Physical Securitymedium

USB Drop Attack: 60% of People Plug In Dropped USB Drives

A University of Illinois study dropped 297 USB drives across campus. 98% were picked up. 45% were plugged in within hours. When the drives contained an HTML file designed to phone home, they reached a 98% opening rate.

University of Illinois / Security Research·2016·2 min read

Background

USB drop attacks exploit human curiosity. Attackers leave infected USB drives in parking lots, lobbies, and conference areas hoping recipients will plug them in. The technique was proven by Stuxnet (USB in Iranian facility) but the scale of general public susceptibility was not well documented until research studies.

The Attack

Researchers from the University of Illinois dropped 297 USB drives across the university campus with varying labels: blank, personal, confidential, and library labels. 290 of 297 were picked up (97.6%). Of those, 135 (45%) had the drive plugged into a computer. The researchers also distributed an HTML file that loaded when opened — simulating a phone-home beacon. 98% of drives had the file opened. Participants who were surveyed said they plugged in the drive "to return it to its owner" or out of curiosity. Only 16% said they were concerned about security.

Response

The research was published at the USENIX Security Symposium 2016. The results prompted security awareness campaigns. Organisations began implementing USB port blocking policies. The research was used in training programmes to demonstrate why USB controls are necessary.

Outcome

The study quantified what security professionals had long suspected: USB drop attacks have extremely high success rates. The "returning it to the owner" motivation is particularly interesting — it shows that attackers can exploit helpfulness, not just curiosity. The research directly contributed to the adoption of USB port blocking in sensitive environments.

Key Takeaways

  1. Block USB mass storage on all corporate workstations using Group Policy or MDM — the business case rarely justifies the risk
  2. Awareness training should specifically address USB drops and the social engineering angle of "returning to owner"
  3. If a USB drive is found, report it to IT security — never plug it in yourself
  4. Label and register all legitimate company USB drives to distinguish them from dropped devices
USB dropsocial experimentautorunphysical mediacuriosity attack

More in Physical Security

1995high

Kevin Mitnick Tailgating: How America's Most Wanted Hacker Walked Into Secure Buildings

2 min readPhysical Security
2020high

FIN7 BadUSB Mail Drop: Ransomware Delivered via Fake Amazon Gift Cards to Hotels

2 min readPhysical Security
2009medium

Dumpster Dive: Hospital Records, Credit Card Statements, and Patient Files in the Trash

2 min readPhysical Security