A recent study reached a disturbing conclusion – users really do plug in random USB drives they find. The researchers scattered 297 flash drives throughout the University of Illionis Urbana-Champaign campus. They found that the attack had an estimated success rate of 25-98%, with a median time to connection of only 6.9 hours (with the quickest being just six minutes). After connecting the drives, the subjects were presented with a survey to better understand their thought processes. It was thus found that:

68% of respondents connected a drive to locate its owner

18% connected a drive out of curiosity

68% took no precautions prior to connecting the device

Of those who considered protective measures: 16% scanned the drive with anti-virus software 8% believed their operating system would protect them



The study indicates that a social engineering attack of this nature would almost certainly work, as the USB drives can be configured to carry malware. This should give all of us a moment’s caution, particularly those employed in IT security.