USB thumb drives are undeniably convenient, but due to their small size and — depending on who you are — their rapid proliferation, they can be easy to lose track of. And now we have proof that we should be more careful about the information we store on these drives, as a recent study from the University of Illinois Urbana-Champaign (here’s a link to the PDF) shows that as often as not, someone who finds a random USB drive will look through whatever is stored on it.
As part of an experiment, a team from the University dropped a total of 297 USB drives around the campus in locations ranging from parking lots to libraries. Almost all of the drives were found to be moved from wherever they had been left, and at least 45 percent of them were inserted into a computer and rifled through.
The team seeded each drive with a number of documents masquerading as various file types with names like “resume,” “Winter Break” photos, and even answers for exams. In reality, all of these were HTML documents that, once opened, would alert the researchers that the drive in question was being looked at. It remains possible that far more drives were plugged in, and the user simply never clicked on any of the documents.
Once an HTML file had been opened, the user was informed of the nature of the study, and asked if they would like to participate further by answering a few questions. Only 43 percent of the users who had clicked on a file opted to continue, but of them, 68 percent said they had intended to return the drive, while 18 percent admitted that they had only been interested in the contents.
The study — referred to by its authors as an “attack” — was done to test how effective this approach would be to either steal or damage information. A faulty USB device can fry a computer in the right conditions, and they can also obviously transmit malware. Somewhat disconcertingly, many of the unwilling participants in the study seemed to either be unaware of these risks, or not to care about them.
Related: Amazon tightens up rules on USB Type-C cables after Google engineer’s criticisms
“We hope that by bringing these details to light, we remind the security community that some of the simplest attacks remain realistic threats,” the paper’s authors write. “There is still much work needed to understand the dynamics of social engineering, develop technical defenses, and learn how to effectively teach users how to protect themselves.”