Privacy & security

The “found a USB stick” attack still works.

People assume USB malware died with autorun in the 2000s. A controlled experiment says otherwise: the attack just moved from the operating system to the one component that never got patched — human curiosity.

Security researchers scattered 297 USB drives around a university — parking lots, hallways, cafeterias — and waited. The drives quietly reported back when their files were opened. The results are the kind that make IT departments wince.

✕ The myth

"USB malware is a solved, 2000s problem."

Windows disabled autorun years ago, so a stray drive can't do anything now.

✓ The reality

The attack moved to the human.

98% of the dropped drives were picked up, and 45% had files opened by the finder.1 Autorun didn't need to fire — curiosity did the clicking.

That's the uncomfortable finding: disabling autorun removed the automatic infection, but it never touched the social one. A helpfully-labelled file ("Q3 layoffs.xlsx", "Photos") is all it takes for a large fraction of people to double-click. And newer BadUSB-style attacks go further, with a drive's firmware impersonating a keyboard to type commands — no file to open at all.

The experiment nobody wants to fail
0%

Of 297 USB drives dropped on a campus, this share had files opened by whoever found them (98% were picked up). The vulnerability wasn't the software — it was us.1

Source: Tischer et al., IEEE Symposium on Security & Privacy (2016)

Why this matters at audits and training days

These are exactly the settings where drives change hands casually: "here are the training slides," "put the audit evidence on this stick." A visiting auditor's drive, a trainer's shared USB, a "helpful" freebie from a conference — each is an unvetted device meeting a trusted machine. The campus study shows the base rate of people trusting found media; a professional setting with a plausible story only raises it.

0%
Of dropped drives were picked up and taken — the pickup step is nearly guaranteed.1
0%
Had files opened — the human "click" the malware needs.1
BadUSB
Firmware attacks let a drive act as a keyboard — no file to open at all.
⚖ The honest bit — the threat is smaller than it was

Modern defences genuinely helped. They didn't finish the job.

Credit where due: disabling autorun by default, better endpoint protection, and device-control policies have meaningfully reduced classic USB worms. If your organisation blocks unknown USB devices at the endpoint, you're in good shape. The residual risk is specifically the human path — curiosity plus a convincing label — and firmware tricks that antivirus can't always catch. The durable fix isn't a better scanner; it's not needing to plug in strangers' drives in the first place. You can't be social-engineered into opening a drive you never had a reason to accept.

Where SyncBy!App fits

A lot of USB hand-offs exist purely to move a presentation from one machine to a screen. SyncBy removes that specific errand: slides go from your phone to the display wirelessly, so there's no drive to hand over, borrow, or "just quickly plug in." It won't fix USB culture across your whole org — but for the presentation use case, it deletes the risky step entirely.

TL;DR
  • In a controlled study, 98% of dropped USB drives were picked up and 45% had files opened.1
  • Autorun is disabled, so the attack shifted to social engineering — and it still works.
  • BadUSB firmware attacks bypass "just don't open the file" entirely.
  • Honest caveat: modern defences reduced the classic threat; the fix for the rest is not needing unknown drives at all.

Sources

  1. Study Tischer, M., et al. (2016). Users Really Do Plug in USB Drives They Find. IEEE Symposium on Security & Privacy. 297 drives dropped; 98% removed, 45% opened files. See also the plain-language summary.
  2. Vendor doc Microsoft — AutoRun/AutoPlay has been disabled by default for removable drives since Windows 7 era, which is why the attack shifted to social engineering (background context on the change).
← PrevWhy sharing results on a shared USB stick risks patient data Next →What 'the session self-destructs' means for confidential docs