USB Drop Attacks: The Danger Of “Lost And Found” Thumb Drives

Get a Customized Proposal

Thumb drives are used everywhere nowadays. Whether a generic metallic memory stick, a branded giveaway at an event, or cleverly disguised as Yoda or some other pop culture icon, these devices are universally embraced as an easy way to transfer data. But unfortunately, they are also loved by cybercriminals, who can use thumb drives to attack your computer.

In a Universal Serial Bus (USB) drop attack, cybercriminals leave USB devices for people to find and plug into their computers.  A Good Samaritan hoping to return the drive or a penny pincher hoping to pocket a new device for free inserts the “found” drive into their computer’s USB port. Then the trouble begins.

Three Main Types of USB Drop Attacks

Malicious Code
In the most basic USB drop attacks, the user clicks on one of the files on the drive. This unleashes a malicious code that automatically activates upon viewing and can download further malware from the Internet.

Social Engineering
The file takes the thumb drive user to a phishing site, which tricks them into handing over their login credentials.

HID (Human Interface Device) Spoofing
In a more sophisticated attack, the device looks like a USB stick but will trick the computer into thinking a keyboard is attached. When plugged into a computer, it injects keystrokes to command it, giving a hacker remote access to the victim’s computer.

The most advanced attack by USB exploits a hole in computer software the vendor only knows about once the attack is discovered. It’s known as a Zero Day attack because the hacker has acted before the developer can act to fix the vulnerability. These advanced cyber attacks can compromise a network in secret and provide an element of surprise.

Thumb Drive Attacks

High-Profile Security Breaches by USB

In June of 2021, the city of Amagasaki, Japan, hired a contractor to analyze COVID-19 tax relief efforts for Amagasaki citizens. The contractor lost two USB memory sticks containing the sensitive, personal data of nearly half a million people. Information on the drives included names, addresses, birth dates, bank account numbers, and details regarding residence tax payments. While the police reported that the two USB sticks were not accessed, an ongoing investigation remains, and this incident serves as a reminder that USB threats are still very real. 

USB attacks might be limited to personal devices, but the implications can be more significant. A particularly well-known example of a USB drop attack is Stuxnet, a computer worm that infected software at industrial sites in Iran, including a uranium-enrichment plant. The virus targeted industrial control systems made by Siemens, compromised the system’s logic controllers, spied on the targeted systems, and provided false feedback to make detection even more difficult. It all began with a USB stick infection.

Don’t be a victim. When it comes to your organization’s security, active prevention is the best strategy. Set up a call with us, and we will help identify an approach that suits your unique needs.

U.S. Government
The United States government has also fallen victim to flash drive attacks. In 2008 an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The drive’s malicious code spreads undetected on classified and unclassified systems, enabling data to be transferred to servers under foreign control.

USB Attack Tools and Testing

In one test of how well a USB scam can work, Trustwave planted five USB drives decorated with the targeted company’s logos near the organization’s building in one test of how well a USB scam can work. Two of the five “lost & found” drives were opened. One of the openings even enabled the researchers to glimpse software employed to control the organization’s physical security.

A company in Hong Kong has even developed a USB that could kill a computer. Collecting power from the USB line, it absorbs power until it reaches about 240 volts and then discharges that energy back into the data lines in devastating power surges. Oh, and the USB Kill drive is available for just $56 — if you think this is only something someone could accomplish if they’re tech-savvy and have deep pockets.

USB Baiting has even been seen in popular culture, with what’s known as a “Rubber Ducky” tool appearing in the show Mr. Robot in 2016. The USB key only needed a few seconds to get to work using HID spoofing to gather FBI passwords.

And if you’re a hacker, why not? Two of the best tools a malicious party can leverage are the human desire to help others and our blind trust. It’s easy to imagine what you might do if you came across a USB key left by the copy machine or the water cooler. Someone in your office may have misplaced it, and the simple solution would be to plug it into your computer to see if you can find identifying information.

Imagine, then, a file is on there labeled “Joe_Resume.pdf.” Is that a safe and useful file to open to help you return the device to its rightful owner? Unfortunately, that same file could be set up to deliver malicious code to your machine.

Most average users need to be aware of how to determine the ownership of a USB stick safely, so educate workers about the risk of found USB drives and urge them to hand in any found devices to IT.

USB Security Awareness

Think about the effort expended on telling children not to take candy from strangers. It’s the same idea as encouraging employees to refrain from putting found USB devices into their computers. One 2016 study dropped 297 USBs on a university campus. Of the 98% of found devices that were picked up, 45% were plugged into computers.

The thumb-sized USB drive has become increasingly commonplace, and that’s part of the problem. Today you might get one at a convention with a company’s logo and promises of promotional materials to download later. These “memory sticks” are tiny, cheap, and can store as much as 20 gigabytes of data.

"The more ubiquitous they've become, the greater the chances they'll get lost or stolen or be used to spread malicious programs." — Norton

These small and portable drives are also easy to lose. One 2008 study found an estimated 9,000 memory sticks were found in people’s pant pockets at dry cleaners. Moreover, suppose the information on these left-behind drives is a security risk.

Tips for USB Drop Attack Prevention

  • Ensure that employees don’t store sensitive information on USB devices.
  • If critical data must be stored on a USB device, ensure it’s protected with encryption or another safety feature, such as fingerprint authentication.
  • Encourage employees to separate flash drives used at home from those used in the office.
  • Institute policies for employees and educate them accordingly about what can and cannot be plugged into the company network.
  • If employees are lax about securing their computer USB ports, consider physically blocking them on sensitive computers to avoid an attack.
  • Further, it’s possible to restrict the type of USB authorized on a computer — using Windows or a USB kill code — to thwart unauthorized access.
  • And, of course, it’s always wise to keep your security policies and patches up-to-date.

Educating your workforce while understanding the limits of your physical and network security protocols is essential. Ready to find out what those are? Let RedTeam Security test your facility’s security today.

Click To Schedule Your Free Consultation

Brief History Of USB drives

The USB 1.0 standard was introduced in 1995 to develop a standardized device-connection protocol. Before USB, computers used many ports and drivers to connect devices and transfer data.

Trek Technology produced the first commercially available USB drive in 2000. The drive could hold up to 8 megabytes of data.

By 2002, dozens of companies were marketing these flash drives, and patent clashes abounded.

In 2004, USB 2.0 standard devices were made widely available, with the drive able to transfer data at about 30 MB/second as opposed to the 1 MB/second of the USB 1.0 devices.

Some USB 3.0 devices were made available in 2010, offering a data transfer rate of 4.8 gigabits per second. USB flash drives — thumb drives, pen drives, jump drives, or memory sticks — can typically endure nearly a million data rewrites.

Kingston Technology releases the 2 TB flash drive, the largest for storage capacity. 

SanDisk announces the 1 TB USB-C flash drive, the smallest of its kind. 

Get a FREE security evaluation today and reduce your organization's security risk.

Read More Articles


10-Point Offensive Security Checklist

Get A Bird’s Eye View Of Your Organization’s Security Readiness
10-Point Offensive Security Checklist

Featured On

National TV news and media outlets often consult with us for our expertise as a boutique, high-touch ethical hacking firm highly trained in a narrow field of cybersecurity. Please click on any logo below to view the featured story.