Protecting Information on Flash Drives
A joint study of Illinois and Michigan universities revealed that 48% of people plug in random flash drives. We have selected the main points and findings which prove that the user behaviour plays an important role in protecting information.
At any security conference, you will inevitably hear how ethical hackers (white hats) claim to be able to hack into the security system of any company by leaving a flash drive with malicious code in the parking of this company. This story is so famous that it was filmed in the sixth episode of Mr. Robot. We can’t help but ask: is such an attack effective or is it just a myth?
To test this, we scattered nearly 300 flash drives on the campus of the University of Illinois Champaign-Urban and estimated how many people had connected them. We found out that users would pick up, connect flash drives, as well as click on the files on them in 48% of cases. Moreover, the first flash drive was picked up in less than 6 minutes.
To check whether users pick up flash drives they find, we dropped five different types of drives around the territory of the University of Illinois: flash drives with labels “exams” or "confidential", flash drives with keys, flash drives with keys and a return label, and unlabeled drives.
Each flash drive contained files that are named consistently with the labels:
- Unlabeled flash drives, flash drives with keys and flash drives with a return label contained personal files.
- Confidential labeled flash drives contained business files.
- Exams labeled drives contained exam solutions.
All the files were HTML documents which contained an .img tag for an image located on our server. This allowed us to detect whether the USB flash drive was connected and whether the file was opened without executing any code. As soon as the user opened an HTML file, he/she was offered to participate in the survey, answering why he/she connected the flash drive, in exchange for a gift card. About 20% of participants (62 users) agreed to participate.
The "implant" of infected drives is extremely effective for hacking
So, what is the effectiveness of dropping drives with a malicious code? It turned out to be very effective: 48% of users not only connected drives to the computer but also opened at least one file on them. Surprisingly high success rate proves that these attacks are realistic threats and shows the need to raise security awareness.
Spreading flash drives with malicious code brings quick results
Moreover, many people connect drives very fast. 20% of connected drives were plugged in within the first hour, and 50% of drives – within seven hours, as it can be seen from the chart below.
This means that the dwell-time is very small. In our case, the first reports on suspicious flash drives at the university appeared on Reddit about a day after the first wave, but this did not stop people from connecting our drives.
Drive appearance matters
As you can see in the diagram below, drives with curious labels have a higher connection success rate than drives without any kind of distinctive labelling. What is surprising, attached physical keys had a higher success rate because of altruistic behavior of users. Drives with a return label were connected less often due to the availability of another means to locate the owner. Please note that the difference in the opening rate is NOT statistically significant, except that drives with a return label were connected less frequently.
Geographic location does not affect opening rate
As can be seen from the graph below, the opening rate is approximately the same for each location. This confirms that hackers do not need to enter the victim's territory for an effective attack. Placement of drives in the parking lot is just as effective as placement in a protected conference room.
Everyone is vulnerable to attacks via random drives
Everyone is vulnerable to attacks via random flash drives. We did not reveal the difference between demographic data, security awareness and education of the users who connected the drives.
We let you think about why there is no negative correlation between information security awareness and vulnerability. However, the question then arises as to the effectiveness of security awareness. The subject should be studied more thoroughly so that information security education could help people to stay more protected.
Motivation of users
When asked why they connected the drive, the majority of the respondents answered that they wanted to return the flash drive to the owner (68%). As can be seen from the diagram below, only 18% said that they did it out of curiosity.
We observed that the motivation in users' responses does not match the opened files. This can be seen from the diagram below. For example, regarding the flash drives with keys, users more often clicked on winter vacation photos first rather than on the resume that presumably would contain the owner's contact information. It is notable that the same behavior was observed in the case of the flash drives with a return label but not in the case of unlabeled drives.
The results of this study show that the USB security is a real concern, and dropping flash sticks is a cheap and practical tool for hacking.