
I found a USB stick in the street the other day. This is not the first thumb drive I have found, and apparently this is not an unusual event, as some reports indicate that dry cleaners find thousands of them (along with some more unsavory items) each year.

These reports are consistent with news stories about unusual items left in the back of taxis, including some 190,000 phones that are left in the back of London taxis every year. In total, Consumer Reports indicates that over one million phones were lost in 2013.

It seems that we are not very good at holding onto our devices. While it is fairly easy to return a lost phone to its owner, the same is not true with a USB stick.

The owner of a lost phone will usually call the phone to see who found it. By contrast, the only way to possibly locate the owner of a found thumb drive is to plug it into a computer and see if there are any clues in its contents, as many folks who carry USB sticks do not encrypt the contents, meaning that the information on those devices is readily accessible.

Unfortunately, this is a very dangerous method, as USB sticks may contain malware.

In the now famous “Stuxnet” case, infected USB sticks were purposely dropped in a parking lot in the hope that an employee of the nearby factory would plug one into a computer to damage the machinery – this ploy was very successful.

The ability to write malware code onto USB sticks is not a new phenomenon, and the “USB drop” technique is used by some security assessment companies to test staff awareness. There is even a smartly priced, commercially available USB device onto which one can load customized code.

What should you do if you find a USB stick and you want to locate the owner?

Unfortunately, the only safe way to view the contents is to use a machine that will not allow the writing of any files to a hard drive. A computer without a hard drive could be booted with a bootable DVD of a Linux distribution. This would allow a person to mount the USB stick to try to find clues to locate the owner.
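As an added example (not part of the original article), here is a check that could be run on such a diskless live Linux session before mounting anything: it reads the interface classes the stick declares in sysfs and flags a device that claims to be a keyboard-type (HID) device rather than plain storage. The function names, the sample tree and the `/dev/sdX1` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage a found USB stick from a live (RAM-only) Linux session.
# USB interface class codes: 08 = mass storage, 03 = HID (keyboard/mouse).

# Print the interface classes a device declares, one per line.
# $1 = the device's sysfs directory, e.g. /sys/bus/usb/devices/1-2
usb_iface_classes() {
    for f in "$1"/*:*/bInterfaceClass; do
        if [ -r "$f" ]; then
            tr -d '[:space:]' < "$f"
            echo
        fi
    done
    return 0
}

# Print a verdict: storage-only, hid-present, unexpected-class or no-interfaces.
usb_verdict() {
    classes=$(usb_iface_classes "$1")
    [ -n "$classes" ] || { echo "no-interfaces"; return 0; }
    verdict="storage-only"
    for c in $classes; do
        case "$c" in
            08) ;;                                  # mass storage, expected
            03) echo "hid-present"; return 0 ;;     # claims to be a keyboard/mouse
            *)  verdict="unexpected-class" ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample data: a fake sysfs tree with three devices.
build_sample_tree() {
    mkdir -p "$1/1-2/1-2:1.0" "$1/1-3/1-3:1.0" "$1/1-3/1-3:1.1" "$1/1-4/1-4:1.0"
    echo 08 > "$1/1-2/1-2:1.0/bInterfaceClass"   # plain storage stick
    echo 08 > "$1/1-3/1-3:1.0/bInterfaceClass"   # storage ...
    echo 03 > "$1/1-3/1-3:1.1/bInterfaceClass"   # ... plus a HID interface
    echo ff > "$1/1-4/1-4:1.0/bInterfaceClass"   # vendor-specific class
}

sample=$(mktemp -d)
build_sample_tree "$sample"
for d in "$sample"/*; do
    echo "$(basename "$d"): $(usb_verdict "$d")"
done
rm -rf "$sample"

# Only after a storage-only verdict, mount without write or execute rights
# (/dev/sdX1 is a placeholder for the stick's partition):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt
```

The verdict reflects only what the device declares at the moment it is read, so it is a first filter and not a guarantee.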

As you can see, this “safe technique” is far beyond the technical understanding of the average person, and it is best left to a professional.

The best thing to do with a found USB stick is to turn it over to the nearest lost and found.

Our general tendency is towards helping others; however, in the case of a found USB stick, please resist the urge to plug it into a computer to view the contents.

Title image courtesy of ShutterStock

  • Baylink

    Worth noting that Autorun is *switchable* at least in Win >= 7, and probably in OS/X as well, and everyone should turn it the hell off, right now.

    • Ox000000

      autorun isn’t the thing: you can’t turn off usb keyboard drivers

    • Nick

      IIRC, Stuxnet leveraged a vulnerability that meant its code was “automatically run” simply by plugging in the device, regardless of the “autorun” being enabled or not on the victim machine.

      And, as “Ox000000” says, USB support for keyboards (actually, more generally HID – Human Interface Devices) cannot be (easily) disabled. The attack scenario here is that you plug in what looks like a USB thumb drive but, unbeknownst to you, it has been gutted and the new electronics inside it identify it to the system as a HID and it starts typing Windows shortcut keys and commands to start a process and do something you’d not want it doing. Of course, it can type very fast…

      Oh, and worse? Maybe that thumb drive initially does claim to be a storage device and you start spelunking around its contents, and then the device changes its ID and claims to be a HID. Few OSes have any kind of “protection” for this kind of attack and happily start accepting keyboard input from the device.

  • Now suppose I boot my PC from a CD–will that stop the malware? If not, I can disconnect the hard drive easily enough.

    • hackerb9

      It *probably* would, but is “probably” good enough for you? If you need absolute certainty, unplug the hard drive.

      Personally, at this time in my life I don’t need 100% certainty. I’ve assessed the risk (given who I am, where I work, etc.) to be vanishingly small, especially since my boot CDs are not the usual operating system. (Heterogeneous systems aren’t impervious, but at least they’re not as ridiculously vulnerable as a monoculture.)

      By the way, you don’t need to use an actual CD. There are bootable USB drives that load themselves into RAM so you can unplug them once the system has started up.