Black Hat: Do USB Keys Left in Parking Lots Get Picked Up?
Will people pick up randomly placed USB keys and stick them in their PCs? A Google researcher who tested this out found surprising results.
LAS VEGAS—In the information security business, there is a longstanding myth that users will pick up random USB keys that can easily infect their machines. That's an urban legend that Elie Bursztein, anti-fraud and abuse research team lead at Google, put to the test and detailed in an amusing session at the Black Hat USA conference here.
Rather than just randomly drop USB drives, Bursztein developed a whole process that involved placing 297 keys at various locations on the University of Illinois campus. Bursztein worked with campus officials and didn't deploy malware on any of the USB keys, but rather included a simple HTML file for tracking as well as a follow-up survey for victims so they can learn what they did wrong. Bursztein built an application on Google App Engine with a mobile tracking app for Android to manage the process.
Not all the keys were identical, as Bursztein used five different labels in an attempt to see if different messages would affect the pick-up rate. Among the messages was one titled "final exam results" and one labeled "confidential." Each of the keys had a number of HTML links in them as well as links to pictures. To add further diversity to the study, Bursztein placed the keys in various locations around the university campus—including in the parking lot, just outside a building doorway, in a hallway, in a classroom and in a common room.
Surprisingly, 46 percent of the dropped keys "phoned home," according to Bursztein, meaning someone picked up the key, plugged it into a computer and clicked a link.
Bursztein said he found no statistically significant variation across the different keys or even the drop locations.