At every security conference you will inevitably hear hackers boasting that they can break into any company by dropping a malicious USB drive in the company’s parking lot. This anecdote has even entered mainstream culture and was prominently featured in the Mr. Robot TV series. However, despite its popularity, there has been no rigorous study of whether the attack works or is merely an urban legend.
To answer this burning question and assess the actual threat posed by malicious USB drives, we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And oh boy, how effective that was! Of the drives we dropped, 98% were picked up, and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
We then look at how a real attacker can make USB drop attacks more effective by developing realistic HID spoofing USB keys.