USB dead drop
A USB dead drop is a USB mass storage device installed in a public space. For example, a USB flash drive might be mounted in an outdoor brick wall and fixed in place with fast concrete. Members of the public are implicitly invited to find files, or leave files, on a dead drop by directly plugging their laptop into the wall-mounted USB stick in order to transfer data. (It is also possible to use smartphones and tablets for this purpose, by utilizing a USB on-the-go cable.) The dead drops can therefore be regarded as an anonymous, offline, peer-to-peer file sharing network. However, in practice USB dead drops are often used for social or artistic reasons, rather than for practical ones.
Background and history
The Dead Drops project was conceived by Berlin-based conceptual artist Aram Bartholl, a member of New York's F.A.T. Lab art and technology collective. The first USB dead drop network of five devices was started by Bartholl in October 2010 in Brooklyn, New York City. The name comes from the dead drop method of espionage communication. An unrelated system called "deadSwap," in which participants use an SMS gateway to coordinate passing USB memory sticks on to one another, was begun in Germany in 2009.
Each dead drop is typically installed without any data on the drive, except two files: deaddrops-manifesto.txt, and a readme.txt file explaining the project. Although typically found in urban areas embedded in concrete or brick since 2010, installation of USB dead drop into trees and other types of bodies in natural settings has also been mentioned since at least 2013. Wireless dead drops such as the 2011 PirateBox, where the user connects to a Wi-Fi hotspot with local storage rather than physically connects to a USB device, have also been created.
Comparison to other types of data transfer
Some of the advantages of utilizing USB dead drops are practical in nature: they permit P2P file sharing without needing any internet or cellular connection, sharing files with another person secretly/anonymously, and they record no IP address or similar personally identifying information. Other benefits are more social or artistic in nature: USB dead drops are an opportunity to practice "datalove" and can be seen as a way to promote off-grid data networks. The motive to utilize USB dead drops has been compared to what drives people involved in geocaching, which has been around for much longer and is somewhat similar in that often a set of GPS coordinates is used to locate a particular USB dead drop, in particular that USB dead drops give the user "the thrill of discovery" both in seeking out the location of the dead drop, and then also in addition when examining the data it contains.
Potential drawbacks to users
Dead drops are USB-based devices, which must be connected to an upstream computer system (laptop or smartphone or similar). The act of making such a connection, to a device which is not necessarily trusted, inherently poses certain threats:
- Malware: anyone can intentionally or unintentionally store malware on it that can infect an attached computer with malware such as a trojan horse, keylogger or proprietary firmware. This risk can be mitigated by using antivirus software, or by using a throwaway device for the act of data-transfer.
- Booby trap: a fake dead drop or USB Killer might be rigged up to electrically damage any equipment connected to it, and/or constitute a health and safety hazard for potential users. This risk can be mitigated by using a USB galvanic isolation adapter, which allows data exchange while physically decoupling the two circuits. Wifi-based dead drops do not suffer from this threat.
- Mugging: because a USB dead drop is normally in a public or quasi-public location, it is possible for the location itself to be watched, and users of the dead drop attacked when they attempt to use the system. (Compare with the risk of being mugged at night near an ATM outside a bank which is higher than the risk of being mugged during the day at the teller window inside the bank. Thieves target ATM users because they know most people are withdrawing money, which can then be stolen; thieves can also target USB dead drops, because they know that using one requires a laptop or similar consumer electronics device.)
Drawbacks to the system infrastructure
Publicly and privately available USB dead drops give anyone (with physical access) the ability to save and transfer data anonymously and free of charge. These features are advantages over the internet and the cellular network, which are at best quasi-anonymous and low-cost (there is always some fee associated although in certain scenarios such as government-subsidized or employer-subsidized or public-library-subsidized network access the end user may experience no direct costs). However, offline networks are vulnerable to various types of threats and disadvantages, relative to online ones:
- One device at a time: Users cannot plug in to a USB dead drop if someone else is already plugged in
- Removal of stored data: anyone with physical access can erase all of the data held within the USB dead drop (via file deletion or disk formatting), or make it unusable by encrypting the data or the whole drive and hiding the key (see also the related topic of ransomware).
- Removal of the entire device: thieves can steal the USB drive itself.
- Disclosure: anyone can disclose the location of a (formerly) private dead drop, by shadowing people that use it, and publishing coordinates in a public fashion. This impacts the anonymous nature of USB dead drops, since known drops can be filmed or otherwise observed.
- Vandalism of the dead drop by physical destruction: anyone with physical access can destroy the dead drop by using for instance pliers or a hammer, by high voltage from a static field, with high temperature from a blowtorch, or other methods of physical force. It is possible to make the USB key more difficult to vandalize or to extract, by sealing it in a hole deeper than the length of the USB key (at least 2 cm more), but this requires legitimate users to connect with a USB extender cable. For clarity, sometimes the installation of the dead-drop can itself be vandalism of the building; when a building owner destroys a dead drop placed without permission, they are not vandalizing the dead drop, but removing a device placed without their leave. Even when a device is placed legally, the device itself is vulnerable to third-party vandalism.
- Exposure to the elements: dead drops tend to be exposed to rain and snow, which will presumably reduce their service lifetime.
- Demolition or damage during maintenance: certain dead drop locations are limited to the lifespan of public structures. When a dead drop is embedded in a brick wall, the drop can be destroyed when the wall is destroyed. When a drop is embedded in a concrete sidewalk, the drop can be destroyed by sidewalk-related construction and maintenance. Sometimes dead drops are damaged when walls are repainted.
As of 2013, there were more than one thousand known USB dead drops (plus six known wifi-based dead drops). Countries which have large numbers of USB dead drops include the United States and several in Europe. As of 2016, it was estimated that the overall dead drop infrastructure contained more than ten terabytes of storage capacity, with the majority still in the United States and Europe, but also with significant numbers of devices reportedly installed in the Asia/Pacific region, South America, and Africa.
- "How to make your own". Deaddrops.com. 2013-06-10. Retrieved 2013-06-25.
- Hern, Alex (8 March 2015). "Dead Drops: what to do if you see a USB stick sticking out of a wall". The Guardian. Retrieved 9 March 2015.
- "Create a USB Dead Drop in Nature - All".
- "PirateBox". Archived from the original on 2012-11-28. Alt URL
- "WIDROP". Archived from the original on 2011-05-14.
- "Wireless drop".