Two thirds of a random assortment of USB flash drives bought second-hand at an Australian rail company lost property auction turned out to be infected with malware, security company Sophos has reported.
Despite being light-hearted and not particularly scientific, the survey offers an alarming insight into the insecure working life of the average USB drive, at least as far as suburban Australia is concerned.
The company purchased three bags of drives at auction, 57 in total, lost on the Rail Company New South Wales network, at a cost of Australian dollars 268 ($409); 50 drives turned out to be in working order.
After noting that the same drives could be bought for roughly half that sum when new, Sophos analysed the contents of the working units, which had a median FAT capacity of 2GB. Astoundingly, 33 of the 50 drives contained malware, with one drive containing four different types of malware.
Although the researchers found no Mac malware, nine of the keys were formatted to work on Apple. Six of these contained PC malware, which underlines the oft-heard maxim that if PC malware isn’t a threat to Apple computers, Apple users can still be an inadvertent threat to PCs.
Predictably, many of the drives contained personal data, including CVs, tax returns, minutes of activist meetings, personal photographs, university assignments, and even source code.
None of the 50 drives was encrypted or appeared to contain any encrypted files or hidden directores. Not a single drive had a password stopping the researchers from accessing it.
“One person went to the trouble of writing his name on his key in indelible ink, which tied up nicely with the name recorded in the Document Properties metadata in his Word and Powerpoint files,” said Paul Ducklin of Sophos in a blog.
The Sophos teams recommends that users buy only USB sticks that come with encryption, and use drives on machines with decent antivirus software to avoid external drives becoming hidden spreaders of malware.
The team also warns people not to waste money on over-priced second-hand drives bought at auction but perhaps that’s missing the point. On the basis of this survey, such drives would be a bargain of personal data for a professional criminal on the hunt for personal data.