Hackers don’t need complicated codes and tactics to break into computer systems – all they need is a USB drive.
A study by researchers at the University of Illinois found that nearly half of people who find a USB drive will plug it into a computer and open the files, typically out of curiosity or in hopes of finding the owner.
But security experts say just plugging in a USB drive can allow hackers to attack you. Cyber-criminals could compromise not just that computer, but an entire system, including data saved to the Cloud.
“This is clearly an effective way to compromise a system,” said Michael Bailey, an associate professor of electrical and computer engineering at the University of Illinois at Urbana-Champaign. “Why go through cryptology or some other complicated way of compromising a system when you can clearly just get a user to click on something?”
Bailey and his colleagues teamed up with Google and the University of Michigan to conduct the study, which will be released at a conference in May. They dropped nearly 300 USB sticks throughout UIUC’s campus and measured how many people picked them up.
Ninety-eight percent of the drives were moved, and at least 45% were connected to computers. Someone plugged a drive in only six minutes after researchers dropped it.
The drives had different labels – some unmarked, some attached to house keys; others labelled “confidential” or “final exam solutions.” They loaded the drives with files consistent to the label, such as “sp15/examA.pdf” and “Pictures/Winter Break/*.jpg”.
The files actually contained a tag for an image on a centrally controlled server that let researchers know when a file was opened on an Internet-connected computer.
Once people double clicked on a file, a notification told them they were part of a study and asked them to take a survey. Many participants said they plugged the drive in hoping to return it to its owner.
Some of that checked out, Bailey said. On some drives, researchers put an “If found, please return to” label with an e-mail address they created. Finders were significantly less likely to click on a file in those cases, Bailey said.
They also put a resume file on some of the drives. The majority of people clicked on that file, Bailey said, indicating they were looking for return info.
Nearly one in five respondents said they simply opened the drive because they were curious, but Bailey has a hunch that number should be higher.
“It’s pretty obvious that in a student population of 35,000, you’re not going to find the owner of a USB drive by looking at spring break pictures,” he said.
The people plugging in the drives were not computer-illiterate or naive, Bailey said. These were people with experience. Demographics didn’t affect plug-in rates either, he said.
Karl Sigler is threat intelligence manager at Chicago-based cybersecurity company Trustwave. One of his teams stages cyberattacks on clients to test their vulnerability. Sigler said the team tests the USB attack frequently – they drop USBs in the parking lot, the bathroom, the lobby – and it’s almost guaranteed that someone will plug them in.
People need to be more aware of the dangers of plugging foreign electronics into computers, he said. But it’s hard to rewire human nature.
“It’s a difficult thing,” he said. “Your natural instinct is to be a good Samaritan and try to get that property back, and that’s what criminals are capitalising on that trust.” – Tribune News Service
Did you find this article insightful?