Curious people can’t resist plugging in random flash drives
Quiz time:

You’re waiting for your train. You spot a flash drive on a bench.

Do you:

  1. Pick it up and stick it into a device?
  2. Leave no stone unturned to find the owner, opening text files stored on the drive, clicking on links, and/or sending messages to any email addresses you might find?
  3. Keep your hands off that thing and away from your devices, given that it could be infested with malware?

Of course, option 3 is the only security-wise course of action.

But in a recent study, 17% of people chose options 1 and 2 – hey, free thumb drive! Wonder who lost it…? – and plugged in those suckers.

The company behind the research is technology certificate provider CompTIA.

It recently littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.

The nearly one out of five users who plugged in the drives proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.

CompTIA president and CEO Todd Thibodeaux:

These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal.

Just how risky is such behavior?

In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.

Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up an infected drive can spread infection onto not only their own devices, but also onto his or her company’s systems in these days of bring your own device (BYOD).

Sophos’s Ross McKerchar cooked up this list of 5 mobile device risks to a business, of which flash drives are one.

He suggests that if employees are allowed to use portable USB storage, then “make sure you scan, scan, scan…”

CompTIA says that a dearth of cybersecurity training for employees is part of the problem.

Beyond scattering flash drives around cities, the company also commissioned a survey of 1200 full-time workers across the US, finding that 45% say they don’t receive any form of cybersecurity training at work.

Other cyberthreat findings from the study:

  • 94% regularly connect their laptop or mobile devices to public Wi-Fi networks. Of those, 69% handle work-related data while doing so. This isn’t surprising: past studies have found that most people (incorrectly!) think that Wi-Fi is safe.
  • 38% of employees have used their work passwords for personal use.
  • 36% use their work email address for personal accounts.
  • 63% of employees use their work mobile device for personal activities.
  • 41% of employees don’t know what two-factor authentication (2FA) is.
  • 37% of employees only change their work passwords annually or sporadically.

Age plays into risky behavior: the study found that 42% of Millennials have had a work device infected with a virus in the past two years, compared with 32% for all employees. What’s more, 40% of Millennials are likely to pick up a USB stick found in public, compared with 22% of Gen X and 9% of Baby Boomers.

Consistent with the lower security awareness among younger workers: 27% of Millennials have had their personally identifiable information (PII) breached within the past two years, compared with 19% of all employees.

Besides the risk of infection via plugging in lost devices, lost flash drives can also lead to loss of personal details, given that most users don’t secure the data they store on such devices or the devices themselves.

That was one surprise uncovered in Sophos’s lost-drive research: not a single one of the lost drives was encrypted. Nor did they appear to contain any encrypted files.

Some takeaways:

An infection rate of 66% means there are a lot of malware-spreaders in our midst. Assume that a lost USB stick is likely to be an infected USB stick, so don’t plug it in.

Encrypt personal and business data before you store it on a USB device so it can’t be accessed if you lose it.
