A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com) 391

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer and computer security and privacy specialist, makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.
  • by Anonymous Coward on Wednesday April 06, 2016 @02:52PM (#51854797)

    Never know what STDs are there, but YOLO

  • People are stupid (Score:3, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday April 06, 2016 @02:52PM (#51854803)

    People are stupid, film at 11.

    • by Anonymous Coward

      This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that don't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.

      In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do w

      • You did see the malicious USB "drive" that was actually a transformer right (developed as an exhibit on how dangerous random USB can be)? It took about a second for it to build up 240V and send it back through the port. First pulse dropped the screen and probably everything else as well, the second pulse killed the whole laptop power system. And it all happened before you could even pull it. It also would keep pulsing until power to the port stopped.

    • Being that a dropped USB drive is a rather expensive way to try to infect a random PC. Unless you do so in some sort of work area, where you are hoping that the guy will do this to his work PC, so you can get onto the corporate network.
      But if a guy picks it up and plugs it into his PC, you are spending a lot of money for little value.

      However, if you found someone's USB drive, you may be able to get valuable info from that and use it to your advantage, if you were such a bad person to do so.

      In terms of

      • Re:People are stupid (Score:5, Informative)

        by BronsCon ( 927697 ) <social@bronstrup.com> on Wednesday April 06, 2016 @03:25PM (#51855169) Journal
        You can buy USB drives in bulk for under a buck a piece, they don't need to be high-capacity, a 128MB drive can hold a shitload of malware. $5 might be a bit on the expensive side to infect a random machine that may not even be your target, but $75 to infect 100 machines is cheap for a targeted attack.
      • Re:People are stupid (Score:5, Interesting)

        by Dutch Gun ( 899105 ) on Wednesday April 06, 2016 @04:13PM (#51855643)

        It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.

        Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.

        • by AK Marc ( 707885 ) on Wednesday April 06, 2016 @07:45PM (#51856987)
          You put 10 spread around the parking lot with the name/logo of the company, or a competitor (or try both and see which hits best), and someone will "be nice" and try to see whose it is to return it, or something like that. The real reason scams don't work as well as they should is that scammers prey on the weak (419 scams), rather than preying on the good people.

          And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.
    • by Tablizer ( 95088 ) on Wednesday April 06, 2016 @03:36PM (#51855281) Journal

      No, the people are NOT stupid.

      Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.

      The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.

      • No, the people are NOT stupid.

        Thousands upon thousands of years of history disagree.

    • I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.

      Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?
      • by green1 ( 322787 ) on Wednesday April 06, 2016 @05:09PM (#51856067)

        Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?

        The problem isn't that you can run harmful code off a storage device, that's a known problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.

        As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.

      • I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.

        If your screwdriver could unscrew stuff by itself without your permission, you probably shouldn't trust it.

        -

        Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?

        For some people, it's both.

    • by Megol ( 3135005 )

      Operating systems are stupid.

  • The chance of getting juicy selfies is a lot higher than getting infected.
    Kind of like picking up an unknown person in a bar and having sex. Maybe even better odds of not getting infected. The study did not compare this.

  • by cyber-vandal ( 148830 ) on Wednesday April 06, 2016 @02:53PM (#51854819) Homepage

    Does Windows still run things automatically from external media? I thought that had been changed in Win 7.

    • by gstoddart ( 321705 ) on Wednesday April 06, 2016 @02:56PM (#51854857) Homepage

      You pretty much need to disable it yourself, which means you need to know to do it.

      Microsoft still treats auto-run like it's not a terrible idea.

      It's actually kind of scary that anybody would keep doing that.

      As far as I can see, Windows still excitedly runs anything it sees.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        A security n00b, I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.

        Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.

        • by SQLGuru ( 980662 )

          Just take a look at the USB Rubber Ducky sold by Hak5 (https://hak5.org/store). It'll emulate a keyboard and has a lot of available scripts for "penetration testing". I don't recommend going to that site from work since many businesses will treat it as a hacking site (even if the information is pertinent to your work).

      • Microsoft still treats auto-run like it's not a terrible idea.

        Although Microsoft is certainly guilty of a lot of really bad design decisions, they are not alone. Almost every company that produces software seems to operate as if they've given zero consideration to security.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The larger threat isn't old school "autoplay.exe" style infections. The real fun is in storage media that compromises a host by mere virtue of popping up on the bus following insertion, with no visible userland code execution required. -PCP

    • by Anonymous Coward on Wednesday April 06, 2016 @03:10PM (#51854987)

      First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact)

      Then Windows started prompting the user before auto-run from CD drives also.

      So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.

      • This seems pretty easy to deal with. First off, a USB stick acting as a keyboard probably isn't going to get too far if it's plugged into a non-Windows computer, because all those hotkeys assume a Windows OS and probably won't work in a different environment.

        But aside from that, the easy way to deal with this problem is to simply ask the user if they want to use the new keyboard they plugged in as a keyboard, or something to that effect (and only accept input from previously-known input devices until this

        • by lgw ( 121541 ) on Wednesday April 06, 2016 @03:36PM (#51855291) Journal

          Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?

          • How about any unrecognized keyboard pops up with a window that says in big-bright letters, "You've just plugged in a new keyboard. Please type the following randomly-generated code into your keyboard to verify that you want to use this keyboard." It may be a bit annoying, but it only happens the first time you plug in a keyboard. In order for a malicious fake-keyboard to be recognized, the user either needs to type in the code anyway (which requires a certain level of stupidity) or the fake-keyboard need

            • by lgw ( 121541 )

              And if the keyboard is a barcode scanner? Or a mini gaming keyboard with only the keys near WASD?

        • our ke breaks.
          ou bu a new keboard.
          ou plug it in.
          Windows asks if ou want to use the new keboard.
          ou can't hit to accept.

          Alsoourspacebarbreaks.

          Andourenterkeorarrows.Andourmousetoo.OrmabeouunpluggedanofthemandpluggedthemintoadifferentportsoWindowsthinksthe'renewdevices.

      • by cfalcon ( 779563 )

        Right, but unlike the other stuff, this one is pretty challenging. One reasonable guess might be to use the USB keyboard if and only if there's no other USB keyboard on the device, and prompt for if you meant to attach a keyboard if there's one present. This could also be done if there's either a keyboard OR a mouse. But if both are absent, and you plug in a keyboard or an attack drive that is secretly a keyboard, how on earth could you tell?

        The fact that keyboards and mice are USB is the core issue- tha

    • by sims 2 ( 994794 )

      It was changed in Vista, actually.

      Back in WinXP you could use something like ihound on your flash drives to keep track of them.

      http://www.cbsnews.com/news/re... [cbsnews.com]

      But then Vista wouldn't do the autorun, so AFAIK no one else has made a LoJack for flash drives.

  • This is what my old PIII box is for, testing suspicious devices and software.

  • by gurps_npc ( 621217 ) on Wednesday April 06, 2016 @02:56PM (#51854861) Homepage

    1) Given: People will take a random USB stick and plug it into a computer.

    2) Conclusion: Only a moron will design an operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

    The minimal convenience of having auto-run for USB drives is far overridden by the huge security leak.

    Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

    • by cfalcon ( 779563 )

      How do you distinguish betwixt an attack keyboard versus the user plugging in a real keyboard?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      USB drives can be set to short circuit a motherboard.

      Conclusion: Don't plug unknown USB drives into your computer.

    • by ashshy ( 40594 )

      Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

      And if there is a manual, it was probably delivered on a USB stick.

    • 2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

      The OS is not the problem. OSes haven't auto-executed content on USB sticks for a long time. The problem is the USB subsystem itself. A stick could enumerate as any number of devices, including a keyboard and mouse and take control of the computer as the current user with absolutely zero possibility for the OS to do anything about it.

      A USB device has also been shown to do actual damage to hardware without the OS even running or the computer even being turned on.

      Stop trying to idiot proof things. That never works.

  • Mr. Robot (Score:5, Informative)

    by show me altoids ( 1183399 ) on Wednesday April 06, 2016 @02:59PM (#51854891)
    There is a scene in Mr. Robot where a girl dumps a bunch of infected USB sticks in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Many of the attack-vectors displayed in Mr. Robot were so used because they have been successful in the real world.

  • Turn off autorun (Score:4, Interesting)

    by cmiller173 ( 641510 ) on Wednesday April 06, 2016 @03:00PM (#51854899)
    I turned off autorun on any external media a long time ago, back when Sony CDs were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.
    • I turned off autorun on any external media a long time ago, back when Sony CDs were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.

      Just a quick question.

      Suppose the device identifies as a USB keyboard, or identifies as a dual use device USB stick/keyboard?

      Suppose the keyboard device is generic, doesn't require a driver, and the micro on the USB stick starts to type things on your computer.

      Could that install malware on your system?

      (Of course, I didn't need to identify keyboard devices specifically. There are a bunch of devices that a USB device can identify as, some of which allow data to be loaded onto your computer.)

      • I generally don't run with full admin privileges (ability to install) on my system, although that would certainly work on my wife's laptop. I really gotta get her PC locked down, damn the inconvenience.
    • autorun is not the only vector. Years ago, I read about an attack that used vulnerabilities in the program (under Linux, I can't remember which desktop environment) that creates thumbnails from images. The advantage of this approach is that the USB stick can contain 1000s of images, each of which can try a slightly different attack.
  • by Thud457 ( 234763 ) on Wednesday April 06, 2016 @03:01PM (#51854903) Homepage Journal
    USB drives?!

    How about blindly trusting USB chargers from Alibaba/eBay?!
    Or assuming that new USB-C cable from Amazon won't set your house on fire?!!!
    • I just want to add that Amazon is only selling certified USB-C cables from now on. It was a problem they decided to nip in the bud early.
    • I've busted apart some of those Ali/Ebay/Banggood USB chargers out of sheer morbid curiosity. Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection. Even the supposed "hubs" lack capacitors, or even crystals for the controllers. Many of them even save money and omit the diode meant to prevent wall-wart supply voltage from feeding back to the host computer. They are way too busy ripping you off the old-fashioned way to take on

  • I heard of dropping random USB sticks in public places (10?) years ago for testing security (IIRC in the context of testing banks). That along with strategically dropping CDs in the bathrooms of companies with the CDs marked something like "Super secret HR layoff plan"

  • people picking up random hookers and plugging into them.

  • by wjcofkc ( 964165 ) on Wednesday April 06, 2016 @03:04PM (#51854931)
    You quickly drive through the employee parking/entry area of a bank. You toss half a dozen, maybe less, infected USB drives out your window on the way. I've only ever heard of that testing method used on banks, by genuine, hired security firms, but I imagine it could go a lot further. Needless to say it generally results in "Yay! free USB drives! Let's plug em in!" Then something phones home.

    People are simple like that. Every so often someone asks me what the best way to crack (misc.) password is. I tell them to ask for it.
  • "a USB stick given away at a trade show is automatically good." the hell ever gave you that idea? a USB stick in original packaging could have malware all up ins for all you know.
  • USB authorization (Score:5, Informative)

    by rastos1 ( 601318 ) on Wednesday April 06, 2016 @03:08PM (#51854969)
    That's why we have USB authorization [kernel.org]. Since 2007.
  • by Pfhorrest ( 545131 ) on Wednesday April 06, 2016 @03:08PM (#51854971) Homepage Journal

    What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

    Oh right, Windows. Well, there's your problem.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      It doesn't even have to involve autorun: https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

      Once reprogrammed, benign devices can turn malicious in many ways, including:

      A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
      The device can a
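The thread keeps circling one practical question: how does the host tell a flash drive from a "flash drive" that also enumerates as a keyboard, before the device gets to type anything? The "dual use device USB stick/keyboard" question further up, the USB authorization comment, and the BadUSB enumeration attack described in the comment just above all point at the same control. On Linux it can be made concrete, because the kernel exposes a device's raw descriptors in sysfs before the device is configured and lets root decide per device whether to authorize it. The following is an added example, not code from this thread or from the kernel project: it parses the concatenated descriptor blob, applies a constructed policy (pure mass storage allowed, any HID interface denied unless its VID:PID is on an operator-maintained list, a stick that also exposes a keyboard always denied) and writes the verdict to the device's authorized attribute. The sysfs attribute names (descriptors, authorized, authorized_default) are the real ones; the policy, the sample descriptors and the vendor/product IDs are constructed for illustration.

```python
"""Added example (not from the thread): authorize USB devices by descriptor
class using the Linux USB authorization interface in sysfs.

Real sysfs attributes: /sys/bus/usb/devices/usbN/authorized_default (per
root hub; 0 = newly attached devices stay unconfigured), and per device
/sys/bus/usb/devices/<dev>/descriptors (device descriptor followed by each
configuration's raw descriptor tree) and /sys/bus/usb/devices/<dev>/authorized.
The policy, the sample descriptors and the vendor/product IDs below are
constructed for illustration.
"""
import struct
import tempfile
from pathlib import Path

# Descriptor type codes and interface class codes from the USB 2.0 specification.
DT_DEVICE, DT_CONFIG, DT_INTERFACE = 0x01, 0x02, 0x04
CLASS_HID, CLASS_MASS_STORAGE, CLASS_HUB = 0x03, 0x08, 0x09


def parse_descriptors(raw):
    """Walk a concatenated descriptor blob by bLength/bDescriptorType.
    Returns (idVendor, idProduct, [(bInterfaceClass, bInterfaceSubClass,
    bInterfaceProtocol), ...]); descriptor types we do not need are skipped."""
    vid = pid = None
    interfaces = []
    off = 0
    while off < len(raw):
        if off + 2 > len(raw):
            raise ValueError("truncated descriptor header at offset %d" % off)
        length, dtype = raw[off], raw[off + 1]
        if length < 2 or off + length > len(raw):
            raise ValueError("malformed descriptor at offset %d" % off)
        d = raw[off:off + length]
        if dtype == DT_DEVICE and length >= 18:
            vid, pid = struct.unpack_from("<HH", d, 8)   # idVendor, idProduct
        elif dtype == DT_INTERFACE and length >= 9:
            interfaces.append((d[5], d[6], d[7]))         # class, subclass, protocol
        off += length
    return vid, pid, interfaces


def decide(vid, pid, interfaces, trusted_hid=frozenset()):
    """Constructed policy. Returns (verdict, reason), verdict is 'allow' or 'deny'."""
    if not interfaces:
        return "deny", "no interface descriptors"
    classes = {cls for cls, _, _ in interfaces}
    if CLASS_HID in classes and CLASS_MASS_STORAGE in classes:
        return "deny", "composite storage+HID device (a stick that is also a keyboard)"
    if CLASS_HID in classes:
        if (vid, pid) in trusted_hid:
            return "allow", "HID device on the operator's trusted list"
        return "deny", "HID interface from an unlisted device"
    if classes <= {CLASS_MASS_STORAGE, CLASS_HUB}:
        return "allow", "mass storage only"
    return "deny", "unhandled interface class(es): " + ", ".join(
        "0x%02x" % c for c in sorted(classes))


def apply_policy(dev_dir, trusted_hid=frozenset()):
    """Read <dev>/descriptors, decide, and write <dev>/authorized (1 or 0).
    Intended to run as root from a udev rule once authorized_default is 0."""
    dev_dir = Path(dev_dir)
    vid, pid, interfaces = parse_descriptors((dev_dir / "descriptors").read_bytes())
    verdict, reason = decide(vid, pid, interfaces, trusted_hid)
    (dev_dir / "authorized").write_text("1\n" if verdict == "allow" else "0\n")
    return verdict, reason


def build_descriptors(vid, pid, iface_classes):
    """Constructed sample blob in the layout sysfs uses: one device descriptor,
    one configuration, one zero-endpoint interface per requested class."""
    device = struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                         vid, pid, 0x0100, 0, 0, 0, 1)
    ifaces = b"".join(struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, i, 0, 0, cls, 0, 0, 0)
                      for i, cls in enumerate(iface_classes))
    config = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(ifaces),
                         len(iface_classes), 1, 0, 0x80, 50)
    return device + config + ifaces


def run_on_fake_device(iface_classes, vid=0x1234, pid=0x0001, trusted_hid=frozenset()):
    """Exercise apply_policy against a throwaway directory standing in for
    /sys/bus/usb/devices/<dev>. Returns (verdict, reason, authorized_value)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_dev = Path(tmp)
        (fake_dev / "descriptors").write_bytes(build_descriptors(vid, pid, iface_classes))
        (fake_dev / "authorized").write_text("0\n")      # what authorized_default=0 leaves
        verdict, reason = apply_policy(fake_dev, trusted_hid)
        return verdict, reason, (fake_dev / "authorized").read_text().strip()


if __name__ == "__main__":
    samples = {
        "plain flash drive": [CLASS_MASS_STORAGE],
        "keyboard-only attack stick": [CLASS_HID],
        "flash drive that is also a keyboard": [CLASS_MASS_STORAGE, CLASS_HID],
    }
    for name, classes in samples.items():
        verdict, reason, authorized = run_on_fake_device(classes)
        print("%-36s %-5s %s (authorized=%s)" % (name, verdict, reason, authorized))
```

To use something like this for real, first set authorized_default to 0 on every root hub (for each /sys/bus/usb/devices/usbN), then have a udev rule for SUBSYSTEM=="usb" add events invoke apply_policy on the new device's sysfs directory; the exact rule is left as an exercise and is an assumption about your distribution's udev layout. Newer kernels also expose per-interface authorization, which would let a composite device keep its storage interface while its HID interface stays unbound; USBGuard automates this whole approach in production. The caveat the thread itself raises still applies: a class-based allow list stops a stick from typing into the logged-in session, but it does nothing against a device that attacks through a driver or filesystem bug in a class you do allow, or against the purely electrical "USB killer" mentioned earlier.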

  • Blame the OS? Nope. I'll blame the Operator, not the Operating System.

  • The intro says: "The problem isn't that people are idiots..."

    Let's stop right there. I know for a fact that this premise is wrong.

  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Wednesday April 06, 2016 @03:12PM (#51855005)

    As a Canadian, I cannot trust either China or the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.

  • The sun rose in the East today and set in the West. More at 11.
  • From Wired in 2011 The dropped drive hack [wired.com].

    ...They say that Stuxnet got deployed like this. Awesome hack, Stuxnet....

    Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed....

  • Commvault gave away as swag a few years ago (2011 I believe), a device that looked like a common trade show USB key. However instead of being an actual useful USB key, (it wasn't even a storage device) it behaved like a USB keyboard, upon loading, hit winkey - R, and typed in a webpage, (you could see the letters type across the screen). When I first saw those, it wasn't hard to imagine how easily those could be abused for just this scenario. Heck, you could theoretically have it do all kinds of sneaky

  • Did they account for people who opened and looked at the USB key, but their computer did not auto-run whatever was on there that phoned home? What about people who have the auto-run disabled in Windows, or people who run a smarter OS, like perhaps Linux or Mac or BSD? (I'm not actually sure if these OSes are smarter than Windows, but it seems like they might be.)
  • In 1989, people would plug random floppies into their computers. At least one early computer virus was spread that way. The more things change...

  • I have mixed feelings every time I see this. Every time I see one of these articles come across, there's a flood of comments about how its not news, and each time I see it I lean closer to the notion that this paradox of "non-news" that in and of itself is caused by a lack of awareness(which can only be remedied by news) might be dragging along by the dead weight of our habit to only share this knowledge with the tech crowd that already knows about it. This knowledge can only do so much unless it makes its
  • It has a small chance to have porn content, or at least, nudes! I can take that risk!
  • The problem is that the OS will automatically run a program that can install malware from a USB stick.

    Mine doesn't. I know of no Linux or BSD machine that automagically runs any kind of +x'ed code on any kind of removable media.

    At least not out of the box. Gee, I wonder what OS is designed for "convenience" rather than protecting the user, and their computer.

    Does it start with a W?

    --
    BMO

  • If you put a floppy in your computer, would it autoplay? No.

    Do your external hard drives autoplay when you put them in? Nope!

    The issue here is the bullshit autoplay. CDs and DVDs are guilty of that as well. I have no idea why it's a default feature on computers... the default should be to just open the volume like a drive to allow you to peruse the files on the medium and select what you want to open.

    IMO this is a HUGE failure on the OS and whoever decided to allow Auto Play to be a thing.
  • The problem isn't that people are idiots

    Yes, it is. Would you pick up a random needle off the street and stick it into your vein, then wonder how you got AIDS? Would you stick your dick in some random person you found behind a 7-11, then wonder how you got the clap? It's not the computer's fault you stuck an unknown, infected USB drive in it. Take some responsibility for your actions already. This is absolutely nobody's fault but your own, so stop doing stupid shit and then playing the victim card.

    The problem is that it isn't safe to plug a USB stick into a computer.

    Bullshit. It's perfectly safe to insert a USB sti

  • Should we also mock Bruce for saying:-
    "The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good."

    I would say the latter is still suspect, what with Bad-USB firmware and other stuff, just because someone you trust gives you something, the trust does not extend to the something.

  • First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.

    --
    One of many possible ways to do this:
    * Assume the device is a generic USB memory stick. If it's not, fail.
    * If it is, attempt to access the files using generic methods. If it doesn't work, fail.
    * If it's not a recognized fil

  • I think this story runs once a year, choir having been preached to, problem continues.
