Say you’re walking down the street and find a USB drive on a bench. Would you pick it up and use it, not knowing what might be on there?
An Illinois business created that exact scenario in popular areas of Chicago, San Francisco, Washington, D.C., and Cleveland to find out how savvy people are when it comes to cyber security.
Dallas Harty, who works in downtown Chicago, unknowingly became part of the social experiment.
“I was coming back from lunch and I spotted this USB drive on the bench over here,” Harty said. “I watched for a little while and then I looked around to see if there was anybody here that was going to pick it up. I figured I needed a USB drive, so I picked it up.”
He wasn’t the only one.
“I decided this belongs to somebody,” said computer engineer Bill Stoneking. “Do I take it inside and drop it off at the front desk where it may never be seen or heard from again or do I look into it?”
Both men plugged the USB sticks into their personal laptop.
“I couldn’t resist,” Harty said. “I had to know.”
“I was like, all right, let me see what’s on here,” Stoneking said.
They both found a single file on the drive. Harty opened the file. Stoneking only viewed it in the preview panel. A letter informed them they were part of an experiment and that they should either click a link or e-mail the person running the experiment.
“Well, I’m sorry, I’m not going to click on a link,” said Stoneking.
But both men did shoot off an e-mail.
The Illinois non-profit trade association CompTIA is the brainchild behind the experiment. The company strategically placed 200 USB drives in four cities, seeking to find out if anyone would pick up a random flash drive and put it in a computer --- not knowing what might be on the drive.
“Plugging in a USB stick is one of the worst things someone can do,” said Tod Thibodeaux, president and CEO of Comp TIA. “Plugging that into your computer, you’re introducing all kinds of opportunities for malware, spyware, ransom ware, all kinds of things could be installed on your computer.”
Surprisingly, nearly 20 percent of the people who found the flash drives plugged them into a computer and clicked on the text file, the study found. Most of those people were men.
At the San Francisco International Airport, a number of people who found the USB sticks worked in the IT industry and yet still plugged the drive into their computer.
But in Washington, D.C., only a few of the USB drives were picked up and plugged in, possibly because of the number of government employees.
As a computer engineer, Stoneking’s job is to protect companies against cyber-attacks. So when he found one of the thumb drives in downtown Chicago, he knew exactly what could happen if the drive was infected.
“I’ve seen people trash their machines, their computers. I’ve seen networks get infected because someone receives an e-mail and ill-advised they click a link inside of there and it takes them to a website that installs malware on their machine.”
Stoneking first scanned the drive and then put it in a personal computer not connected to the Internet. But most people don’t know to take these precautions.
“We were pretty astonished by the numbers we found,” Thibodeaux said.
And while none of these drives posed a threat, the social experiment did prove one thing. Even the most savvy, educated people made the risky decision to use a stranger’s USB drive and ignore the most basic cyber security rule.
“So curiosity killed the cat, per se, and it’s killed a lot of hard drives too,” said Stoneking.