Abstract
Anecdotal and preliminary work suggests that USB dropping attacks can be successful while the misuse of QR codes has been steadily making the news. In this paper, we attempt to shed light into how these two attacks are met in practice by performing a series of studies against different types of target entities: a large university, two governmental agencies, and an NGO. For this we dropped a total of 235 USB drives (that contained harmless honeytokens) and placed 110 posters (with harmless QR codes). Our results suggest that QR codes are superior (680.91% total scan rate) to USB dropping attacks, possibly due to their ability to blend more easily into the attack environment along with social engineering elements. We also notice a strong bias in the public perception with USB drives appearing more dangerous than QR codes. USB drops (8.51% total activation rate) may still work but require precise and limited placement. Lastly, we examine how the effectiveness of these attacks depends on the targeted environments.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 7th Workshop on Attackers and Cyber-Crime Operations (WACCO 2025) : Co-located with the 10th IEEE European Symposium on Security and Privacy (Euro S&P) |
| Number of pages | 13 |
| Publisher | IEEE |
| Publication status | Accepted/In press - 2025 |
| Event | 7th Workshop on Attackers and Cyber-Crime Operations - Venice, Italy Duration: 30 Jun 2025 → 30 Jun 2025 |
Workshop
| Workshop | 7th Workshop on Attackers and Cyber-Crime Operations |
|---|---|
| Country/Territory | Italy |
| City | Venice |
| Period | 30/06/2025 → 30/06/2025 |