Elie Bursztein of Google’s anti-abuse research team tested how effective spreading malware would be through “lost” USB sticks on a university’s campus. He found that 98 percent of the 297 dropped usb sticks were picked up by people, and of those who found them almost half (45 percent) of them clicked on the stored files inside the USB sticks.
Most operating systems, with the exception of Qubes OS, don’t isolate the USB drives from the rest of the system by default. Therefore, if there is malware on them, it could infect the systems either through user action (by clicking on the files) or even through inaction through various firmware vulnerabilities.
Testing People’s Behavior Around “Lost” USB Drives
Bursztein, the researcher behind this project, also tested to see if giving the sticks various labels, such as “Confidential,” or “Exams,” would influence the behavior of those who found them. He discovered that when they were labeled, the people finding them were more likely to open the sticks on their PCs compared to when the sticks had no label at all. However, he also found that those drives that had a return address on them, were much less likely to be opened.
To further test the behavior of those who found the sticks, Bursztein also labeled the files as “private” on sticks that came with physical keys attached, were labelled with a return address, or were unlabelled. The files on the “confidential” sticks were labeled with “business.” None of the files had the expected content on them, though. They were all HTML files with embedded images that were connecting to the researcher’s server, from where he could see which files were opened.
Upon opening the files on the drives, the users were asked if they wanted to participate in a survey, with the possibility of earning a gift card. About 20 percent of them agreed. Over two thirds of those who agreed said that they intended to return the sticks to their owners, 18 percent said they were “curious” about what was in them, and 14 percent gave other explanations.
Potential Attack Vectors
There are multiple ways in which the users could have been infected. The HTML files on which they clicked could have activated malicious code when they were opened, or the users could’ve been redirected to a phishing site that would then try to steal their credentials. There’s also the possibility that an attacker could put malicious executable files on the USB drives. Then, if users clicked on them and allowed the files to run, their systems would’ve become infected.
Alternatively, attackers could use devices that physically look like USB sticks but would be recognized by a computer as keyboards. This is a more sophisticated attack done through HID (Human Interface Device) spoofing. It allows attackers to “inject” some keystrokes as a set of commands into the systems, which would then give the attackers remote access to those systems.
The most sophisticated type of attack done by seeding USB sticks is one that takes advantage of zero-day vulnerabilities in a computer’s USB drivers. This is a method that’s used more often by state-sponsored attackers. One example of such an attack is the infamous Stuxnet malware, which infected Iran’s nuclear facilities.
Because of the complexity and cost, attacks that take advantage of USB firmware zero-days should be more rare. However, large organizations should still be on the lookout for those, as that’s one way large data breaches could happen. Most regular users would be targeted more often with keyboard-spoofing devices that look like USB sticks, or real USB sticks that contain malicious files, which the users may access out of curiosity.
Security researchers recommend that you don't insert random USB sticks into your computer. If you have to open them, at least have your system’s patches up to date. Ideally, one would only open them in a virtual machine, specifically set up for such risky scenarios, or on a system that doesn’t allow writing on its own drive.