LAS VEGAS—In the information security business, there is a longstanding myth that users will pick up random USB keys that can easily infect their machines. That's an urban legend that Elie Bursztein, anti-fraud and abuse research team lead at Google, put to the test and detailed in an amusing session at the Black Hat USA conference here.
Rather than just randomly drop USB drives, Bursztein developed a whole process that involved placing 297 keys at various locations on the University of Illinois campus. Bursztein worked with campus officials and didn't deploy malware on any of the USB keys, but rather included a simple HTML file for tracking as well as a follow-up survey for victims so they can learn what they did wrong.
Bursztein built an application on Google App Engine with a mobile tracking app for Android to manage the process. Not all the keys were identical, as Bursztein used five different labels in an attempt to see if different messages would affect the pick-up rate. Among the messages was one titled "final exam results" and one labeled "confidential." Each of the keys had a number of HTML links in them as well as links to pictures. To add further diversity to the study, Bursztein placed the keys in various locations around the university campus—including in the parking lot, just outside a building doorway, in a hallway, in a classroom and in a common room.
Surprisingly, 46 percent of the dropped keys "phoned home," according to Bursztein, meaning someone picked up the key, plugged it into a computer and clicked a link.
Bursztein said he found no statistically significant variation across the different keys or even the drop locations.
Bursztein's experiment included a survey that 62 people who picked up the keys ended up filling out; 68 percent of those respondents said they picked up the keys because they wanted to return the drive, while 18 percent said that they were just curious. As it turns out, 54 people did follow instructions on the drive and returned it to Bursztein.
He emphasized that his USB drop wasn't malicious, but real hackers wouldn't be as kind and likely would infect users with malware. He suggested that awareness and security training is likely a good thing, as it's important to teach people to be mindful of what they plug into their computers. Additionally, Bursztein recommended that organizations physically block the USB ports on sensitive computers in order to minimize risk.
"You don't pick up food from the floor and eat it. You might get poisoned. So don't pick up random USB keys, either," Bursztein said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.