Darpa Funds Hack Machine You’d Never Notice (wired.com)
55 points by alister on July 22, 2012 | 8 comments



I suppose it's a neat concept, though I still don't get why you'd use this over another means if you already have building physical access.

Assuming you're pentesting, either you're trying to get someone to willingly plug it in (to ethernet and all power stuff too?), have physical access yourself (in which case why not use something cheaper), or are already allowed in (why add another device?)


One example I can see is something like testing branches of a financial institution. Send out 100 of these things to branches all over the country and just have the manager plug them in. You don't even have to tell them what it is.

It's much easier and more cost-effective than to roll a truck, and when you're finished you can mail them to another branch. Or just leave them in place for future spot checks.


Article says it's wifi and bluetooth. It probably just needs to sit under a desk with nothing plugged in, like so many power strips are doing right now.


Anyone else think that device is a disaster waiting to happen? The example shows sending a "whoami" command to the device via SMS, and then the device responds "root" via SMS. Uh, what's to keep someone else from hijacking it via SMS for their own purposes? A "bad guy" would have to figure out that there's one on the network, but it would still concern me to have a remote-controlled device on the network that's open to arbitrary SMS-sent commands.


"If you saw this bad boy under your desk, would you say anything?"

Well, at this point, wouldn't anyone who has read this article be suspicious of a power strip under their desk that wasn't there yesterday and maybe even had nothing plugged into it?


Why would you trust hardware you are not really sure you control (do you know all the backdoors and bugs in that thing?) and knowingly give it access to your networks? It's already a hacking power tool, it only needs the hacker.


For the same reason you would trust a security consultant to attempt to penetrate your network's defenses and find deficiencies. Any of your employees could bring in a similar device; what are you going to do about it?

With a real one in place, you can come up with a strategy. Maybe your IT team comes up with regular sweeps for cell signals, then the security consultant decides that the cell signal is only active during short periods of time in the day. Perhaps you secure your power sockets, and then the consultant uses the fact that your janitor needs a plug to vacuum and doesn't find a power strip suspicious.


So, Darpa is providing remotely accessible hacking devices to companies as test equipment and encouraging them to install them in sensitive locations of their buildings. Is this some advanced form of comedy security trolling on the part of Darpa? Like an "If you install this, then you have failed the test already" kind of thing.



