@inproceedings{67e31f0081e84e67afe201d0a95418b0,
title = "Users Really Do Plug in USB Drives They Find",
abstract = "We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45 - 98% and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks then their peers. We conclude with lessons learned and discussion on how social engineering attacks - while less technical - continue to be an effective attack vector that our community has yet to successfully address.",
keywords = "USB, social engineering",
author = "Matthew Tischer and Zakir Durumeric and Sam Foster and Sunny Duan and Alec Mori and Elie Bursztein and Michael Bailey",
note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 2016 IEEE Symposium on Security and Privacy, SP 2016 ; Conference date: 23-05-2016 Through 25-05-2016",
year = "2016",
month = aug,
day = "16",
doi = "10.1109/SP.2016.26",
language = "English (US)",
series = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "306--319",
booktitle = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
address = "United States",
}