CLUSIL logo
  • About
  • Team
  • Join us

USB Project: are dropped USB keys still a threat?

CLUSIL scattered USB keys across Luxembourg to find out whether removable media is still a credible attack vector — and what it means for your risk analysis.

The "lost USB key" is one of the oldest tricks in the social-engineering playbook: leave a drive in a car park, a lobby or a meeting room, and wait for someone curious enough to plug it into a computer. Years of awareness campaigns later, is the technique still effective? To answer that with field data rather than assumptions, CLUSIL ran a controlled experiment across Luxembourg.

We disseminated a number of harmless, instrumented USB keys in public and semi-public locations throughout the territory. The keys recorded only whether they were plugged in and their content opened — no malicious payload, no personal data collected. The goal was simple: measure, in 2025 conditions, whether the human reflex to plug in an unknown device persists.

The results confirm that removable media remains a live risk that belongs in every organisation's threat model. This page gathers our findings and the surrounding press coverage so members and the wider community can use them in their own awareness work and risk assessments.

Downloads

The full material is available as PDF:

Download the PPTX   Download the press release (PDF)

In the media

The project was covered by Luxembourg press and shared on our channels:

  • CLUSIL on LinkedIn — our post about the USB Project
  • BSIDES LUX 2026 — « Spreading Malware With USB Keys: A Does It Still Work »
  • Paperjam — « La clé USB rouge, la petite faiblesse qui vous perdra »
  • L'essentiel — « Au Luxembourg, pour tester la cybersécurité, ils ont semé des clés USB »
  • Luxembourg Times — « When curiosity kills your computer: Luxembourgers still plug in mystery USBs »

© CLUSIL a.s.b.l. — Luxembourg

Questions? info@clusil.lu • Mentions légales