USB removable storage drives have been around for nearly two decades, as have concerns about how cyber criminals can use these small, inexpensive devices to spread malware and secretly steal data from protected networks. By now, you might think the average person knows better than to pick up a strange USB drive and plug it into their computer, but that’s not necessarily true. Despite warnings from infosec professionals and the media, end users’ natural curiosity and other emotions still make them vulnerable to USB-based social engineering.
Removable drives are just one of many USB peripherals that can be used to compromise a computer, from wireless keyboards and external webcams to cheap novelty gizmos. USB connections are also common in Internet of Things (IoT) devices. Even a USB cable or phone charger—which might seem as harmless as an electrical extension cord—can be weaponized. In fact, researchers at Ben-Gurion University of the Negev in Israel recently identified 29 ways an attacker could use USB devices to compromise a computer.
Yes, USB Attacks Do Work
Whatever form it takes, a USB attack needs an unwitting person to connect the malicious device to a computer. In USB drops, attackers leave malware-laden USB drives near their targets—in parking lots or common areas, for example—and wait for a curious person to pick up the seemingly lost drives and plug them in. This strategy might seem like a long shot, but the combination of technology and social engineering is remarkably effective.
In fact, a 2016 research study on USB drops revealed an estimated success rate of 45–98%. In a controlled experiment, researchers left nearly 300 USB drives around the campus of the University of Illinois at Urbana-Champaign. The drives were loaded with .html files that would generate notifications if opened.
The results were sobering: People picked up 98% of the drives and opened one or more files on 45% of them. In other words, nearly half of the simulated attacks were clearly successful. It’s also possible that people plugged in the other drives that they found but didn’t open the files, which would also pose a serious security risk.
So, if an attacker left 10 USB drives around your organization’s building, how many do you think your users would plug in? Would they open the files on four or five of them, as the study suggests they might?
Taking Advantage of Altruism and Interest
It’s tempting to assume that the students and staff who plugged in the USB drives were security illiterate, but that’s not the case. Their answers to questions from the Security Behavior Intentions Scale (SeBIS) showed no significant difference between those who plugged in a flash drive and the general population. Consequently, the researchers concluded that a USB attack “would be effective against most users and that the average person does not understand the danger of connecting an unknown peripheral to their computer.”
According to the study, people were initially driven to insert the USB drives through altruistic intentions: they hoped to return the drive to its owner. But once the drives were connected, nearly half of the people were “overcome with curiosity and open[ed] intriguing files—such as vacation photos—before trying to find the drive’s owner.” Attackers can use file names designed to pique curiosity on weaponized USB drives—a powerful social engineering technique.
“This evidence is a reminder to the security community that less technical attacks remain a real-world threat and that we have yet to understand how to successfully defend against them,” the researchers concluded. “We need to better understand the dynamics of social engineering attacks, develop better technical defenses against them, and learn how to effectively teach end users about these risks.”
A Proactive Approach to USB Risk
So, what can you do to reduce the risk of USB attacks in your organization? We recommend a proactive approach: assessing users’ vulnerability to these attacks, making them aware of how malicious USB devices can cause system infection and data loss, and teaching them how to avoid these threats. Our ThreatSim® USB Simulations allow you to identify end users that will pick up and use unknown USB drives, giving you actionable data about your organization’s vulnerability to a USB drop attack. After leaving USB drives around your facilities, you can track which drives are opened through our Security Education Platform.
Simulated USB attacks are a great way to quickly raise awareness of the threat and make employees more receptive to subsequent in-depth training on social engineering attacks and data protection. We offer a specific training module, USB Device Safety, that can be assigned to strengthen knowledge of best practices for end users who fall for a simulated attack.
We’ve recently enhanced our USB simulations product to offer self-service capabilities and greater flexibility. Customers can load their own USB devices and use them to launch campaigns at any time and in any quantity. We now also offer unlimited usage: no restrictions on the number of USBs you can distribute or the number of campaigns you can run.
Given the continued popularity of USB drives—and the expansion of the IoT and connected devices—reducing the risk of USB attacks is important to any organization’s cybersecurity. Try Proofpoint Security Awareness Training and see how we can deliver results for your organization, as we have for thousands of other customers.