"Does dropping (malicious) USB drives in parking lots and other places really work?"
297 samples were dropped, 290 got picked up. 135 people opened documents (HTML pinger), 54 flash drives got returned.
20% were opened within the first hour. In less than 5 hours half of the devices were used by someone.
Study & talk (2016) by Elie Bursztein: https://www.youtube.com/watch?v=XJCQBqTmGUU
@fribbledom I may try to get her financial help.
@fribbledom Wow... is this what 'scientific' studies have come to? 😂
In a truly controlled study, these USB drives would have actually had the word "malicious" written on them.
Nobody claimed it's a scientific study: it's a blackhat talk.
You could certainly do a control test with drives marked as "malicious", but I really think that's beside the point of the talk.
If you watch it, Elie goes very much into detail how he marked the drives and how it affected the outcome.
@fribbledom those numbers are bonkers.
Now, I've picked up a few flash drives that I found, in parking lots. But I've immediately wiped them clean with dd on an offline machine. I wouldn't even mount the partition, much less click a file.
Frankly, I'd either try to return the device or just leave it where it is.
Flash drives aren't worth that much after all, and besides "BadUSB" they open a whole new vector of malicious attacks: to really trust it, you'd have to crack its shell open and take a closer look at the underlying circuitry.
@fribbledom yeah I'm more curious than I am smart. Or at least, you're smarter than me.
@fribbledom wow, when a tv show (Mr. Robot) uses that tactic and it fails, Im impressed that they used an attack vector that usually works but have it fail. If I remember correctly though they plugged it in and antivirus on network blocked it.
@bkool Spoilers! 😂
lol its a real-life Cryptkey from the big bang theory 😂
I found a 32GB USB drive in my front lawn once
I figured some kid dropped it when going to school
it was new, still in package
I remembered I did get a little paranoid so I opened it with an old cell phone and I did wipe it even thou it was new
basic take away, why havent they added built in authentication for USB devices yet? I am pretty sure this attack will become easier over time.
@fribbledom You're making me want to try that.
@fribbledom I always take something like that to a public location or connect it to an old computer without network connectivity before I do anything with it. Like, I'm gonna keep the flash drive if there's no identifying information, but like, check it first, jesus
@fribbledom it's actually still a very valid way of spreading your virus if you live in a populated area.
one point i'd note, is that they did this on a school campus. it doesn't necessarily mean that half the people were taking the personal risk, if they were looking into it on, say, a library computer, as the top comment of that reddit post screenshot they showed did.
also, given that most reported opening it to find the owner, and few opened it with contact info on a tag, i wonder if you could boost success rate with a 'contact info inside' tag, or if that'd be suspect
@fribbledom Best investment I ever made when I was a pen tester was $50us for an iPod on Craigslist. Rig up with malware, leave on sidewalk.
@fribbledom The average person doesn't have any real education about even the most common of vectors, so it's no surprise that you get results like this.
There is a lot more 'common knowledge' surrounding personal safety & physical security because there's some minimum standard of education that parents and schools pass on to kids.
Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!