USB Keys Lost On Trains Are A Major Source Of Malware

Losing a USB key on a train is all too easy, and a risky prospect if you keep important data on it. But if you find one, think twice before using it: one recent study suggests that it's extremely likely to contain malicious software.

Security software company Sophos purchased 50 USB keys at the 2011 auction of lost property by RailCorp in NSW. Of those, not one had any form of encryption, so the data on it was up for grabs. Perhaps more disturbingly, two-thirds of the USB sticks also contained some form of malware, so they represented a risk to anyone using them, even if the personal data on them wasn't stolen.

The lesson? Keep your USB keys close, minimise the amount of personal data you store on them, and use encryption if you do need to shift sensitive information. And if you do receive a USB key from any source, run it through your security software to eliminate any nasties.


    I remember the US(?) doing this in Iran(?). They'd leave USB sticks in a car park of a potential target, on which they had placed a virus/trojan, and unknowing staff were picking them up and infecting their computers.

    So here's a question I pose to more tech-savy readers.
    If you have auto-run disabled and plug an infected USB into your computer, have you already infected your system?

      Nope. Most of the viruses need to be run, and they do it by misleading you (e.g. having a program called "Open Folder to View Files" on it or changing your folders to shortcuts that point to the virus so it mostly looks like your folders, but they're actually viruses with enticing pictures like Spiderman or a woman in a bikini) so if you're extra careful, you should be alright. Just to be extra safe I'd boot into a Linux boot disk and check it.

    Why do I get the feeling that most of the people who lost their USB sticks weren't really that in to computers or their work and as a result had viruses on their USB stick?

    No concrete proof, just speculation and stereotyping, but that's how I feel :B

    Another problem I see here is why are they auctioning what could potentially be someone's private data. If it were sets of house and car keys I'm sure they wouldn't be auctioning them off so why USB sticks?

      agree - that kind of lost and found should be destroyed if not claimed. Yes it's a risk, and it's great that people are aware of it, but considering the purpose of the purchase was to read /study the data on the drives it has serious privacy implications. Though there was no mention of data stored on lost smart phones? What about their contents personal pictures/messages/emails/

    "USB Keys Lost On Trains Are A Major Source Of Malware"? Really?

    Only if you only use "people who randomly use found USB keys without checking the contents" as your sample-size.

    Your writer needs to be less dramatic in the headlines.

      It's a simple warning and simply good advice.
      Just in case you do end up being in the "sample-size"

      My boss found a USB key in his hotel in China and the silly duffer promptly inserted it in his computer.
      I found no obvious malware on his system but I re-imaged it just in case.

        Management and IT; entertainment for years to come.

    The WA government did an interesting security audit on the topic earlier this year, which you can read at

    Essentially, they found that most people who find a thumbdrive will immediately plug it in and run any software on it, either at work or at home.

    People are inquisitive. Any organisation with a thorough IT security policy will have planned for this exact scenario.

Join the discussion!

Trending Stories Right Now