when relevant content is
added and updated.
It turns out that the reason people keep poking USB sticks into things isn’t necessarily because they’re stupid. It’s because they’re nice.
A recent study by researchers at the University of Illinois discovered that almost half of the people who found USB sticks scattered by the researchers ended up sticking them into their computers. This isn’t new. What was new is the reason – ostensibly, so the people who found them could return them to their owners.
“We dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives,” writes Elie Bursztein, one of the researchers, who heads Google’s anti-abuse research team. “We find that users picked up, plugged in, and clicked on files in 48 percent of the drives we dropped,” he writes. “They did so quickly: the first drive was connected in under six minutes.” The full study will be published in May 2016 at the 37th IEEE Security and Privacy Symposium, he adds.
“We dropped five types of drives on the University of Illinois campus: drives labeled ‘exams’ or ‘confidential,’ drives with attached keys, drives with keys & return address label, and generic unlabeled drives,” Bursztein writes. “On each drive, we added files consistent with the drive’s label: private files for the sticks with no label, keys or a return label; business files for the confidential one; and exam files for the exam drives.”
In fact, researchers found that they could make people even more likely to perform this altruistic behavior by personalizing the stick, Bursztein adds. “Attaching physical keys to elicit altruistic behavior was most effective,” he writes. “Keys with an attached return label were the least opened, likely because people had another means to find the owner.”
So what makes all this a problem?
- USB sticks can spread viruses and malware.
- In particular, USB sticks can include code that reprograms any other USB device, including the keyboard.
- And this isn’t just ransomware. We’re talking about malware that can actually set your computer on fire.
For that matter, the researchers’ USB sticks essentially had malware on them. “All the files were actually HTML files with an embedded image on our server,” Bursztein writes. “This allowed us to detect when a drive was connected and a file opened without executing any unexpected code on the user’s computer. When a user opened the HTML file, we asked them if they wanted to opt out or to answer a survey about why they plugged in the drive in exchange of a gift card. 62 users (~20 percent) agreed to respond.”
And that’s where the being nice part comes in. “When asked why did they plugged the drive most survey respondents claimed it was for the altruistic purpose of returning the drive to its owner (68 percent),” Bursztein writes. “Only 18 percent said they were motivated by curiosity.”
Of course, that’s what they said. “The self-reported motivation is not consistent with which files were accessed,” Bursztein notes. “For example for the drives with physical keys attached, users clicked on winter break pictures more often than on the resume file, which would have contact information of the owner. Interestingly the same behavior is observed for the drives with a return label, but not for the drives with no marking.”
The other interesting aspect is how quickly this all happened. “Not only do many people plug in USB devices, they connect them quickly,” writes Bursztein. “20 percent of the connected drives were connected within the first hour and 50 percent were connected within 7 hours.” What makes this a problem is that if such sticks did contain a virus, it could spread before anyone could deal with it. “The windows of time available to detect that this attack is occurring is very short,” he warns. In fact, the first report of the presence of “weird USB keys” on the campus only started to surface on Reddit roughly 24 hours after the first wave – which still didn’t keep people from continuing to plug them in, he writes.
What’s particularly interesting is that this behavior is universal. “We found no difference between the demography, security knowledge and education of the users who plugged USB drives and the general population,” Bursztein notes.
Between this and all the other security flaws inherent in USBs – even Captain America, ATMs, and the International Space Station are vulnerable — Bursztein is actually suggesting getting rid of USB sticks altogether. “You can enforce a policy to forbid the use of USB drives,” he writes. “On Windows this can be done by denying users access to the Usbstor.inf file. With the advent of cloud storage and fast internet connections, this is policy is not as unreasonable as it was a few years back.”
What’s going to be interesting is what sort of ramifications there’s going to be about this research. For example, it sounds like telling people not be stupid isn’t a very successful strategy, because they don’t think they’re being stupid. “Why being more security savvy is not negatively correlated with being less vulnerable is everyone’s guess,” Bursztein writes. “It raises the question of the effectiveness of security education at preventing breaches.”
Not to mention, what other kinds of things might people be convinced to do because they think they’re being nice?