Users Really Do Plug in USB Drives They Find

Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Donald Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45 - 98% and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers. We conclude with lessons learned and discussion on how social engineering attacks - while less technical - continue to be an effective attack vector that our community has yet to successfully address.

Original language: English (US)
Title of host publication: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 306-319
Number of pages: 14
ISBN (Electronic): 9781509008247
DOI: https://doi.org/10.1109/SP.2016.26
State: Published - Aug 16 2016
Event: 2016 IEEE Symposium on Security and Privacy, SP 2016 - San Jose, United States
Duration: May 23 2016 to May 25 2016

Publication series

Name: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

Other

Other: 2016 IEEE Symposium on Security and Privacy, SP 2016
Country: United States
City: San Jose
Period: 5/23/16 to 5/25/16

Keywords

  • USB
  • social engineering

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Software

Cite this

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. D. (2016). Users Really Do Plug in USB Drives They Find. In Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016 (pp. 306-319). [7546509] (Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2016.26

@inproceedings{67e31f0081e84e67afe201d0a95418b0,
title = "Users Really Do Plug in USB Drives They Find",
abstract = "We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45 - 98{\%} and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers. We conclude with lessons learned and discussion on how social engineering attacks - while less technical - continue to be an effective attack vector that our community has yet to successfully address.",
keywords = "USB, social engineering",
author = "Matthew Tischer and Zakir Durumeric and Sam Foster and Sunny Duan and Alec Mori and Elie Bursztein and Bailey, {Michael Donald}",
year = "2016",
month = "8",
day = "16",
doi = "10.1109/SP.2016.26",
language = "English (US)",
series = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "306--319",
booktitle = "Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016",
address = "United States",

}

TY - GEN

T1 - Users Really Do Plug in USB Drives They Find

AU - Tischer, Matthew

AU - Durumeric, Zakir

AU - Foster, Sam

AU - Duan, Sunny

AU - Mori, Alec

AU - Bursztein, Elie

AU - Bailey, Michael Donald

PY - 2016/8/16

Y1 - 2016/8/16

AB - We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45 - 98% and expeditious with the first drive connected in less than six minutes. We analyze the types of drives users connected and survey those users to understand their motivation and security profile. We find that a drive's appearance does not increase attack success. Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers. We conclude with lessons learned and discussion on how social engineering attacks - while less technical - continue to be an effective attack vector that our community has yet to successfully address.

KW - USB

KW - social engineering

UR - http://www.scopus.com/inward/record.url?scp=84987619359&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84987619359&partnerID=8YFLogxK

U2 - 10.1109/SP.2016.26

DO - 10.1109/SP.2016.26

M3 - Conference contribution

T3 - Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

SP - 306

EP - 319

BT - Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016

PB - Institute of Electrical and Electronics Engineers Inc.

ER -