
I don't buy the pen testing part. I might as well sell a hammer and call it a pen testing device. Funny enough they have the following on their website:

"A hammer used maliciously can permanently damage to a third party's device. The USB Killer, used maliciously, can permanently damage a third party's device."

Contrary to this device, a hammer can be used as a useful tool too.



It's designed to prove a point.

To prove that USB devices can be malicious.

It's probably most useful as an education tool, training staff not to plug random USB devices they find lying around the parking lot into their computers.


It's like hiring a gunman to start shooting up your office to train people about the dangers of social engineering, to prove that some people shouldn't be trusted.



Actively using it to harm others is different than just creating it.


Creating it and selling it is an obvious attempt to profit from the custom of those who wish to use it to actively harm others. There's literally no other reason for anybody to buy an "anonymous" one over a standard one which says what it does on the stick, and yet they're charging $5 more for the anonymous one...


It's a curiosity item. I would buy an anonymous one if they were $30 or less. It's interesting to have around, a conversation piece. The anonymous one increases the interest, because it better demonstrates the danger, the precariousness.


Bad choice as an example of social engineering, not funny, and doesn’t make sense at all.


I don't think that it was a joke or made in bad faith - rather to demonstrate the logical extreme.

Essentially that the logical extreme of dropping computer-destroying USBs to demonstrate that one shouldn't plug strange USBs in the first place is akin to destroying an office that you talked yourself into to prove that you shouldn't have been let in in the first place. Perhaps "shooting up" was a tad too far, but with charity it's a reasonable point nonetheless.


Right, it wasn't supposed to be a joke, and the intended argument was that hiring a gunman as social engineering training makes as much sense as using a computer-destroying USB stick as physical security training—so yes, it was supposed to be a bad example of social engineering.

Using a computer-destroying USB stick as an example of physical security threats misunderstands the nature and motivations of attackers. Everyone past childhood (and some in childhood, sadly) understands that there are a few people in this world whose motivation is to cause destruction and hurt simply because they find destruction and hurt enjoyable in themselves. They also understand that such people are rare, and that their threat modeling (which everyone does, even if they don't call it that) should rationally respond to such people by almost ignoring them—otherwise you find yourself not leaving your house for fear that there's a gunman on your block.

The motivations of people who want to actually get something out of you are quite different. They're not interested in destruction, because that would harm their target. They're usually interested in being undetectable. A social engineer will pretend to be locked out, ask meekly to be let in, and behave like a normal employee until they get what they need and leave normally. Defenses like "don't let people tailgate" work for those people. A gunman will just shoot you, break the door, ignore the alarm, and keep shooting until the cops kill them.

Similarly, someone who's trying to attack your business with a malicious USB drive will give you a USB drive that appears to be a normal one, that maybe pops up a terminal window very briefly and then disappears. You likely won't notice that you made a mistake, and you'll probably see an actual drive pop up on screen. Someone who's trying to attack your business will generally not give you a USB drive that destroys your computer immediately. (For most businesses, computers are not worth much compared to the secrecy of the data they contain, anyway, which is why full-disk encryption is a reasonable defense; it assumes that a computer might be lost and that this is recoverable.)

So a good security training program should say "These are ways where people might try to subtly break in to gain access that you might not have thought of before," not "Sadistic sociopaths exist, wear plate armor at all times."
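One defender-side check for the pattern described above (a "drive" that also registers a keyboard so it can type a brief command into a terminal), added here as an example that is not part of the thread: a small parser over Linux kernel log lines that flags USB devices presenting both a mass-storage interface and a HID keyboard interface. The log lines, vendor IDs and product IDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not from the thread): one composite
# device that shows up as mass storage AND a keyboard, and one plain stick.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
usb 1-1: Product: Flash Disk
usb-storage 1-1:1.0: USB Mass Storage device detected
hid-generic 0003:1111:2222.0005: input,hidraw0: USB HID v1.10 Keyboard [Flash Disk] on usb-0000:00:14.0-1/input1
usb 1-2: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 1.00
usb 1-2: Product: Plain Stick
usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# Line shapes as printed by the usb, usb-storage and hid-generic drivers.
NEW_DEV = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"^hid-generic 0003:([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\.\d+: .*Keyboard")


def find_storage_keyboard_composites(log_text):
    """Return [(port, 'vid:pid', product)] for every USB device that exposed
    both a mass-storage interface and a HID keyboard interface."""
    port_id = {}                 # port (e.g. "1-1") -> "vid:pid"
    product = {}                 # port -> product string from the usb driver
    classes = defaultdict(set)   # "vid:pid" -> {"storage", "keyboard"}
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            port_id[m[1]] = f"{m[2]}:{m[3]}".lower()
        elif m := PRODUCT.match(line):
            product[m[1]] = m[2]
        elif m := STORAGE.match(line):
            if m[1] in port_id:          # storage lines are keyed by port
                classes[port_id[m[1]]].add("storage")
        elif m := KEYBOARD.match(line):  # hid lines carry vid:pid directly
            classes[f"{m[1]}:{m[2]}".lower()].add("keyboard")
    return [(port, dev, product.get(port, "?"))
            for port, dev in port_id.items()
            if classes[dev] >= {"storage", "keyboard"}]


if __name__ == "__main__":
    for port, dev, name in find_storage_keyboard_composites(SAMPLE_LOG):
        print(f"review: port {port} device {dev} ({name}) is storage + keyboard")
```

Some legitimate hardware (keyboards with built-in card readers, for instance) is also a storage-plus-keyboard composite, so treat a hit as something to review rather than block automatically.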


Might make sense, yeah. How many computers would get blown up during such a test, and how much productivity would be lost and how much money would it cost? What is the expected cost of a major breach or malware infection? How much less likely does a breach or malware infection become as a result of leaving one of these lying around? I actually wouldn't be surprised if leaving these did come out positive, in much the same way that regular fire drills come out positive.


I would think a USB containing an infographic about the dangers of plugging in random USBs is a far more efficient education tool than one that destroys the hardware of your staff. Worse, what if they took it home and used it on a personal device?


>> training staff not to plug random USB devices...

Nothing like some high-consequences IRL training!

Perhaps curricula for the Inspector Clouseau police academy?


When you're holding a hammer, everything looks like a nail!



