Does Dropping USB Drives in Parking Lots and Other Places Really Work?

Explore the effectiveness and implications of the infamous "USB drop" hacking technique in this Black Hat conference talk. Delve into a rigorous study conducted at the University of Illinois Urbana-Champaign campus, where nearly 300 USB drives were strategically dropped to measure user interaction. Discover shocking results, with 98% of drives picked up and 48% of users not only plugging them in but also accessing files. Gain insights into factors influencing drive retrieval, user motivations, and the psychology behind this social engineering tactic. Learn about various USB-based attack methods, including Human Interface Device (HID) exploits, and explore their pros and cons. Understand the ethical considerations and approval process for conducting such research. Examine the study's framework, mindset, and methodology, including labeling strategies and drop locations. Analyze the speed of drive access, key appearance impact, and most effective drop sites. Witness demonstrations of dropping keys and Metasploit payloads. Dive into the technical challenges of crafting payloads, USB fingerprinting, and creating custom USB devices. Explore defensive strategies against these attacks and consider the broader implications for physical and cybersecurity.

Introduction
Eddie Burstein
Mr Abou
The Question
Types of Attacks
Social Engineering Attack
HID
Pros and Cons
How Effective
Getting Approval
The Framework
The Mindset
The Label
Parking Lot
Inside Building
Parking Lot Drop
What Happened
Did It Work
Study Results
Speed of Opening
Key Appearance
Drop Location
Why People Open The Keys
The Most Open Keys
Dropping Keys
Dropping Keys Demo
Metasploit Demo
Human Interface Devices
Challenges
How do you craft the payload
Gotchas
Code
USB Fingerprinting
River Shell
Notes
Macro
Windows
GitHub
Soldering
Silicone Key
Casting
Excess resin
First attempt
Lubricant
Results
Cost
Lazy approach
How to defend
Do you want one
Advanced HID keys
Outro