you A. plug it in to track down the owner (or out of curiosity), B. hand it in as a lost item, C. throw it in the bin, or D. leave it there?

The University of Illinois carried out a study by laying nearly 300 USB drives around the campus. The USB drive was loaded with a file that when opened (connected to the internet) would notify the researchers that somebody had opened a file. The study showed that 98% of people picked up one of the USB sticks and 45% of them plugged it in and opened a file.

What’s wrong with this?

Cyber criminals or hackers use USB drives as an “attack vector,” meaning that they load a USB drive, or potentially thousands of USB drives, with malware or a virus that when plugged in can give them access to a single computer or a whole network.

The fact that 45% of the study’s respondents opened an unknown file on a mysterious drive shows just how effective an indirect cyber-attack like this can be. Just like the phishing email that said there was a package for you that wasn’t delivered, this type attack also plays on human curiosity.

Has it happened before?

Recently in Victoria, Australia unmarked USB sticks were dropped into letter boxes in the hope they were plugged into personal computers. They contained illegal media streaming service offers as well as malware, either to steal personal information or to demand pay out to unlock files.

A more global example would be Stuxnet – touted as being designed by the US and Israel to deliver a computer virus into an Iranian computer system that damaged a nuclear facility and destroyed its uranium enrichment centrifuges in 2010.

On the back of this a Hong Kong based company started selling a USB drive called USB Kill v2, and it’s as bad as it sounds. It’ll pretty much fry any computer it’s plugged in to.

The takeaway

Just like with email, don’t open anything mysterious that you don’t trust. And by the way the correct answer to the first question is C. throw it away or put it in a secure destruction bin. If you leave it there or hand it in, it’ll potentially end up in the hands of someone who wants to return it to the owner (or is simply curious), and if that’s at your place of work it could hit your whole network – so don’t risk it.

Obviously use your initiative, if it has a business logo on it, hand it back there. Another idea is to provide company marked USB sticks and have a policy to only use these in the work place.

Tips on safe USB use in a later blog.