Is this your USB? No, but check this QR code for a free meal! Assessing awareness against dropped USBs and malicious QR codes

Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review

36 Downloads (Orbit)

Abstract

Anecdotal and preliminary work suggests that USB dropping attacks can be successful while the misuse of QR codes has been steadily making the news. In this paper, we attempt to shed light into how these two attacks are met in practice by performing a series of studies against different types of target entities: a large university, two governmental agencies, and an NGO. For this we dropped a total of 235 USB drives (that contained harmless honeytokens) and placed 110 posters (with harmless QR codes). Our results suggest that QR codes are superior (680.91% total scan rate) to USB dropping attacks, possibly due to their ability to blend more easily into the attack environment along with social engineering elements. We also notice a strong bias in the public perception with USB drives appearing more dangerous than QR codes. USB drops (8.51% total activation rate) may still work but require precise and limited placement. Lastly, we examine how the effectiveness of these attacks depends on the targeted environments.
Original languageEnglish
Title of host publicationProceedings of the 7th Workshop on Attackers and Cyber-Crime Operations (WACCO 2025) : Co-located with the 10th IEEE European Symposium on Security and Privacy (Euro S&P)
Number of pages13
PublisherIEEE
Publication statusAccepted/In press - 2025
Event7th Workshop on Attackers and Cyber-Crime Operations - Venice, Italy
Duration: 30 Jun 202530 Jun 2025

Workshop

Workshop7th Workshop on Attackers and Cyber-Crime Operations
Country/TerritoryItaly
CityVenice
Period30/06/202530/06/2025

Bibliographical note

camera ready version for the proceedings of the 7th Workshop on Attackers and Cyber-Crime Operations (WACCO 2025) at IEEE European Symposium on Security and Privacy (EuroS&P) 2025

Fingerprint

Dive into the research topics of 'Is this your USB? No, but check this QR code for a free meal! Assessing awareness against dropped USBs and malicious QR codes'. Together they form a unique fingerprint.

Cite this