What is a USB Drop Attack?

3 min readNov 13, 2020


A USB drop attack occurs when an attacker strategically places a USB device somewhere potentially containing malicious code, with an intention of someone taking it and plugging it into a computer. This type of attack employs the use of social engineering, in terms of cyber security, is using the deceptive means to manipulate individuals into divulging information or performing some action.

Depending on the type of USB drop attack, an attacker may further manipulate victims into clicking on the files loaded on to the USB device.

This type of attack has been used for years by everyone from lowly “script kiddies” all the way to nation-state hacking groups. Depending on how this attack is deployed, it can be targeted to a single individual or organization or randomly distributed. A famous example of this attack is Stuxnet worm.

It is a malicious worm designed to destroy centrifuges used in SCADA system at specific nuclear plant in Iran. This worm had several versions found, some versions exploited several zero-day vulnerabilities, including in the centrifuges program on windows machines.

Why are these Attacks effective ?

The reason this attack is effective is because it uses humans natural curiosity and desire to help others against them. An effective attacker leverages humans innate curiosity to get a victim to take the USB device.

Attackers will add enticing files or file name within the device to further play on those human traits that made them pick up the device in the first place. The machines these devices get plugged into don’t do much checking either. Once the file is clicked, its up to the machine’s firewall and installed antivirus to stop anything malicious. There are few adequate countermeasures that machines take to stop strange USB devices that get installed.

Types of USB Drop Attacks —

USB Human Interface Device (HID) Spoofing:

This type of attack is very versatile because it can be used across different operating system platforms including windows, Mac OS and Linux. This attack cannot be used with every USB device but instead requires specific micro controllers that support keyboard emulation. Micro controllers is a essentially a tiny computer on a single integrated chip. HID spoofing devices can also be made from Arduino boards that are closed to the size of a typical flash drive.

Malicious File/Code:

This type of attack uses malicious files loaded onto an everyday flash drive. Once the victim opens a file containing the malicious code, the code activates. What this malicious files can do is endless, including downloading other malicious files from internet. Files used in these attacks are usually given enticing names to get victims to click on them. The advantage of using this version of attack versus HID spoofing is code can run entirely hidden from view if executed properly.

Social Engineering Links:

This attack involves the use of malicious phishing links. An attacker places a website link on the flash drive that directs the user to a phishing site or malware. These phishing site can masquerade as other sites such as email hosting sites like Gmail, Yahoo and others to trick the users to input their credentials. This attack is dependent on internet access and requires the victims computer to be connected to the internet.

USB Kill:

This attack is the most destructive out if all USB drop attack. When plugged in the USB kill creates a power surge destroying the machine. The vast majority of devices are not protected against this type attack. USB ports in machine have two functions, the power the USB devices and communication with USB devices. They have a few different versions with adapters (Micro, USB, USB-C, Lightning) to attach to other type of devices like smartphones.

Zero Day:

This type attack takes advantage of an undiscovered vulnerability in the machine’s software. It almost references the Stuxnet attack. Many cyber security experts will also call this a Zero Day Driver attack. This is because when machines have external devices connected the driver software is installed and there exists the possibility of having malicious code attached to that driver software.




Cybersecurity Comprehensive Coverage