Suppose someone wants me to copy some files to their USB stick. I'm running fully-patched Windows 7 x64 with AutoRun disabled (via Group Policy). I insert the USB drive, open it in Windows Explorer and copy some files to it. I do not run or view any of the existing files. What bad things could happen if I do this?

What about if I do this in Linux (say, Ubuntu)?

Please note that I'm looking for details of specific risks (if any), not "it would be safer if you don't do this".

    Looking at a directory listing is unlikely to be a risk. Opening a malicious PDF in an old unpatched version of Adobe reader could be a big risk. In some cases even an image preview or a file icon could contain an exploit.
    – david25272
    Commented Jan 31, 2014 at 3:58
    @david25272, even looking at a directory listing could be a risk.
    – tangrs
    Commented Jan 31, 2014 at 5:28
    It's a little bit like getting into an elevator with a stranger, most of the time you're fine, but if the stranger is aka Hannibal Lecter...
    – PatrickT
    Commented Jan 31, 2014 at 6:35
    You could break your uranium centrifuge en.wikipedia.org/wiki/Stuxnet
    – RyanS
    Commented Jan 31, 2014 at 16:16
    @tangrs, that's a great example of the sort of thing I was looking for. Why not post it as an answer?
    – EM0
    Commented Feb 1, 2014 at 14:33

Less impressively, your GUI file browser will typically explore files to create thumbnails. Any pdf-based, ttf-based, (insert turing-capable file type here)-based exploit that works on your system could potentially be launched passively by dropping the file and waiting for it to be scanned by the thumbnail renderer. Most the exploits I know about that are for Windows, though, but do not underestimate the updates for libjpeg.

    That is a possibility, so +1. Does Windows Explorer (or Nautilus) do this even if you never view thumbnails?
    – EM0
    Commented Jan 31, 2014 at 21:53
    @EM Could happen - recent versions of explorer might, for example, construct thumbnails in sub-folders for pretty folder icons at the root, even if those subfolders are set never to show thumbnails.
    – Tynam
    Commented Feb 1, 2014 at 0:03
  • Or maybe not try to display thumbnails, but rather some sort of metadata Commented Feb 3, 2014 at 20:08
    This is not specific to a USB mounted filesystem. If a file browser has a vulnerability it could be triggered by files downloaded to your computer through other means too, such as email attachments or downloads through browser.
    – HRJ
    Commented Mar 2, 2014 at 14:28

The worst that can happen is limited only by your attacker's imagination. If you're going to be paranoid, physically connecting pretty much any device to your system means it can be compromised. Doubly so if that device looks like a simple USB stick.

What if it's this? enter image description here

Pictured above is the infamous USB rubber ducky, a little device that looks like a normal pen drive but can deliver arbitrary keystrokes to your computer. Basically, it can do as it pleases because it registers itself as a keyboard and then enters whatever sequence of keys it wants. With that kind of access, it can do all sorts of nasty things (and that's just the first hit I found on Google). The thing is scriptable so the sky's the limit.

    Nice one, +1! In the scenario I had in mind the USB stick is known to be an actual storage device and I trust the person who gives it to me to not maliciously infect my computer. (I'm mostly concerned they may be the victim of a virus themselves.) But this is an interesting attack I hadn't considered. I suppose with a keyboard emulator like this I'd probably notice something weird going on, but there might be stealthier ways...
    – EM0
    Commented Jan 30, 2014 at 20:42
    I approve of this answer. Makes the OP think :)
    – steve
    Commented Jan 30, 2014 at 20:49
    +1 "The worst that can happen is limited only by your attacker's imagination."
    – Newb
    Commented Jan 31, 2014 at 0:39
    Hak5 - looks legit!
    – david25272
    Commented Jan 31, 2014 at 4:00
    Apparently the USB connection protocol is quite similar to the older PS/2 port protocol, which is why USB is commonly used for Mice and Keyboards. (I could be wrong of course - I'm digging this up from my own memory, which features mostly lossy compression)
    – Pharap
    Commented Feb 1, 2014 at 13:14

Another danger is that Linux will try to mount anything (joke suppressed here).

Some of the file system drivers are not bug free. Which means that a hacker could potentially find a bug in, say, squashfs, minix, befs, cramfs or udf. Then that hacker could create a file system that exploits that bug to take over a Linux kernel and put that on a USB drive.

This could theoretically happen to Windows as well. A bug in the FAT or NTFS or CDFS or UDF driver could open up Windows to a takeover.

    There is a whole level further down. Not only do file-systems have bugs, but the whole USB stack has bugs, and lots of that runs in the kernel.
    – Fake Name
    Commented Jan 31, 2014 at 6:09
  • 4
    And even your USB controller's firmware may have weaknesses that may be exploited. There's been an exploit of crashing into Windows with a USB stick merely at device enumeration level.
    – sylvainulg
    Commented Jan 31, 2014 at 15:57
    As for "linux trying to mount anything", this is not the system's default behaviour, but is linked to your file explorer proactively trying to mount. I'm sure spelunking manpages could unveil how to de-activate this and return to "mount only on demand".
    – sylvainulg
    Commented Jan 31, 2014 at 15:59
    Both Linux and Windows try to mount everything. The only difference is that Linux might actually succeed. This is not a weakness of the system but a strength.
    – terdon
    Commented Feb 2, 2014 at 15:25
    Windows actually can be crashed just by inserting a badly formatted drive. I did it a couple of times (and that made me really angry) Commented Oct 18, 2015 at 12:32

There are several security packages that allow me to set up an autorun script for either Linux OR Windows, automatically executing my malware as soon as you plug it in. It is best not to plug in devices that you do not trust!

Bear in mind, I can attach malicious software to pretty much any sort of executable that I want, and for pretty much any OS. With autorun disabled you SHOULD be safe, but AGAIN, I don't trust devices that I am even the slightest bit skeptical about.

For an example of what can do this, check out The Social-Engineer Toolkit (SET).

The ONLY way to truly be safe is to boot up a live Linux distribution, with your hard drive unplugged.. And mount the USB drive and take a look. Other than that, you're rolling the dice.

As suggested below, it is a must that you disable networking. It doesn't help if your hard drive is safe and your whole network gets compromised. :)

    Even if AutoRun is disable there are still exploits that exist that take advantage of certain truths. Of course there are better ways to infect a Windows machine. Its best to scan unknown flash drives on hardware dedecated to that task, which is wiped daily, and restored to a known configuration if rebooted.
    – Ramhound
    Commented Jan 30, 2014 at 18:59
  • 2
    For your final suggestion, you may want to include disconnecting the network too, if the Live CD instance does get infected it could go infect other machines on the network for a more persistent foothold. Commented Jan 30, 2014 at 19:15
  • 6
    Ramhound, I'd like to see examples of the exploits you mentioned (presumably patched by now!) Could you post some as an answer?
    – EM0
    Commented Jan 30, 2014 at 20:46
  • 5
    @EM, there was a zero-day exploit a while ago that took advantage of a vulnerability in how the icon was displayed in a shortcut file (.lnk file). Just opening the folder containing the shortcut file is enough to trigger the exploit code. A hacker could have easily put such a file on the root of the USB drive so when you open it, the exploit code would run.
    – tangrs
    Commented Jan 31, 2014 at 5:25
  • 4
    > The ONLY way to truly be safe is to boot up a live Linux distribution, with your hard drive unplugged… — nope, a rogue software can also infect firmware. They are very poorly protected nowadays. Commented Oct 18, 2015 at 12:34

The USB stick may actually be a highly charged capacitor... I am not sure if modern motherboards have any protection from such surprises, but I wouldn't check it on my laptop. (it could burn all devices, theoretically)


see this answer: https://security.stackexchange.com/a/102915/28765

and video from it: YouTube: USB Killer v2.0 testing.


Some malware/virus get activated when we open a folder. The hacker may use the feature of Windows (or Linux with Wine) which start to make an icon/thumbnail of some files (for example .exe, .msi, or .pif files, or even folders with a malware icon) on opening a folder. The hacker finds a bug in programs (like the program that create a thumbnail) to make it possible for the malware to get in action.

Some faulty devices may kill your hardware, especially the motherboard, and most times silently, so you may not aware of it.


Apparently a simple USB device can even fry the entire motherboard:

A Russian security researcher known as "Dark Purple" has created a USB stick that contains an unusual payload.

It doesn't install malware or exploit a zero-day vulnerability. Instead, the customised USB stick sends 220 Volts (technically minus 220 Volts) through the signal lines of the USB interface, frying the hardware.



The worst thing which could happen is the infamous BadBios infection. This supposedly infects your USB Host controller by pluging it into your computer regardless of your OS. There are a limited range of manufacturers of USB chips, and so exploiting all of them isn't too far fetched.

Of course not everyone believes BadBios is real, but it is the worst thing which could happen to your computer by plugging in a USB drive.


This is pretty much how the entire US Department of Defense's classified network was compromised. A USB stick was left on the ground in a car park outside a DOD site. Some genius picked it up took it inside and plugged it in, modern day espionage is so boring. I mean a USB stick in a carpark, bring back 007!


