Listen, I get it. When you find a random USB stick lying around somewhere, it’s tempting to snatch it up and plug it into your computer. Maybe it’s curiosity. Who knows what interesting stuff might be on there? Or maybe you’re just trying to help reunite the data drive with its rightful owner.
But that’s exactly the wrong thing to do. It’s a really bad idea to plug anything of unknown origin into your computer, as highlighted by a new study out of the University of Illinois.
Researchers there littered the campus with nearly 300 USB drives. The drives were loaded with files that, when opened on an Internet-connected computer, told the researchers somebody had found the drive and opened something. By the research’s conclusion, people picked up 98% of the dropped drives, while somebody opened at least one file on 45% of them.
That latter group is awfully lucky. There was nothing nefarious on the researchers’ drives — just the tracker files and a link to an anonymous survey. Of the people who decided to answer that questionnaire, 68% said they grabbed the drive to find its rightful owner. (That number could be inflated by respondents’ desire to look better.)
But the drives could have been much more dangerous. Hackers view USB devices as an “attack vector” — that is, a pathway that can give them access to a single computer or network. Get somebody to plug a malware-infected drive into a PC, and you’re in. Most famously, it’s believed that a USB drive delivered a computer virus into Iranian computer systems that damaged a nuclear facility in that country in 2009-10. That 45% of this study’s respondents opened an unknown file on a mysterious drive shows just how effective this kind of attack can be.
The takeaway: Just like with email, don’t open anything you don’t trust — even if you’re trying to be a good citizen.