Dropping USB Drives Is the Easiest Trick Hackers Can Use — And You're Probably a Sucker


Hackers have devised one of the most effective and direct traps for gaining access to your most sensitive systems: simply leaving stuff on the ground.

Researchers at the University of Illinois and University of Michigan found that if you discard a USB stick somewhere, there's a nearly 50% chance that someone will pick it up, plug it into a computer and start clicking around inside.

This is where it gets scary. If that drive has malicious software on it, it's all too easy for a hacker to access your computer. The threat is so well-known it was featured in a Mr. Robot plot. And yet humans will, without fail, disregard the risk and plug in unknown drives.

The experiment: Researchers dropped about 300 USB drives around the University of Illinois Urbana-Champaign campus. The researchers labeled them in a variety of ways, like attaching keys or a return mailing address to some of them, and filled the USB drives with fake files like "résumé" and "pictures."


It took only six minutes for someone to pick up one of the drives and plug it in somewhere. Out of all the dropped drives, a full 48% were picked up, plugged in and explored.

"This surprisingly high conversion rate demonstrates that USB drop attacks are a real threat and underscores the importance of educating users on the risk of plugging in untrusted USB devices," Google researcher Elie Bursztein, who worked on the study, wrote on his blog.

People were less likely to click around inside the drive when there was a label attached. Many reported back to the researchers that they really just wanted to help find the drive's owner. Otherwise, the research found that the attack was effective no matter who picked up the drive or where they were.

Curiosity got the best of them.


Use protection: Hackers in movies have to use crack-shot coding skills and custom equipment to gain access to secure systems. But in real life, everyday "hacking" is mostly about taking advantage of people's gullibility. They can guess passwords, impersonate you over the phone to a customer support representative or just set up a fake public Wi-Fi network and wait for you to connect.

There are a few basic measures that protect against basic exploits, like creating complicated passwords and keeping your software up to date.

But when it comes to USB drives, you could just ban them entirely — at your company, in your home, or just by instituting a no-plugging-things-in policy for yourself.

"With the advent of cloud storage and fast internet connections, this policy is not as unreasonable as it was a few years back," Bursztein wrote.
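A no-USB-drive policy is only as good as your ability to notice when it is broken. As an added example (not from the article or the study), the script below scans Linux kernel log lines for USB mass-storage attach events, pairs each with the device's vendor/product IDs and the disk it exposed, and skips devices on an allowlist; the sample log lines and the device IDs in them are constructed, not real hardware.

```python
"""Flag USB mass-storage attach events in Linux kernel log lines (dmesg/journal)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, FrozenSet, Tuple

# Constructed sample log lines: a flash drive on port 1-1, then a keyboard on port 1-2.
SAMPLE_LOG = """\
kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
kernel: usb 1-1: Product: Flash Drive
kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
kernel: usb 1-2: New USB device found, idVendor=aaaa, idProduct=0002, bcdDevice= 1.00
kernel: input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input7
"""

# Patterns follow the kernel's usbcore, usb-storage and sd driver messages.
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISK = re.compile(r"\[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class Finding:
    port: str          # USB bus port the device appeared on, e.g. "1-1"
    vid: str           # idVendor as printed by the kernel
    pid: str           # idProduct as printed by the kernel
    disk: Optional[str] = None  # block device it exposed, if the sd line was seen


def find_mass_storage(log_text: str,
                      allowlist: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Return one Finding per mass-storage attach whose (vid, pid) is not allowlisted.
    Keyboards, mice and other non-storage devices produce no finding."""
    devices: Dict[str, Finding] = {}
    findings: List[Finding] = []
    pending: Optional[Finding] = None  # last flagged device still waiting for its sd line
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m["port"]] = Finding(m["port"], m["vid"], m["pid"])
            continue
        m = STORAGE.search(line)
        if m:
            dev = devices.get(m["port"])
            if dev and (dev.vid, dev.pid) not in allowlist:
                findings.append(dev)
                pending = dev
            continue
        m = DISK.search(line)
        if m and pending:
            pending.disk = m["dev"]
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_mass_storage(SAMPLE_LOG):
        print(f"policy violation: mass storage {f.vid}:{f.pid} on port {f.port} -> /dev/{f.disk}")
```

Feed it `journalctl -k` output on a host where removable drives are banned, and add known-good devices as `(vid, pid)` pairs in the allowlist.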