Blog

I wouldn’t plug that USB in if I were you!

You’re leaving work and see a USB drive someone’s dropped in the elevator. It looks like the same one you have at home that you bought from JB Hi-Fi. Do you A. plug it in to track down the owner (or out of curiosity), B. hand it in as a lost item, C. throw it in the bin, or D. leave it there?

The University of Illinois conducted a landmark study by placing nearly 300 USB drives around their campus. Each USB drive was loaded with a file that, when opened, would notify the researchers that someone had accessed it. The study showed that 98% of people picked up one of the USB sticks and 45% of them plugged it in and opened a file.

What’s wrong with this?

Cybercriminals use USB drives as an “attack vector,” meaning they load USB drives—sometimes thousands of them—with malware, ransomware, or viruses that can give them access to individual computers or entire networks when plugged in.

The fact that 45% of study participants opened unknown files from mysterious drives shows just how effective indirect cyberattacks can be. Like phishing emails that claim there’s a package waiting for you, this type of attack exploits human curiosity. With the rise of AI-powered attacks and increasingly sophisticated malware, these seemingly innocent USB drives have become even more dangerous.

Has it happened before?

USB-based attacks continue to evolve and remain a significant threat. In recent years, we’ve seen campaigns where unmarked USB sticks are distributed through various means—from being dropped in car parks to being sent through the post. These devices often contain advanced malware designed to steal credentials, deploy ransomware, or establish persistent network access.

One of the most famous examples remains Stuxnet—a sophisticated cyberweapon that used USB drives to infiltrate air-gapped systems and ultimately damaged Iranian nuclear facilities. This demonstrated just how effective USB-based attacks can be, even against highly secure environments.

More concerning are modern “USB killer” devices that can physically destroy computers by delivering high-voltage electrical surges, or advanced implants that can compromise systems while appearing to function as normal storage devices.

The takeaway

Just like with email, don’t open anything mysterious that you don’t trust. The correct answer to our opening question is C. throw it away or put it in a secure destruction bin. If you leave it there or hand it in, it could potentially end up in the hands of someone curious enough to plug it in, and if that happens at your workplace, it could compromise your entire network.

Use your judgement—if the USB has clear business branding, you might contact that organisation directly. However, the safest approach is secure disposal. Consider providing company-branded USB drives and implementing policies that only allow approved devices in the workplace. Modern endpoint detection and response solutions can also help, but prevention remains your best defence.

Remember, in our increasingly connected world, a moment of curiosity could lead to months of recovery from a cyberattack. When in doubt, our team is always available to help you implement robust cybersecurity policies that protect your organisation from these and other threats. Get in touch if you’d like to discuss strengthening your security posture.

Jessica Falconer
Director, Resolve Technology
When she’s not wrangling IT strategies, Jessica can be found wrangling labradoodles, teenagers, and parishioners — not necessarily in that order.