"Does dropping (malicious) USB drives in parking lots and other places really work?"

297 samples were dropped, 290 got picked up. 135 people opened documents (HTML pinger), 54 flash drives got returned.

20% were opened within the first hour. In less than 5 hours half of the devices were used by someone.

Study & talk (2016) by Elie Bursztein: youtube.com/watch?v=XJCQBqTmGU

@fribbledom Wow... is this what 'scientific' studies have come to? 😂

In a truly controlled study, these USB drives would have actually had the word "malicious" written on them.

muesli, please...

@RaccoonWillie

Nobody claimed it's a scientific study: it's a blackhat talk.

You could certainly do a control test with drives marked as "malicious", but I really think that's beside the point of the talk.

If you watch it, Elie goes very much into detail how he marked the drives and how it affected the outcome.

@fribbledom those numbers are bonkers.

Now, I've picked up a few flash drives that I found, in parking lots. But I've immediately wiped them clean with dd on an offline machine. I wouldn't even mount the partition, much less click a file.

@gentoorebel

Frankly, I'd either try to return the device or just leave it where it is.

Flash drives aren't worth that much after all, and besides "BadUSB" they open a whole new vector of malicious attacks: to really trust it, you'd have to crack its shell open and take a closer look at the underlying circuitry.

@fribbledom yeah I'm more curious than I am smart. Or at least, you're smarter than me.

@fribbledom wow, when a tv show (Mr. Robot) uses that tactic and it fails, I'm impressed that they used an attack vector that usually works but have it fail. If I remember correctly though they plugged it in and antivirus on network blocked it.

@fribbledom
lol it's a real-life Cryptkey from the big bang theory 😂

I found a 32GB USB drive in my front lawn once
I figured some kid dropped it when going to school
it was new, still in package
I remembered I did get a little paranoid so I opened it with an old cell phone and I did wipe it even though it was new

@fribbledom
basic takeaway, why haven't they added built-in authentication for USB devices yet? I am pretty sure this attack will become easier over time.

good video

@fribbledom I always take something like that to a public location or connect it to an old computer without network connectivity before I do anything with it. Like, I'm gonna keep the flash drive if there's no identifying information, but like, check it first, jesus

@fribbledom it's actually still a very valid way of spreading your virus if you live in a populated area.

@fribbledom@mastodon.social my manager has found a shit ton of USBs and apparently he inserts them into the work computer all the time lmfao.

@fribbledom
one point i'd note, is that they did this on a school campus. it doesn't necessarily mean that half the people were taking the personal risk, if they were looking into it on, say, a library computer, as the top comment of that reddit post screenshot they showed did.
also, given that most reported opening it to find the owner, and few opened it with contact info on a tag, i wonder if you could boost success rate with a 'contact info inside' tag, or if that'd be suspect

@fribbledom Best investment I ever made when I was a pen tester was $50us for an iPod on Craigslist. Rig up with malware, leave on sidewalk.

@fribbledom brb putting a virus on USB drives that force installs ublock origin and dropping them around the city

@fribbledom The average person doesn't have any real education about even the most common of vectors, so it's no surprise that you get results like this.

There is a lot more 'common knowledge' surrounding personal safety & physical security because there's some minimum standard of education that parents and schools pass on to kids.
