Lost & Found: The Dangers of Mystery USB Drives
By Kenneth Sprague | October 3rd, 2016
So if you found a USB stick in the parking lot this morning, what would you do? What if you found one in the course of your job, in a rental car, or in a “Lost & Found” box in your office? You would probably be curious to see what is on the drive, or inclined to try to locate its owner. What do you think the chances are that you’d plug it into your work or personal computer?
A study conducted by Google, the University of Illinois, and the University of Michigan shows that these small USB drives (also called USB thumb drives or USB sticks) are lost all the time, in all sorts of places, from taxis to dry cleaners and parking lots. Generally, the data isn’t encrypted, and the only way to find out who a drive belongs to is to plug it in and look for clues. Malware developers, cyber-criminals, and governments have been known to use this delivery method in the past. In the study, 297 USB drives were dropped around a college campus, placed in strategic locations for people to pick up. The method proved highly effective at infecting devices, with the first incident occurring less than six minutes after a drive was left behind.
Some could argue that the study was skewed because the social experiment was conducted on a college campus. However, a real-world example would be the “Stuxnet” case, where a USB drive was found in the Bushehr nuclear plant parking lot and unwittingly plugged into the facility’s network. The drive contained a worm specifically designed to infiltrate the target. It remained undetected until much later, when it spread well beyond the intended confines, reaching over 45K computers worldwide.
The study also concluded that nearly half of the people who picked up a found USB drive plugged it into a computer connected to the internet. While most were acting in good faith, the results clearly demonstrated that dropping a USB drive near the intended target organization is an effective way to spread malware.
So by now you are asking yourself: what can you do if you find a USB drive and want to locate the owner without putting yourself at risk? Unfortunately, the only real way to see the contents of a USB drive is to put it into a machine that will not allow any files to be written to a hard drive. For example, you could boot a PC without a hard drive from a bootable Linux DVD, CD, or USB. This would allow you to mount the “found” USB drive and view its files. While this is one of the safest methods, it is generally beyond the average person’s technical capabilities, which is why the best thing to do is turn the drive in to a lost and found. Be sure to warn whoever you turn it in to not to plug it into any computer unless a trained IT professional who is capable of properly reviewing the content is involved.
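The read-only inspection described above, as an added example that is not part of the original article: shell functions for a live Linux session that lock the device against writes, mount it with restrictive options, and list file names without opening anything. The device name `/dev/sdb1`, the mount point `/mnt/found`, the file name `inspect.sh`, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): inspect a found USB drive read-only
# from a live Linux session. /dev/sdb1 and /mnt/found are assumed names.
# Usage, as root:  . ./inspect.sh && inspect /dev/sdb1 /mnt/found
# Set DRY_RUN=1 to print the commands instead of running them.

# ro: no writes; noexec: nothing on the drive can be executed from the mount;
# nosuid/nodev: ignore setuid bits and device nodes stored on the drive.
SAFE_OPTS="ro,noexec,nosuid,nodev"

# Accept only plain disk names such as /dev/sdb or /dev/sdb1, so a typo or
# stray text can never turn into extra mount options.
valid_dev() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the device already backs a mounted filesystem (for example the
# live medium itself). $2 is the mounts table to read.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

inspect() {
    dev=$1 mnt=$2
    valid_dev "$dev" || { echo "refusing: bad device name '$dev'" >&2; return 2; }
    if is_mounted "$dev" "${MOUNTS:-/proc/mounts}"; then
        echo "refusing: $dev is already mounted" >&2; return 3
    fi
    run blockdev --setro "$dev" &&     # kernel rejects writes to the device
    run mkdir -p "$mnt" &&
    run mount -o "$SAFE_OPTS" "$dev" "$mnt" &&
    run ls -laR "$mnt"                 # list names only; open nothing
}
```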
It is second nature to want to be helpful, but it is important to remember that malware creators and criminals are always seeking ways to exploit such vulnerabilities, particularly while trying to gain access to highly secure networks. So be safe and don’t risk infecting your computer by plugging in a device that doesn’t belong to you.