In Elf, Santa warns Buddy “you see gum on the street, leave it there. It isn’t free candy.” The same rule applies to USB drives, people. Should you happen to find a stray USB drive lying around in the subway, parking lot, or out in front of your bus stop, your first thought shouldn’t be “man, I can’t wait to find out what’s on this thing!” It shouldn’t be, but for a lot of people that’s exactly what they’re thinking.
A group of researchers from the University of Illinois Urbana-Champaign decided to do a little experiment recently. They took 297 USB flash drives and scattered them around the campus — in the library, in classrooms, on sidewalks — wherever pedestrians might see them. Their finding? That nearly every single drive (around 98%) at least got picked up and moved. The more alarming discovery is that at least half of the sticks actually got plugged into a computer.
Okay, maybe that’s not such a big deal since not many computers today still allow programs to auto-run from a USB drive. Still, these drives could’ve been designed to vandalize machines rather than infect them, leaving the clueless folks who discovered them with roasted USB ports or a dead mainboard.
Preventing auto-runs only neutralizes some of the risk. It doesn’t protect users who happen to take things a step further and start clicking on a drive’s contents. According to the University’s report, a terrifying 45% of people who found one of the drives opened a file. Clearly they either don’t know about malware like Stuxnet or they figure that’s the kind of thing that happens to other people.
But hey, apparently even cosmonauts make that mistake.