Privacy & security
The “found a USB stick” attack still works.
People assume USB malware died with autorun in the 2000s. A controlled experiment says otherwise: the attack just moved from the operating system to the one component that never got patched — human curiosity.
6 min read
Mar 2026
Every claim sourced · 2 references
Security researchers scattered 297 USB drives around a university — parking lots, hallways, cafeterias — and waited. The drives quietly reported back when their files were opened. The results are the kind that make IT departments wince.
✕ The myth
"USB malware is a solved, 2000s problem."
Windows disabled autorun years ago, so a stray drive can't do anything now.
✓ The reality
The attack moved to the human.
98% of the dropped drives were picked up, and 45% had files opened by the finder.1 Autorun didn't need to fire — curiosity did the clicking.
That's the uncomfortable finding: disabling autorun removed the automatic infection, but it never touched the social one. A helpfully-labelled file ("Q3 layoffs.xlsx", "Photos") is all it takes for a large fraction of people to double-click. And newer BadUSB-style attacks go further, with a drive's firmware impersonating a keyboard to type commands — no file to open at all.
Why this matters at audits and training days
These are exactly the settings where drives change hands casually: "here are the training slides," "put the audit evidence on this stick." A visiting auditor's drive, a trainer's shared USB, a "helpful" freebie from a conference — each is an unvetted device meeting a trusted machine. The campus study shows the base rate of people trusting found media; a professional setting with a plausible story only raises it.
0%
Of dropped drives were picked up and taken — the pickup step is nearly guaranteed.
1
0%
Had files opened — the human "click" the malware needs.
1
BadUSB
Firmware attacks let a drive act as a keyboard — no file to open at all.
⚖ The honest bit — the threat is smaller than it was
Modern defences genuinely helped. They didn't finish the job.
Credit where due: disabling autorun by default, better endpoint protection, and device-control policies have meaningfully reduced classic USB worms. If your organisation blocks unknown USB devices at the endpoint, you're in good shape. The residual risk is specifically the human path — curiosity plus a convincing label — and firmware tricks that antivirus can't always catch. The durable fix isn't a better scanner; it's not needing to plug in strangers' drives in the first place. You can't be social-engineered into opening a drive you never had a reason to accept.
Where SyncBy!App fits
A lot of USB hand-offs exist purely to move a presentation from one machine to a screen. SyncBy removes that specific errand: slides go from your phone to the display wirelessly, so there's no drive to hand over, borrow, or "just quickly plug in." It won't fix USB culture across your whole org — but for the presentation use case, it deletes the risky step entirely.
TL;DR
- In a controlled study, 98% of dropped USB drives were picked up and 45% had files opened.1
- Autorun is disabled, so the attack shifted to social engineering — and it still works.
- BadUSB firmware attacks bypass "just don't open the file" entirely.
- Honest caveat: modern defences reduced the classic threat; the fix for the rest is not needing unknown drives at all.