Skip to main content
  1. Home
  2. Computing
  3. News

Malware alert — don’t plug in that USB stick you found on the street

Bruce Brown
By

USB drop attack demo - Blackhat USA 2016
Be careful, that “found” USB drive may hold malware that’s just waiting for you to plug it in. Maybe you consider a found USB stick a chance to do a good deed by returning it to its owner — if you can discover who the owner is. Or maybe you’re curious and just want to see what’s on the removable storage drive. Whatever your reason for picking it up and plugging it in, that “lost” USB stick may be bait waiting for someone to hurt, according to Tom’s Hardware.

Google anti-abuse team researcher Elie Bursztein tested the effectiveness of using “lost” USB memory  to spread malware on a college campus. In Bursztein’s study, almost all of the USB sticks (97 percent) were picked up and almost half (45 percent) were plugged into computers where someone clicked on the stored files. In further testing, Bursztein found that USB sticks with labels such as “Exams” or “Confidential” were more likely to be opened than unlabeled drives while sticks with return addresses were less likely to be opened.

The threats from USB drives can come in several forms. HTML files or executable files stored on the drive could activate malware to infect the system in the background while running innocuous programs in the foreground. Users could be sent to a phishing site that would attempt to steal personal information. Alternately, activated code could search the computer’s files for personal credentials and then attempt to send them back to the hacker or to the cloud for later retrieval.

USB devices that resemble memory sticks but are really keyboard spoofers could be programmed to allow remote access and signal a hacker that the computer is open and ready for whatever the hacker intends.

It’s also possible to use USB sticks to mount zero-day attacks that exploit known software vulnerabilities either before vendors patch the hole or before users download updates. According to Bursztein, zero-day threats are less likely to be spread with randomly “lost” USB sticks due to the cost and complexity of altering firmware. You are more likely to be hit with malicious files or to pick up a keyboard-spoofer.

In any case, the best advice is to resist the temptation to pop a “found” USB stick into your computer just to see what’s on it. Bursztein demonstrated how a USB drop attack could work at Black Hat USA 2016.

Editors' Recommendations

Why I still use Microsoft’s Office suite instead of Google’s free options

Computer user touching on Microsoft word icon to open the program.

Windows 11 vs. Windows 10: Is the upgrade worth it?

Windows 11 and Windows 10 operating system logos are displayed on laptop screens.

OneDrive is getting stories, but it’s not what you expect

OneDrive Stories feature.

Websites are constantly tracking you — but Firefox has a fix

Mozilla Firefox image. Credits: Mozilla official.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Best HP laptop deals: Get a new laptop for $379

A woman video chats with her friends on an HP Envy laptop.

The best movies on Apple TV+ right now (July 2022)

Andrew and David sit at a dinner table together in Cha Cha Real Smooth.

F1 2022 performance guide: Best settings for high frame rate

F1 cars round a corner in F1 22.

The best weapons in Call of Duty: Warzone for Season 4

New Operators in watch tower in Call of Duty: Warzone.

What’s new on Apple TV+ this month (July 2022)

Paul Walter Hauser and Taron Egerton in Black Bird.

Best smartwatch deals for July 2022

Best iRobot Roomba deals for July 2022

irobot roomba 680 walmart robot vacuum deals

Fire TV Stick vs. Fire TV Stick 4K Max vs. Fire TV Cube: Which to buy?

Amazon Fire TV Stick 4K Max