We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 4598% and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drives appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks then their peers. We conclude with lessons learned and discussion on how social engineering attacks while less technical continue to be an effective attack vector that our community has yet to successfully address.
Users really do plug in usb drives they find
Security and Privacy 2016
Matthew Tischer , Zakir Durumeric , Sam Foster , Sunny Duan , Alec Mori , Elie Bursztein , Michael Bailey
Selected Press articles
The Guardian | Dan Tynan | Aug 2016The state of cyber security: we're all screwed