Do cyber criminals really leave infected USB drives in parking lots?
December 1, 2022 10:39 AM

My workplace’s cybersecurity training provider heavily emphasizes the problem of cyber criminals sneaking around companies’ sidewalks and parking garages, leaving malware-infected USB drives on the ground. This is supposedly meant to trick unsuspecting employees into plugging them in and giving the bad guys access to the company’s network. I have never heard of this happening in real life and it seems like a really inefficient way to do crime - is this a genuine risk or a creative hook to keep trainees awake?
posted by centrifugal to Computers & Internet (22 answers total) 4 users marked this as a favorite
A paper from 2016:

Users Really Do Plug in USB Drives They Find
We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45 - 98% and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers. We conclude with lessons learned and discussion on how social engineering attacks - while less technical - continue to be an effective attack vector that our community has yet to successfully address.
posted by zamboni at 10:44 AM on December 1, 2022 [12 favorites]

Well, it's been known to happen. The problem is, when the OS mounts the drive, it can execute code stored on the drive and code does not have to be benign.
posted by SPrintF at 10:44 AM on December 1, 2022 [4 favorites]

Seems like it does still happen sometimes. Not sure how common it is.
posted by BungaDunga at 10:45 AM on December 1, 2022 [2 favorites]

Another example from a hospital. I don't think it's *common*, but I imagine the likelihood scales up with the value of the data they're targeting.
posted by sagc at 10:45 AM on December 1, 2022 [2 favorites]

Preorder your Hak5 Rubber Ducky now!
posted by zamboni at 11:01 AM on December 1, 2022 [2 favorites]

The problem is, when the OS mounts the drive, it can execute code stored on the drive and code does not have to be benign.

For devices like the Rubber Ducky, when you plug it in, it's not just a drive. The OS sees a new keyboard/mouse, which then starts doing whatever the Rubber Ducky is scripted to do.
posted by zamboni at 11:29 AM on December 1, 2022 [5 favorites]

Yeah, and a stock USB drive can be flashed with firmware to act like a Rubber Ducky (a so-called "BadUSB" attack).
posted by BungaDunga at 11:42 AM on December 1, 2022 [2 favorites]
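The two comments above describe a "drive" that enumerates as a keyboard (Rubber Ducky) or as storage plus a keyboard (BadUSB). The check below is an added example, not code from any poster or from Hak5, showing how a host-side policy can flag those shapes from the interface descriptors the device presents on enumeration; USBGuard's rules work on the same class/subclass/protocol triples. The device list is constructed for the example and the vendor/product IDs are placeholders, not real products.

```python
from dataclasses import dataclass

# USB-IF interface class codes (bInterfaceClass) used by the check.
CDC_CONTROL = 0x02
HID = 0x03
MASS_STORAGE = 0x08
CDC_DATA = 0x0A
WIRELESS_CONTROLLER = 0xE0
# Boot-protocol HID: bInterfaceProtocol 1 = keyboard.
HID_KEYBOARD_PROTOCOL = 0x01
NETWORK_LIKE = {CDC_CONTROL, CDC_DATA, WIRELESS_CONTROLLER}


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    label: str
    # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface,
    # as the host reads them from the configuration descriptor on enumeration.
    interfaces: tuple


def assess(dev: UsbDevice, trusted_keyboards: frozenset = frozenset()) -> list:
    """Return findings that should block or quarantine the device; [] means allow."""
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    keyboards = [i for i in dev.interfaces
                 if i[0] == HID and i[2] == HID_KEYBOARD_PROTOCOL]
    findings = []
    if MASS_STORAGE in classes and HID in classes:
        # A "flash drive" that can also type: the BadUSB / Rubber Ducky shape.
        findings.append("storage+HID: device can inject keystrokes")
    if MASS_STORAGE in classes and classes & NETWORK_LIKE:
        # A "flash drive" that is also a NIC can offer itself as route or DNS.
        findings.append("storage+network: device presents a network interface")
    if keyboards and (dev.vid, dev.pid) not in trusted_keyboards:
        # Any new keyboard is held until a human approves it, whatever it claims to be.
        findings.append("unapproved keyboard: hold for manual authorisation")
    if len(keyboards) > 1:
        findings.append("multiple keyboard interfaces on one device")
    return findings


def triage(devices, trusted_keyboards=frozenset()) -> dict:
    return {d.label: assess(d, trusted_keyboards) for d in devices}


# Constructed sample: the vendor/product IDs are placeholders, not real products.
SAMPLE_DEVICES = (
    UsbDevice(0xAAAA, 0x0001, "plain flash drive",
              ((MASS_STORAGE, 0x06, 0x50),)),              # SCSI transparent, bulk-only
    UsbDevice(0xBBBB, 0x0001, "office keyboard",
              ((HID, 0x01, 0x01), (HID, 0x00, 0x00))),     # keyboard + consumer control
    UsbDevice(0xCCCC, 0x0001, "found in car park: keyboard only",
              ((HID, 0x01, 0x01),)),
    UsbDevice(0xCCCC, 0x0002, "found in car park: storage + keyboard",
              ((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01))),
    UsbDevice(0xCCCC, 0x0003, "found in car park: storage + ethernet",
              ((MASS_STORAGE, 0x06, 0x50), (CDC_CONTROL, 0x06, 0x00), (CDC_DATA, 0x00, 0x00))),
)
TRUSTED_KEYBOARDS = frozenset({(0xBBBB, 0x0001)})

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_DEVICES, TRUSTED_KEYBOARDS).items():
        print("BLOCK" if findings else "ALLOW", label, findings)
```

The point of the "unapproved keyboard" rule is that a keyboard-only Rubber Ducky has nothing suspicious in its descriptors at all; the only defence at the descriptor level is to hold every new keyboard for a human decision. On Linux the same triples are exposed under /sys/bus/usb/devices/, and USBGuard expresses the storage-plus-keyboard rejection with `with-interface all-of { ... }` rules (see its documentation for the exact syntax).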

Older 2011 Wired report saying in a test 60% of USB devices were plugged into a computer. So there are improvements over 5 years vs. the study cited by zamboni...
posted by Dotty at 12:07 PM on December 1, 2022 [1 favorite]

I knew a guy who did physical pen-testing as part of his job; he called it "candy dropping" and it worked routinely.

Drop a dozen or so - all you need is for one to find its way into the network and get plugged in. The script immediately downloads malware, connects to a command-and-control-server somewhere else, and it's all over but the shouting.
posted by jquinby at 12:12 PM on December 1, 2022 [4 favorites]

ah, and these thumb drives would also be labeled with "PORN", "PAYROLL" and the like.
posted by jquinby at 12:16 PM on December 1, 2022 [2 favorites]

The answer is that a phishing link sent to someone's email requires the recipient complete a lot of steps to really take over a computer. Sure, you can take over the browser with a few erroneous clicks, but that will only get you access to that user's browser and any credentials they enter. With the USB drive, the sky's the limit. You can install native code, including hidden payloads that live in the BIOS or boot sector and will survive a format.
posted by wnissen at 12:23 PM on December 1, 2022 [1 favorite]

Back when memory/storage was insanely expensive (like, in 2004-ish I paid >$80 for a 1GB flash drive), I did occasionally find dropped flash drives and I totally did use them, because I had switched to Mac around then and hardly anybody made viruses for Mac back then, and because, as I mentioned, storage was stupid expensive and I had a big need for it as a reporter/photographer using almost exclusively Mac.

I probably wouldn't do that now though, but economics + user experience go a long way to predict behavior. Also, those drives mostly had just pirated music and videos, not, afaict, malware.
posted by toodleydoodley at 12:47 PM on December 1, 2022 [1 favorite]

This would be an approach an attacker would take if they were targeting your workplace's system specifically (depending on where you work this might be a very likely threat or an absurdly unlikely threat). Hackers are not going to blanket a city in USB drives to harvest a few credit card numbers or passwords. But for corporate espionage and high stakes stuff it's a very low-cost, high-reward thing to try. I think the CIA got access to an Iranian nuclear facility's systems this way? I might be misremembering that, it was years ago.
posted by 100kb at 1:06 PM on December 1, 2022 [7 favorites]

I found one in a free library. It was obviously a setup. I went home and turned off the setting which makes a computer run the program found on a USB drive. This is easy to do, instructions are all over the web, and you should do it because in the late 1990s Microsoft started adding the ability for any device or program to run a program without asking the user. This was a catastrophe for users and for security, and they refused to back down because there might be someone, somewhere, who liked this and might buy one more copy of Windows. You should disable this as much as possible, and the USB thing is a good start. Even if it's all you do, it's wise.
I did this, and I plugged in the USB and looked at it. There was one file, a movie, and a viewer. I ran it.
"Hello. As you're probably aware, the Earth is flat ..."
So it was a virus, but the kind that takes over your mind and not your computer. I meant to watch it, but it was like anti-evolution stuff: amusing, infuriating, and who has time?
I virus scanned my computer and it was fine.
But I have a lot of USB keys. I have ones I've found. I've never found anything on one that was worth looking at, and I can't imagine what that would be. Secrets to a vast conspiracy? An unpublished novel of impossible brilliance? If I found one and wasn't confident, I'd format it, unseen, and use it.
posted by AugustusCrunch at 2:02 PM on December 1, 2022 [3 favorites]

It doesn't hurt to mention the threat of plugging in random flash drives, but it seems like the training should really emphasize phishing attacks, since those are the primary vector for network breaches.
posted by alex1965 at 2:20 PM on December 1, 2022 [2 favorites]

My understanding was that phishy thumb drives were re-packed into blister packs and placed on the shelves in kiosks and variety stores near target institutions.
posted by ovvl at 5:27 PM on December 1, 2022 [2 favorites]

And, just to cover all the possibilities, there are also USB Kill Sticks, which charge capacitors from the power pins as soon as they're plugged in and then in seconds, discharge it all back into the computer through the data pins. Obviously, that is not a security exploit, it turns the computer to toast. But it might be a way for someone to "up the man" if the drives were left near a previous employer or a store they had a gripe with.

Also, at my own company we are definitely paranoid for good reason. They do indeed send us all manner of stupid emails with click me links, or phone out of the blue asking for help/information. Best course of action is forward email to Security mail box, and be a jerk to the caller. Otherwise you end up going to remedial security school.
posted by forthright at 6:29 PM on December 1, 2022

As I heard it, someone dropped some USB drives in the parking lot at the Pentagon once upon a time. Within a few weeks the cyber-security guys were running around the building, super-gluing all the USB ports shut. (I got that story from my brother, dunno if it's actually true, but it's truthy!)

It's still a violation of cyber-security rules to plug unapproved devices into USB ports on DOD & DHS computers.

(Nobody tell the IT guys about my wireless mouse!)
posted by suelac at 9:22 PM on December 1, 2022

This is why I wish we had public sanitizing stations - places which offered a quarantined socket where you could insert a dubious USB, and it would be cleared of any harmful software, as AugustusCrunch describes (or maybe just formatted, given no other way to make a dangerous one safe). Relatives occasionally gift me with these Flash drives, loaded with photos and the writings of my ancestors, but they never see the fright in my eyes when they hand them to me, I guess because they don't receive annual security briefings warning to never plug unknown USB memory sticks into your computer's drive. (I take them to the public library, for inspection on one of their computers.)
posted by Rash at 8:48 AM on December 2, 2022 [1 favorite]

This sort of cyber security training gives cyber security training a bad name! It's sending out the message that attacks are obvious.

Aside from the Stuxnet Natanz attack, I've heard of this happening in real life.

Is it a possible vector? Of course... but statistically, it would appear it does not happen that often.

The reason is purely logistical. It would take thousands of USBs physically distributed around the premises of an organization to get a possible result. In reality, it's much easier for a bad actor just to send out thousands of infected emails. These emails will be very plausible and use an emotional pull.
posted by jacobean at 2:28 PM on December 2, 2022

Yes, it happens. I've never seen any (and where I work has never been that exciting) but there's enough knowledge in the field to respond to "Surely that doesn't happen?!?" with "Yes it does and stop calling me Shirley."

Rash: This is why I wish we had public sanitizing stations - places which offered a quarantined socket where you could insert a dubious USB, and it would be cleared of any harmful software.
I'm surprised there's not a crowd-funded project for a dumb write-only wiper or a read-not-execute dumb malware scanner & sheep-dip.
posted by k3ninho at 3:37 PM on December 3, 2022

I'm surprised there's not a crowd-funded project for a dumb write-only wiper or a read-not-execute dumb malware scanner & sheep-dip.

There have been various projects in this general area, like CIRClean.
posted by zamboni at 4:04 PM on December 4, 2022 [1 favorite]
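As an added example, and not CIRClean's code or anything a poster wrote: a minimal read-not-execute sanitiser of the kind Rash and k3ninho ask for above. It walks the found volume, admits only files whose content matches an allowlisted signature (never their extension), refuses autorun metadata, shortcuts and executables by name, and names the clean copies from their content so a "holiday.jpg.exe" cannot survive the crossing. It assumes the volume is already mounted read-only with noexec, nosuid and nodev on a machine you can afford to rebuild; the "found drive" here is constructed in a temporary directory. A real sheep-dip converts documents (rasterising PDFs, for instance) rather than copying them; the crude PDF marker scan only illustrates why copying is not enough.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Content signatures we will carry across, and the extension the clean copy gets.
# The name on the found drive is never trusted for type.
ALLOWED_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"%PDF-", ".pdf"),
)
TEXT_SUFFIXES = {".txt", ".md", ".csv"}
# Dropped on name alone: autorun metadata, shortcuts and anything a host might execute.
DENY_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
DENY_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".lnk", ".bat", ".cmd", ".ps1",
                 ".vbs", ".js", ".jar", ".msi", ".hta", ".url"}
# Crude active-content markers for PDF; a real sheep-dip converts or rasterises instead.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def classify(path: Path) -> tuple:
    """Return (extension for the clean copy, None) or (None, reason it was dropped)."""
    if path.is_symlink():
        return None, "symlink"
    if path.name.lower() in DENY_NAMES or path.suffix.lower() in DENY_SUFFIXES:
        return None, "denied name or extension"
    data = path.read_bytes()          # read only; nothing on the volume is ever run
    for magic, ext in ALLOWED_MAGIC:
        if data.startswith(magic):
            if ext == ".pdf" and any(m in data for m in PDF_ACTIVE_MARKERS):
                return None, "pdf with active content"
            return ext, None
    if path.suffix.lower() in TEXT_SUFFIXES and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return path.suffix.lower(), None
        except UnicodeDecodeError:
            pass
    return None, "unrecognised content"


def sanitize(src: Path, dst: Path) -> dict:
    """Copy admitted files from src (assumed mounted ro,noexec) to dst; report the rest."""
    report = {"copied": {}, "dropped": {}}
    for root, dirs, files in os.walk(src):         # followlinks=False by default
        dirs[:] = [d for d in dirs if not (Path(root) / d).is_symlink()]
        for fname in files:
            p = Path(root) / fname
            rel = p.relative_to(src)
            ext, reason = classify(p)
            if ext is None:
                report["dropped"][rel.as_posix()] = reason
                continue
            data = p.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            # Clean name = first stem + content-derived extension, so "cat.jpg.exe"
            # style double extensions cannot survive the crossing.
            stem = rel.name.split(".")[0] or "file"
            out = dst / rel.with_name(stem + ext)
            if out.exists():                        # two inputs collapsed to one name
                out = out.with_name(f"{stem}-{digest[:8]}{ext}")
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
            report["copied"][out.relative_to(dst).as_posix()] = digest
    return report


# Constructed "found drive" contents for the demo; nothing here is real malware.
SAMPLE_FILES = {
    "holiday/beach.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "grandma_letters.txt": "Dear all,\nthe farm in 1948 ...\n".encode("utf-8"),
    "photo.bin": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,            # mislabelled PNG
    "recipe.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "scan.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n",
    "family.png": b"MZ\x90\x00" + b"\x00" * 32,                  # PE header, not an image
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 32,
    "autorun.inf": b"[autorun]\nopen=setup.exe\n",
}


def demo() -> dict:
    """Materialise SAMPLE_FILES in a temp dir, sanitise it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "found_drive", Path(tmp) / "clean"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        return sanitize(src, dst)


if __name__ == "__main__":
    for section, entries in demo().items():
        print(section)
        for name, info in sorted(entries.items()):
            print(f"  {name}: {info}")
```

The hashes in the report are what you hand over with the clean copies, so whoever receives them can check that what reached the trusted side is exactly what the sheep-dip admitted. Note what the allowlist deliberately leaves out: Office formats, archives and anything else that can carry macros or nested content, which a copy-based filter cannot make safe.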
