Why you shouldn’t insert any old USB stick in to your laptop

And so, the story begins…

*Names have been changed

One spring evening, *Peter (a Townley Group Cyber Security Specialist) arrived at a popular café chain after a long day of ethical hacking on client site. As most people do in cafes, Peter ordered a bite to eat and a coffee, with caramel syrup of course, and carried his tray over to a quiet corner so he could eat in peace!

Peter sat down and pulled out his phone and his house keys and put them on the table next to his tray. He sipped away on his coffee and it wasn’t long until he was deep in thought about all the games he was going to play when he got home – he couldn’t wait to thrash some of his work colleagues later that night!

After a short while, Peter had finished the last bite of his ciabatta and made his way over to the car park, feeling satisfied and content. He parked up at home and made it to his door step. Putting his hands in his pockets, he began to feel around for his keys, he patted himself down, but couldn’t feel them or hear a jingle. Peter frantically started turning his pockets inside out, checking his laptop bag and hunting through his car.

He could not find his keys anywhere!

 

This meant that not only was he now locked out of his flat, but he also had other things on his set of keys that would be a pain in the neck to replace – plus his favourite rubber ducky gadget. And that’s when it occurred to him – his rubber ducky! (A small device that looks exactly like a USB stick and can be configured to do some pretty dodgy things once plugged into a user’s machine.)

Peter’s rubber ducky was configured to reveal any usernames and passwords typed on a keyboard and then send them to his server (provided the rubber ducky was plugged into a USB port) – as this is what he had been doing in his ethical hacking tests earlier that day!

He realised that if a stranger were to plug this in and start typing, he would be able to see what they had typed and perhaps this could give him enough of a clue as to who this person was, and even better, perhaps it meant there was a slight possibility that he could retrieve his keys.

It was now just a waiting game…

 

To Peter’s delight, it took a matter of about 18 hours before someone plugged in the rubber ducky. Peter’s eyes lit up as he examined all the keystrokes that this mystery person had made. He saw that the stranger had logged into various online accounts, such as their work email account, Facebook and Amazon. This left Peter with a name an email address and the stranger’s place of work. (Great! But it also meant Peter had the stranger’s login and password details for various accounts, which was not so great for the stranger!)

Peter decided to email this person, and explain what had happened – he realised that it sounded a bit crazy and that the stranger was probably very confused, nevertheless, they arranged to meet so the keys could be returned to their rightful owner.

Peter also made sure to let the stranger know that they should change their password for all the accounts that they had accessed during the period of time that the rubber ducky was inserted – just for their own peace of mind!

And so, it was a happy ending after all…But it might not have been.

Moral of the story

Despite a happy ending here for Peter, the stranger was lucky that Peter is an ethical hacker and not a black hat hacker! Because if Peter were a black hat hacker, he would have been able to do a lot of damage with the details he recovered.

Peter really appreciated the fact that someone plugged his rubber ducky in, because it meant he managed to locate his keys, but at the same time, he understood that this could’ve worked out quite badly for the stranger or for anyone that had put this device into their machine! Imagine if the person that plugged this in was someone of authority that was typing lots of confidential information on their PC!

So, essentially, the moral of the story is… never put any device that is not yours or you are unfamiliar with, into your PC (regardless of whether you are trying to help or not!)

You have no idea what may be on there, or what it could potentially do!