In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait.
Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.
As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.
Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions, according to the study, which will appear in the 37th IEEE Symposium on Security and Privacy in May of this year.
“It's easy to laugh at these attacks, but the scary thing is that they work.“
“I trust my macbook to be a good defense against viruses,” one participant is quoted as saying, while another one seemed aware of the risks, but didn’t care, saying: “I sacrificed a university computer.”
Some 135 people actually opened some files in the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unbeknownst students and faculty that they had become part of an experiment, and trying to figure out why they had picked up the drive and opened files inside.
“It's easy to laugh at these attacks, but the scary thing is that they work—and that's something that needs to be addressed,” the leading researcher on the study, Matt Tischer, told me in an email.
(Some of the USB drives the researchers dropped around campus. Image: University of Illinois)
In the study, the researchers concluded that “the anecdote that users will pick up and plug in flash drives they find is true.”
Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68 percent people said they did it to find the owners, while 18 percent admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and, instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it.
Tischer said that it’s hard to prevent something like this from happening.
“There are no easy solutions to these problems, but they will certainly extend beyond simply the technical to include a deeper understanding of the social, behavioral, and economic factors that affect human behavior,” he said in an email. “There is a difference between warning users that a particular action is dangerous and convincing them to actually avoid it. We need to close that gap.”