Chalk it up to the fact that Homo sapiens have always had to find new ways of adapting to survive: we humans are curious, perhaps even nosy, creatures. The burning “need to know” is what powers innovation and propels discovery (because, ya know, circle-shaped wheels move a whole lot better than square-shaped ones do), and it’s what keeps us following the Kardashians’ Twitter posts, no matter how ridiculous they are.
And guess what? Hackers know about this odd facet of human nature too, and they are just tickled pink to use this vulnerability against you. In fact, the innate “need to know” is one of the most potent factors compromising security and privacy.
Accordingly, last week Google, The University of Michigan and The University of Illinois Urbana-Champaign released a study in which they distributed 297 USB sticks in random places all around the Illinois University campus. The goal of the study was to see how many people would actually pick up and plug in the sticks even though doing so is clearly not a smart idea. Think back to when you were a kid – you know your mom would have killed you if you ever put a candy that you found just lying on the sidewalk in your mouth. The same goes here – plugging in a device you found just lying around can spell disaster.
Curiosity killed the computer
So just how bad of an idea is it to plug in a random USB stick that you happen to find? Think about it this way – when you plug a USB stick, external hard drive or basically any device into your computer, you end up potentially subjecting your PC to whatever is on the external device. That could be pictures from all your family vacations from 2010-2016, inventory spreadsheets from your boss from the past two quarters, or whatever malware or spyware a sneaky hacker put onto the stick, just hoping, more like knowing, you would open it up.
So how did the experiment go?
Surprise, surprise: in the end, 48% of the distributed USBs were plugged in, generally within 6 minutes of being dropped off. Of the opened sticks, only 16% of finders used any sort of virus scanner and 68% took no precautions at all. The study also found that, again, 68% said they only opened the stick to locate the owner, proving that the road to total PC wipeout is paved with good intentions.
In truth, this is better than the results of a study commissioned by the Department of Homeland Security in 2011, in which 60% of randomly distributed drives were plugged into office computers. And if there was an official-looking logo on the drive, a scary 90% of drives were plugged in.
Some researchers are quick to point out that using random USBs to distribute malware is typically employed as part of a targeted attack on corporations and wouldn’t generally be the vector of choice for untargeted attacks. Still and all, it’s a bad idea to take the risk. And if that burning need to know is just too powerful, take precautions before you plug: upload the file to VirusTotal, which will alert you to any hiding malware, and install an anti-malware program like RCS, which will catch any lingering malware that might be on your PC after you upload whatever is on the stick.
But is it really worth it?
Okay, it’s probably not about the price, because for the price of skipping your next two cafe lattes at Starbucks you could get a new drive. What’s driving you here is your own nosy nature. So now would be a great time to exercise your self-restraint muscles and follow the old axiom of “When in doubt, throw it out”. If you don’t, you might just have a whole computer that’s worthy of being trashed.