Ethredix

Lost or Loaded? Found a USB? Leave It Be — The Hidden Danger of USB Dropping Attacks

Finding a flash drive on a bench or in a store triggers a natural instinct — to return it to the owner, to quickly check what’s on it, or to keep it. Sadly, attackers exploit that instinct. In this article, I describe common techniques, real risks, and simple rules to keep you safe.

Author: Tomáš
Reading time: ~5 minutes
Illustration: found USB on a bench
⚠️ One simple rule

Found a USB? Do not plug it in. If you must check the contents, do so only on an isolated machine with no access to sensitive data or the internet.

Why it works

When we find something, most of us want to help or at least find the owner. Attackers know this, so they leave “lost” USBs in places where they’ll be found. One impulse is enough — someone plugs it in and the damage begins.

Threats have evolved: once it was mainly AutoRun and automatic program execution; today attackers use more sophisticated techniques that can bypass common protections.

A short note on AutoRun

AutoRun was originally developed in 1995 for Windows 95 to simplify software installation from CD/DVD. With the advent of USB drives, the functionality extended to them as well. AutoRun for USB media has been blocked since 2009 through an update for Windows XP, and by default since Windows 7. With AutoRun enabled, anything can happen: malware execution, ransomware encrypting your files, installation of a backdoor for remote access, or theft of sensitive data. Because the feature is now blocked by default, you are protected against this type of attack unless you manually enabled AutoRun.

HID attacks — devices that “type” for you

Some fake USBs look like ordinary flash drives, but the OS identifies them as keyboards. The danger is that they can immediately send keystrokes — opening a terminal, downloading malware, or changing system settings.

In practice this means the software doesn’t need a vulnerability — the attacker simply types commands as if they were a human at the keyboard.

Figure: HID device. Looks like USB, but behaves differently inside. (Source: m.media-amazon.com)

Tip: if a device starts “typing” or asks for credentials without warning, unplug it immediately.

USB Killer — Physical Destruction and Hardware Protection

There is another, lesser-known threat: devices that aim to damage hardware rather than steal data. A so-called USB Killer sends a high-voltage pulse (up to 240 V) into the port, which can fry the USB controller or even the entire motherboard. Only hardware protection helps against this kind of attack — ordinary antivirus software won’t.

Types of Hardware Protection

  • USB Condoms:
    They work by physically interrupting the data lines in the USB cable. Inside, they only have connected power wires (+5V and GND), while the data wires (D+ and D-) are completely removed. The device can only charge but CANNOT communicate with the computer. This protects against HID attacks and data-based attacks, but does NOT protect against USB Killer high-voltage attacks.
  • Opto-isolators:
    They use LEDs and phototransistors to transmit data without electrical connection. The data signal is converted to light, which passes through an isolation barrier and is converted back to an electrical signal on the other side. This creates galvanic isolation that blocks high voltage transmission.
  • Fuse modules:
    They contain fast fuses or polyfuses that immediately interrupt the circuit when overcurrent or overvoltage is detected. Some more advanced versions also have varistors or TVS diodes that absorb voltage spikes and protect sensitive components.

Lifespan and Usability

Quality hardware protections can last for years of normal use. Opto-isolators have a technical lifespan of about 100,000 operating hours; the lifespan of USB condoms is almost unlimited, as they contain no active components. Fuse modules protect until they burn out and must then be replaced.

Let’s be honest – how many of us actually use such devices? Even though various forms of protection exist, most can be bypassed in practice. Ultimately, the best protection remains the user’s caution.

Other risks

  • Ransomware or a trojan that executes after connection.
  • Firmware infection — a more persistent compromise.
  • Data theft if you test on a machine with access to sensitive files.

What to do in practice

As we mentioned at the beginning, the best and safest approach is to not deal with the USB drive at all and leave it where it is. If you have already picked it up and have it with you, the safest option is to throw it in the trash. If you have the opportunity, you can hand over the USB to the IT department at your work or school — they should know how to handle such devices safely.

If you still decide to check the contents of the USB with your own eyes, connect it exclusively to a computer that is not connected to the internet, has none of your personal information or data, and is a computer whose loss or destruction would not be a problem for you.

Available technical protections

  • USB "condoms": block data lines and allow only charging.
  • Opto-isolators or specialized adapters: they isolate signals and can help against high-voltage attacks.
  • For organizations: Device Control and EDR tools to block unauthorized devices.
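The HID section above and the Device Control item in this list rest on the same check: what interface classes a device announces when it enumerates, compared against what the organization has issued. The following is an added example, not code from the article or from any product; the vendor/product IDs, allowlists, sample devices and the `evaluate` function are constructed for illustration, while the class codes are the ones defined by the USB specification.

```python
from dataclasses import dataclass

# bInterfaceClass codes defined by the USB specification.
HID, MASS_STORAGE = 0x03, 0x08
# HID bInterfaceProtocol 0x01 = boot keyboard. Only a hint: a HID interface
# with protocol 0x00 can still send keystrokes, so policy keys on the class.
BOOT_KEYBOARD = 0x01

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # one (class, subclass, protocol) triple per interface

# Constructed allowlists. VID/PID are self-reported by the device, so treat
# a match as necessary, not sufficient.
TRUSTED_HID = {(0x1111, 0x0001)}
TRUSTED_STORAGE = {(0x2222, 0x0002)}

def evaluate(dev: UsbDevice):
    """Return (verdict, reason) for a newly enumerated device."""
    ident = (dev.vid, dev.pid)
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    if HID in classes and MASS_STORAGE in classes:
        return "block", "composite device exposes storage and HID together"
    if HID in classes:
        if ident in TRUSTED_HID:
            return "allow", "issued input device"
        kb = any(c == HID and p == BOOT_KEYBOARD for c, _s, p in dev.interfaces)
        return "block", "unknown keyboard" if kb else "unknown HID device"
    if MASS_STORAGE in classes:
        if ident in TRUSTED_STORAGE:
            return "allow", "issued storage device"
        return "block", "unknown storage device"
    return "review", "class not covered by policy"

# Constructed sample devices, as they might be read from interface descriptors.
SAMPLES = [
    UsbDevice(0x1111, 0x0001, "Office keyboard", ((HID, 1, 1),)),
    UsbDevice(0x9999, 0x0009, "USB Flash Disk", ((HID, 1, 1),)),
    UsbDevice(0x9999, 0x000A, "USB Flash Disk", ((MASS_STORAGE, 6, 0x50), (HID, 0, 0))),
    UsbDevice(0x2222, 0x0002, "Issued stick", ((MASS_STORAGE, 6, 0x50),)),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d.vid:04x}:{d.pid:04x} {d.product!r}: {evaluate(d)}")
```

The second sample is the case the article warns about: the product string says flash disk, but the only interface it announces is a keyboard, and the policy decides on the interface class rather than the label.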

Short practical examples

Stuxnet (2009)

Stuxnet was one of the first known cases where a USB drive became a direct attack vector against isolated industrial systems. The malware was found in Iranian SCADA environments and infected PLCs controlling uranium centrifuges. Attackers relied on infected USB drives carried by maintenance staff between air-gapped computers. Stuxnet then manipulated the centrifuges’ operation at the Natanz nuclear facility, causing physical damage. It proved that even offline networks can be compromised when data is moved physically.

Organizational incidents

Many organizations have experienced incidents where a found or lost flash drive caused serious consequences. In 2017, a USB stick containing over 2.5 GB of sensitive Heathrow Airport security data—including camera layouts and access details—was found on a London street. Similarly, in hospitals and offices, connecting an unknown USB device has led to ransomware outbreaks and system downtime. Such events have driven companies to adopt stricter internal policies—banning personal USB media and deploying endpoint control software to monitor connected devices.

Conclusion

USB dropping is a simple but effective way to exploit human curiosity. By combining common sense with a few sensible technical measures we can significantly reduce risk. The most powerful defense remains the caution of each individual.

Glossary

USB dropping

A cyber attack where attackers intentionally leave configured USB devices in public places to exploit human curiosity and willingness to help.

HID attacks

A technique where USB devices pretend to be human interface devices (keyboards/mice) and can immediately send commands to the computer.

USB Killer

A specially modified USB device that sends high voltage into the port with the aim of physically destroying hardware.

USB condoms

Adapters that physically block data lines and only allow power, preventing data-based attacks.

Opto-isolators

Devices using light to transmit data across an isolation barrier, creating galvanic separation.

Fuse modules

Hardware components containing fuses or polyfuses that protect against overvoltage and overcurrent.

AutoRun

A Windows feature that automatically runs programs from removable media. Blocked for USB since Windows 7.

Ransomware

Malicious software that encrypts a victim's data and demands a ransom for its restoration.

Trojan

A malicious program that disguises itself as legitimate software but performs hidden malicious functions.

Firmware

Low-level software embedded directly into hardware.