“We investigate the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus. We find that the attack is effective with an estimated success rate of 45–98% and expeditious with the first drive connected in less than six minutes.”
The experiment, which was carried out at the University of Illinois Urbana-Champaign, also investigated the possible motives for such behaviour in memory-stick finders:
“Users pick up the drives with altruistic intentions based on the types of the drives that were connected, the files that were opened, and the number of unconnected drives that were returned to us. However, we simultaneously note that nearly half of users are overtaken by curiosity, first opening vacation photos instead of the prominently placed résumé (which would have reasonably included contact information).”
see: ‘Users Really Do Plug in USB Drives They Find’ by Matthew Tischer (University of Illinois, Urbana-Champaign), Zakir Durumeric (University of Michigan), Sam Foster, Sunny Duan, and Alec Mori (University of Illinois, Urbana-Champaign), Elie Bursztein (Google), and Michael Bailey (University of Illinois, Urbana-Champaign). The paper will be presented next week at the 37th IEEE Symposium on Security and Privacy, Session #4: Call me on usable security, May 23rd 2016, San Jose, California.
Note: The paper focuses on the likelihood that curious finders’ machines could become infected with viruses – but Improbable also has a question about other possibilities:
Question [optional] “Given the high percentage of people who opened the files, would ‘losing’ a bunch of USB drives be a ‘good’ way for a whistleblower to anonymously* divulge data?”