The study is five years old, but it is still relevant enough to be in the news today. In 2016, researchers from the University of Illinois, Michigan, and Google spread 297 flash drives across their university's campus. According to Numerama, "98 percent of the flash drives abandoned on campus were picked up by passersby, and at least 45 percent of them were opened to inspect the contents."
Only 13% of the individuals who agreed to answer the researchers' questions said they "took special precautions before opening the key. 68% admitted that they opened it without being suspicious of what might be on it."
While the Illinois researchers' experiment was safe for users, inserting a "found" USB drive can have serious consequences. USB flash drives are not the only hardware at risk: human interface devices ("HID") such as keyboards, mice, smartphone chargers, or any other connected object can be tampered with by malicious people. And the consequences are severe: data theft or destruction, sabotage, ransom demands, etc.
USB drives are used by 90% of employees in companies, making them a prime target for cybercriminals.
Cybercriminals use so-called "malicious" USB keys: drives that carry a predefined attack plan, which lets the attacker steal a user's data, access the user's keyboard or screen (and so see everything the user does, for example), or encrypt the user's data in exchange for a ransom demand.
The most famous rogue USB drives are the "Rubber Ducky" or "lost" drives.
The "lost" USB flash drive, also known as the "Rubber Ducky" flash drive, works as soon as it is inserted into the computer. If the computer does not seem to detect it, or the drive simply seems to be out of order, that impression is false.
The infected USB stick has in fact done its job, and it is already too late: the attacker has already been able to take control of the computer remotely and retrieve sensitive information such as passwords or bank details.
Fortunately, solutions exist to protect against this type of attack.
Here are some simple things to remember:
Training your employees and making them aware of the possible risks can also pay off. USB key attacks are indeed very common and affect all sectors.
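A drive of the "Rubber Ducky" type looks dead because it announces itself to the computer as a keyboard rather than as storage, which a defender can check from the interface classes the device reports. The following is an added example, not part of the original article: it reads the class fields Linux exposes under `/sys/bus/usb/devices` and flags a supposed storage stick that presents an input device. The sample tree, device names and verdict strings are constructed for illustration.

```python
import os, tempfile

HID, MASS_STORAGE = 0x03, 0x08   # USB-IF base class codes
BOOT_KEYBOARD = (0x01, 0x01)     # HID subclass "boot", protocol "keyboard"
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def read_interfaces(sysfs_root):
    """Group (class, subclass, protocol) triples by device, sysfs-style layout."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:         # interface dirs look like "1-2:1.0"
            continue
        triple = []
        for name in FIELDS:          # each file holds one hex byte, e.g. "03"
            with open(os.path.join(sysfs_root, entry, name)) as fh:
                triple.append(int(fh.read().strip(), 16))
        devices.setdefault(entry.split(":")[0], []).append(tuple(triple))
    return devices

def assess(interfaces):
    """Verdict for a device the user believes is a plain storage stick."""
    classes = {c for c, _, _ in interfaces}
    if any(c == HID and (s, p) == BOOT_KEYBOARD for c, s, p in interfaces):
        return "block: presents a keyboard"
    if HID in classes:
        return "block: presents an input device"
    if classes == {MASS_STORAGE}:
        return "storage only: scan before opening"
    return "review: unexpected interface classes"

def build_sample_tree(root):
    """Constructed sample data, not captured from real hardware."""
    sample = {
        "1-1:1.0": ("08", "06", "50"),   # ordinary flash drive
        "1-2:1.0": ("03", "01", "01"),   # "stick" that enumerates as a keyboard
        "1-3:1.0": ("08", "06", "50"),   # composite device: storage ...
        "1-3:1.1": ("03", "00", "00"),   # ... plus a generic HID interface
    }
    for iface, values in sample.items():
        os.makedirs(os.path.join(root, iface))
        for name, value in zip(FIELDS, values):
            with open(os.path.join(root, iface, name), "w") as fh:
                fh.write(value + "\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {dev: assess(ifs) for dev, ifs in read_interfaces(root).items()}

if __name__ == "__main__":
    for dev, verdict in demo().items():
        print(dev, "->", verdict)
```

On a real Linux host, `read_interfaces("/sys/bus/usb/devices")` reads the same fields for attached hardware; the "storage only" verdict says nothing about the files on the drive.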
Source: Les Echos, The essentials of cybersecurity in companies