Let’s set the scene: You’re out in the world, doing what you do, when you stumble upon an abandoned USB flash drive. What could be inside? Perhaps it’s simply someone’s spreadsheets from work—maybe alongside some information identifying the owner, allowing you to return it. But also, maybe government secrets? The only way to find out is to plug it into your computer and investigate. Here’s the thing, though: Don’t do that.
Sure, the USB device you found could be perfectly innocent, unknowingly dropped by someone taking the same path as you. However, it could also be a trap designed to prey on your curiosity, so that when you decide to plug it into your personal computer, all you’ll find on it is malware.
Malware-infected USB devices are a real problem
Although it might sound like something out of the movies, people really do infect USB devices with malware and drop them for unsuspecting victims to find. Targets range from big to small, with the highest-profile hack likely being against Iran in 2010: one such attempt infected the country’s nuclear facilities with Stuxnet malware, despite the entire system being disconnected from any internet communications.
In less high-stakes cases, it might seem like a rather roundabout and random means of attack. After all, phishing emails and texts can be sent directly to marks, while a USB device must first be picked up and then plugged in for it to work.
As it turns out, the chances of someone plugging in a strange USB are pretty high. One study dropped nearly 300 USB devices across a “large college campus,” and found that 98% of the devices were picked up by students and staff, and nearly half decided to plug the USB device into their computer, with the first connection happening six minutes after the study launched. All that to say, there’s likely a return on a hacker’s investment in this scenario.
This isn’t a new problem. The US-CERT (Computer Emergency Response Teams) issued a warning in 2008 about malware-infected USB devices. Before that, floppy disks were used in a similar way. And while we might have moved away from physical storage in favor of the cloud, USB devices are still ubiquitous enough to pose this threat.
It’s difficult to say how common this threat really is, but with cyberattacks on the rise, it’s always better to be safe than sorry. Avoiding connecting a strange USB device to your personal computer is simply a cybersecurity best practice, just as not reusing the same password twice helps keep your accounts safe.
That said, if you can’t fight off your curiosity, you aren’t totally out of options (although you might be stepping into unethical territory). In a Reddit thread on the subject, one user describes how they take each USB device they find to a Best Buy to test on the store’s computers. I won’t vouch for this method, since I can’t condone risking the store’s property, but the general idea—check the USB out without risking your personal device and information, or the information of anyone else—is sound. Which is good, since, let’s be real: You’re definitely going to plug that USB device in.