Last week was the annual Black Hat conference held in Las Vegas. Thousands of the best hackers from around the world, gathered to show the research they have uncovered on various topics. Among many of these reports of malicious viruses, vulnerabilities and hacks one research report got a little less spotlight then it deserved.
Google researcher Elie Bursztein created a study in which he dropped 297 USB flash drives in various locations around the University of Illinois’ Urbana-Champaign campus. Inside these flash drives he created and installed special software that would allow them to call home if plugged into a system. The scary part about this study is that out of the 290 or 98 percent of drives found. There were up to 45 percent plugged into a computer system.
Security professionals have always been concerned with the ease in which a hacker can slip infected software into a flash drive. It would be very simple for a hacker to leave a flash drive outside of the company they would want to breach. From there all the would be attacker needs is for an employee to plug it into one of the company’s computers.
Interestingly enough, when these users were later surveyed on why they plugged in these devices. The most common answer was to find clues on the owner of the drive. This potential malicious attack takes advantage users intending to return the lost property.
Our recommendation is to avoid plugging any unknown flash drives into your computer, despite your good intentions it’s impossible to know if the drive could be infected. We recommend destroying the drive or if you want to find the owner to hand it over to the nearest lost and found.
Many security companies use usb flash drives as part of a security penetration test. Penetration testing is the method that ethical hackers use to test how solid the security of a network is. This particular method of dropping flash drives internally is referred to as social engineering. Many companies have annual user awareness training to train employees things to watch out for. Free usb drives are at the top of the list.
If you are curious about the finer details of this report, you can find more information here:
Photo courteously of William Hook via Flicker (CCL 2.0)
And the University of Illinois research team