Researchers from the University of Illinois, the University of Michigan and Google published “Users Really Do Plug In USB Drives They Find.” The report covers the controlled experiment where researchers placed nearly 300 USB thumb drives around the University of Illinois campus and watched to see what happened when someone found them.
The study found people will insert found thumb drives in their equipment. Specifically, they found an estimated 45% to 98% of the thumb drives were picked up and connected by participants. Regardless of whether people insert these drives because they are merely curious or whether they want to find the rightful owner, this study confirms employers’ data is at risk even if an employee isn’t connected to the Internet.
Researchers “measure[d] the efficacy and speed of the attack by replacing expected files on the drive with HTML files containing an embedded tag that allows us to track when a file is opened on each drive without automatically executing any code.” Once the data was accessed, researchers “offered participants the opportunity to complete a short survey,” which asked “why they connected the drive, the precautions they took, demographic information, as well as standard questions to measure their risk profile and computer expertise.”
The experiment found 8% of users indicated that they took no precautions when connecting the drive while 16% scanned the drive with their anti-virus software and 8% believed their operating system or security software would protect them, e.g., “I trust my MacBook to be a good defense against viruses.” Meanwhile, another 8% sacrificed a personal computer or used university resources to protect their personal equipment.
Based on these findings, researchers found that an attack through thumb drives “would be effective against most users and that the average person does not understand the danger of connecting an unknown peripheral to their computer.”
While this experiment delivered the bad news that hackers could have access to a network without an internet connection, the good news is that the majority of people connected the thumb drive to their computers in order to find its rightful owner to return it. This bit of good news had one last caveat, “while the users initially connect the drive with altruistic intentions, nearly half are overcome with curiosity and open intriguing files—such as vacation photos—before trying to find the drive’s owner.”
This experiment demonstrates something we have seen time and time again. Despite the safeguards that technology offers to protect data, in the end, data protection will only work if employees use the technology as intended. Once again, employee training is the most effective way to reach people. The practical implication of this experiment is that hackers can access a system even if it is not connected to the Internet. From an insurers’ perspective, this experiment shows the importance of an application process that measures both the technology used by a policyholder as well as information concerning the training employees receive to use that technology.