Why You Should Never Plug in an Unknown USB Device
Let’s set the scene: you’re in the world, doing what you’re doing when you stumble upon an abandoned USB drive. What could be inside? Maybe it’s just someone’s spreadsheets from work – maybe along with some information that identifies the owner, allowing you to return it. But also, maybe state secrets? The only way to find out is to plug it into a computer and explore. But here’s the thing: don’t do it.
Of course, the USB device you found could be a completely innocent one, accidentally dropped by someone walking the same path as you. However, it can also be a trap designed to prey on your curiosity, and when you choose to connect it to your personal computer, all you find on it is malware.
Malware-infected USB devices are a real problem
While this may sound like something out of a movie, people do infect USB devices with malware and abandon them so that unsuspecting victims can find them. Targets range from large to small, with the most notorious hack likely being against Iran in 2010: one such attempt infected the country’s nuclear facilities with Stunext malware , despite the entire system being cut off from any internet communications.
In lower stakes cases, this can seem like a rather roundabout and random attack. After all, phishing emails and texts can be sent straight to the tags, while the USB device must first be raised and then plugged in for it to work.
As it turns out, the likelihood of someone plugging in a strange USB is pretty high. One study ran about 300 USB devices across a “large college campus” and found that 98% of the devices were picked up by students and staff, and nearly half chose to plug the USB device into their computer – with the first connection. six minutes after the start of the study. All of which suggests that in this scenario, the hacker investment is likely to pay off.
This is not a new problem. In 2008, US-CERT (Computer Emergency Response Teams) issued a warning about malware-infected USB devices . Prior to this, floppy disks were used in a similar way. And while we may have moved away from physical storage in favor of the cloud, USB devices are still common enough to pose this threat.
It’s hard to tell how widespread this threat really is, but with cyber attacks on the rise, it’s always better to be safe than sorry. Avoiding connecting someone else’s USB device to your personal computer is simply cybersecurity best practice, just like not using the same password twice helps protect your accounts.
However, if you can’t fight your curiosity, you’re not completely out of options (although you may be entering unethical territory). In a Reddit thread on the subject , one user describes how they take each USB device they find to Best Buy for testing on the store’s computers. I don’t vouch for this method as I can’t put up with the risk to the store’s property, but the general idea of testing a USB without risking your personal device and information or anyone else’s is reasonable. Which is good, because let’s be realistic: you’re definitely going to plug this USB device into the .