Connectivity has never been more pervasive than today. In a span of just two hundred years western civilization has gone from the electric telegraph to satellite communication. Access to the internet, which just thirty years ago was limited to land-line dial-up connections, has become ubiquitous — only a screen swipe away. Portable data storage devices, such as USB drives, might not be quite as useful or sought after as they once were, but they remain an undeniably handy way to carry your data around.
So when you spot a USB drive lying abandoned on the floor or on the sidewalk, you’re faced with a very puzzling choice. Should you pick it up, or not? Surely a quick peek at the files it contains will help you return the drive to its rightful (and thankful) owner; it’s a civic duty and who better than you to see it through to the end? Or maybe you’re more inclined to use it yourself; it’s finders keepers after all! Moral conundrums aside, one thing is sure — USB drives discarded in public places won’t go unnoticed for long, a new study has found.
A University of Illinois Urbana-Champaign team left 297 USB memory sticks, dropped seemingly by accident, around the university grounds in places like parking lots, classrooms, cafeterias, libraries or hallways. Roughly 98% of them were removed from their original location, and almost half of them were snooped through.
The researchers wanted to know what people would do with the data on the drives after they found them, so they put HTML documents cunningly disguised with names such as “documents,” “math notes,” or “winter break pictures” on the USB sticks. If anyone tried to open these files on a computer connected to the internet, the researchers would receive a notification.
In the end, the team received 135 notifications of users opening the files, corresponding to 45% of the discarded drives. The actual number of accessed drives is most likely higher than this, as the researchers were only notified if the HTML files were opened, and even then only if an internet connection was established at the time of opening the file.
The unknowing subjects were informed about the experiment when they opened the HTML files on the drive, and were invited to complete an anonymous survey to explain what had motivated them to pick up and use the drive in the first place. Only 43 percent of the participants chose to provide feedback. Most of them (68 percent) said that they were trying to return the drive to its owner. Some of the drives had been put on key rings with dummy house keys, and many of the participants listed this as one of the reasons behind their altruistic intentions. Another 18 percent reported that they were just curious to see what was in the files. Two very honest people admitted that they were simply planning on keeping the drive.
Still, even those driven by good intentions snooped around the data, opening files like photos or texts on the drives. An argument could be made that they were trying to see what the owner looks like; but seeing as the drives had a “personal resume” file complete with contact details, I think it’s safe to say that they just let their curiosity get the better of them.
There’s nothing wrong with that. Curiosity can be a very powerful force; and when you combine that with the temptation of a USB drive, containing data only you have access to, it can become downright irresistible. But it’s also a huge security risk.
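A defender can check a found drive's HTML files for this kind of call-home behaviour without ever rendering them. The sketch below is an added example, not code from the study or from this article; it assumes the notification comes from a remote resource reference or meta refresh (the article does not say how the files reported back), and the sample markup and `example.invalid` URL are constructed.

```python
from html.parser import HTMLParser
from pathlib import Path

# (tag, attribute) pairs a browser fetches automatically when the page renders.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
    ("video", "src"), ("audio", "src"), ("embed", "src"), ("object", "data"),
}

def is_remote(url):
    """True for http(s) and protocol-relative URLs, False for local paths."""
    return url.strip().lower().startswith(("http://", "https://", "//"))

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that would cause a network request on open."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for t, a in AUTO_FETCH:
            if tag == t and is_remote(attrs.get(a, "")):
                self.hits.append((tag, attrs[a].strip()))
        # <meta http-equiv="refresh" content="0; url=..."> navigates on load.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            target = attrs.get("content", "").partition("=")[2].strip(" '\"")
            if is_remote(target):
                self.hits.append((tag, target))

def find_remote_refs(html_text):
    finder = RemoteRefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Read every .htm/.html file under root as text (never rendered)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            hits = find_remote_refs(path.read_text(errors="replace"))
            if hits:
                report[path.name] = hits
    return report

# Constructed sample, not a file from the study.
SAMPLE = ('<h1>Winter break pictures</h1><img src="photos/beach.jpg">'
          '<img src="http://tracker.example.invalid/open?id=PLACEHOLDER" width="1">')
```

Run `scan_tree` against a read-only mount of the drive on an isolated machine; an empty result only rules out the patterns listed here, not script-driven requests or non-HTML file types.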
More than two-thirds of respondents had taken no precautions before connecting the drive to their computer. “I trust my Macbook to be a good defence against viruses,” said one report. Others admitted opening the files on university computers to protect their own systems.
“This evidence is a reminder to the security community that less technical attacks remain a real-world threat and that we have yet to understand how to successfully defend against them,” the authors write. “We need to better understand the dynamics of social engineering attacks, develop better technical defences against them, and learn how to effectively teach end users about these risks.”
Despite the ridiculousness of these kinds of experiments, the study shows that people aren’t cautious enough when it comes to opening unknown files on totally random drives.
“It’s easy to laugh at these attacks, but the scary thing is that they work,” lead researcher Matt Tischer told Motherboard, “and that’s something that needs to be addressed.”
The findings, which are being presented next month at the 37th IEEE Symposium on Security and Privacy in California, also highlight just how unaware or unconcerned we can be about the potential security risks of opening unknown files on randomly found devices.