You know what they say about curiosity.
In the age of the smartphone and constant mobile connectivity to the internet, USB drives might not be quite as useful as they once were, but they're still an indisputably handy way to carry your personal files around.
And because of that, when people see a random USB drive just lying on the ground, it's a perplexing dilemma. Should you pick it up? Take a look at the data you find on it, and maybe try to return it to its owner? What about malware, is there a security risk? Regardless of what goes through people's minds when they face this situation, a new study has found that discarded USB drives lying around in public will definitely not go unnoticed.
A team from the University of Illinois Urbana-Champaign dropped 297 USB drives around the uni grounds, leaving them in places like parking lots, hallways, classrooms, libraries, and cafeterias. They found that almost half of the data sticks (and possibly a lot more) ended up being used in a computer, and almost all of them (98 percent) were picked up and removed from where they were originally dropped.
To track what people did with the USB sticks when they found them, the researchers put HTML documents on the drives, masquerading as files called "documents", "math notes", and "winter break pictures". When somebody discovered these files on the drive and tried to open them with an internet-connected computer, the researchers were notified.
Amazingly, despite the potential risks of executing these random files, people did so with 45 percent of the discarded USB drives – representing 135 instances of users opening the files. It's entirely possible that many more of the USB drives were inserted into computers too – the researchers were only notified if the HTML files were opened (and even then, only if the computer was online at the time).
So are people just nosey snoops who can't resist rifling through others' personal data? Not necessarily.
When people opened the HTML files on the drive, they were informed about the experiment (in which they had so far been an unwitting participant) and invited to complete an anonymous survey. This gave them a chance to provide some information about themselves and explain what had motivated them to pick up and use the drive in the first place.
Fewer than half of the 135 users opted to continue the experiment at this point, but 43 percent did provide feedback. Most of the respondents (68 percent) said they wanted to return the drive to its owner, while 18 percent acknowledged they were merely curious about the contents. Two people admitted they just personally needed a USB drive!
Some of the USB drives had been put on key rings with dummy house keys, and many of the participants indicated that this encouraged their altruistic intentions, as it added an extra sense of urgency to returning the keys (i.e. the owner might be locked out of their house).
But the study found that people with good intentions still let their curiosity get the better of them, opening things like personal photos on the drives. You could argue that seeing what the owner looked like would help you find the owner of the keys, but it would be nowhere near as efficient as just opening the "personal résumé" file on the drive to look up their contact details.
The findings, which are being presented next month at the 37th IEEE Symposium on Security and Privacy in California, also highlight just how unaware or unconcerned we can be about the potential security risks of opening unknown files on randomly found devices.
Over two-thirds of respondents admitted they had taken no precautions before connecting the drive to their computer. "I trust my Macbook to be a good defence against viruses," said one (bad move), while others admitted opening the files on university computers to protect their own personal gear.
"This evidence is a reminder to the security community that less technical attacks remain a real-world threat and that we have yet to understand how to successfully defend against them," the authors write. "We need to better understand the dynamics of social engineering attacks, develop better technical defences against them, and learn how to effectively teach end users about these risks."
As lead researcher Matt Tischer told Lorenzo Franceschi-Bicchierai at Motherboard, despite the ridiculousness of these kinds of experiments, the study shows that people, regardless of their motivation, aren't cautious enough when it comes to opening unknown files on totally random drives.
"It's easy to laugh at these attacks, but the scary thing is that they work," he said, "and that's something that needs to be addressed."