Why Removable Media Still Works for Attackers: The Human Factor
- Işınsu Unaran
- Sep 2
In an industry shaped by zero-day exploits, AI-driven malware, and supply chain compromises, it’s easy to overlook a threat vector that’s as old as personal computing itself: the USB drive.
Removable media should be a solved problem. For over two decades, cybersecurity teams have warned users against plugging in unverified USB devices. And yet, removable media remains one of the most consistently successful methods of intrusion, especially in air-gapped or operational technology (OT) environments.
So why does it still work? The answer has less to do with technical vulnerabilities and more to do with human behavior.
Unverified Trust
One of the core assumptions that makes USB-based attacks effective is trust in physical familiarity. A USB stick doesn’t feel like a threat. It feels like a tool, something you’re supposed to use. If it’s handed to you by a colleague, sent by a vendor, or labeled with the name of a required update, your brain processes it as helpful, not hostile. This is exactly what attackers count on.
In a 2016 social engineering experiment conducted by researchers from the University of Illinois Urbana-Champaign, in collaboration with Google and the University of Michigan, 48% of the found USB drives were picked up and plugged in by users. When labeled with cues like “résumé” or “confidential,” engagement rates increased significantly; some categories reached a plug-in rate of up to 68%. The study demonstrated that even with basic security awareness, curiosity and trust often override caution when people encounter physical media in familiar environments.
The problem isn’t just that USBs are easy to carry and hard to trace. It’s that people don’t see them as dangerous, especially in environments where file-sharing via USB is a normal and expected practice.

Convenience Over Caution
Another reason USBs remain so effective is that they’re easy to use. In many OT networks, factories, utilities, and critical infrastructure, there’s no viable alternative to using removable media for tasks like:
- Transferring logs
- Installing firmware
- Applying patches or diagnostic tools
- Running updates on disconnected equipment
In environments where uptime is prioritized over process, convenience can override caution. This leads to workflows that skip security checks, not because people don’t care, but because they’re under pressure to complete tasks quickly.
The Vendor Blind Spot
Then there’s the third, often-overlooked issue: overreliance on vendor-supplied tools. Many OT teams are trained to trust the vendor above all else. If a USB drive is provided directly by a third-party maintenance provider or equipment manufacturer, it's usually treated as inherently safe. In some cases, this is necessary because the vendor tool only runs from that medium or includes embedded licenses, keys, or activation logic.
But this blind trust can backfire. In 2025, malware was discovered within the driver installer of a popular consumer UV printer, which was downloaded directly from the manufacturer’s website. The infection wasn’t on the USB stick. It was in the software that technicians would later copy to a USB drive and then plug into machines for installation. In that case, the USB wasn’t even the origin of the attack; it was just the bridge into the protected network.
The Fallout of a Simple Plug-In
When USB-based malware enters an operational environment, the consequences go far beyond infection.
- Process interruptions
- Device lockdowns
- Cross-contamination across zones
- Data exfiltration into unsecured paths
- Regulatory failures from traceability gaps
All of these can lead to operational downtime, compliance penalties, and long-term reputational damage. And it only takes one person, or one USB port, to make it possible.
Reducing Reliance on Human Judgment
At DataFlowX, we believe cybersecurity should never depend solely on user discretion. The solution isn’t endless awareness campaigns or more warning labels. It’s removing the choice altogether.
DataStationX is designed to eliminate human trust from the equation. It acts as a secure media transfer station, enforcing file inspection, access controls, and sanitization policies before files ever touch your internal network. It scans USB devices using multiple malware engines, validates content integrity, and applies threat intelligence to flag suspicious behaviors. Users can’t bypass it. USBs can’t shortcut it. And most importantly, security teams don’t have to rely on the hope that someone does the right thing under pressure.
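To make "enforcing control where the file enters" concrete, here is an added example (not DataStationX code or anything supplied by the vendor): a gate that releases a file from removable media only if it is listed in an approved manifest with a matching SHA-256 and is not a blocked file type. The manifest layout, function names, blocklist and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative policy (assumption, not exhaustive): names/extensions never released.
BLOCKED_NAMES = {"autorun.inf"}
BLOCKED_SUFFIXES = {".lnk", ".scr", ".bat", ".ps1", ".vbs"}

def sha256_file(path: Path) -> str:
    """Hash in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Return {relative_path: [reasons]}; an empty list means the file may be released."""
    verdicts = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.name.lower() in BLOCKED_NAMES or path.suffix.lower() in BLOCKED_SUFFIXES:
            reasons.append("blocked file type")
        expected = manifest.get(rel)
        if expected is None:
            reasons.append("not in approved manifest")   # default deny
        elif sha256_file(path) != expected.lower():
            reasons.append("hash mismatch")
        verdicts[rel] = reasons
    return verdicts

def demo() -> dict[str, list[str]]:
    # Constructed sample media: approved firmware, a modified tool, a stray autorun file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fw").mkdir()
        (root / "fw" / "plc_update.bin").write_bytes(b"firmware v2")
        (root / "diag_tool.exe").write_bytes(b"tampered build")
        (root / "autorun.inf").write_text("[autorun]\n")
        manifest = {
            "fw/plc_update.bin": hashlib.sha256(b"firmware v2").hexdigest(),
            "diag_tool.exe": hashlib.sha256(b"original build").hexdigest(),
        }
        return inspect_media(root, manifest)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "RELEASE" if not reasons else "QUARANTINE: " + "; ".join(reasons))
```

A matching hash only shows that a file is the one that was approved. As the printer-driver case above shows, an approved source can itself ship malware, so content scanning is still needed alongside this check.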

Behavioral Risk Requires Architectural Controls
The USB attack vector isn’t going away. In fact, as other entry points become more hardened, attackers will increasingly exploit physical interfaces and human decisions. That means relying on endpoint security alone is no longer viable.
To protect critical systems, especially in OT and air-gapped networks, we need solutions designed with behavioral security in mind: solutions that assume users are moving quickly, trusting what they see, and doing what has worked in the past.
Contact us to set up a system that can eliminate risks by enforcing control where the file enters, not where the damage is done.