Back in July 2017, Bitdefender researcher Marius Tivadar discovered an exploit in Windows operating systems that allows anyone with physical access to a computer to invoke a BSOD by simply inserting a USB thumb drive loaded with a bit of software. He reported the issue to Microsoft, but at the time they brushed him off. Now, he's stepping out with details and a demonstration to raise awareness of this vulnerability. What makes this exploit so intriguing is that Tivadar's proof-of-concept showed that he could force a BSOD even if the Windows machine was locked. Tivadar writes, "One can generate [a BSOD] using a handcrafted NTFS image. This Denial of Service type of attack can be driven from user mode, limited user account or Administrator."
He was able to verify his findings on Windows 7 Enterprise, Windows 10 Pro and Windows 10 Enterprise. The attack is possible because Auto-Play is enabled by default, so the operating system automatically accesses the USB thumb drive and executes the code found on the NTFS image. However, even disabling Auto-Play won't completely save you from a BSOD, according to Tivadar.
Any program that attempts to access the USB thumb drive (for example, an automatic system scan by Windows Defender) would trigger a BSOD. This could be a particularly nasty way of messing with a friend or coworker by plugging a USB thumb drive into the back of their desktop without them knowing. Or imagine a scenario where you're engaged in a high-profile gaming tournament and someone decides to "take you out" with a BSOD. As you might imagine, other, more nefarious attacks could be carried out through this method as well. Scenarios where people lose valuable work are obvious. However, if this vulnerability finds its way to server-level operating systems (which has not been proven yet), an entire infrastructure could theoretically be brought down.