Getting people to bypass standard security best practices seems to be easy when they find a stray USB drive. In this test described by Elie Bursztein, we find that people will plug a USB drive they found into their computer without regard to the potential security risk.
To put this attack to the test, we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. We find that users picked up, plugged in, and clicked on files in 48% of the drives we dropped. They did so quickly: the first drive was connected in under six minutes. This blog post summarizes how we ran the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses possible mitigations to improve USB security.
As visible on the chart below, USB sticks with labels that invoke curiosity are more likely to be opened than USB sticks without any distinctive marking. The surprising part is that attaching physical keys to elicit altruistic behavior was most effective. As discussed below, altruistic behavior is the number one reason users report for opening the keys. Keys with an attached return label were the least opened, likely because people had another means to find the owner. Note that the differences in opening rate are NOT statistically significant, except that the drives with return labels were less frequently connected.