Should pen testing devices be regulated?

Hacking and cyber attacks have been on IT professionals' radars for a long time. At Equal Experts we work hard to build cybersecurity into our data products holistically, so heading off would-be attackers is part of our day job. However, a recent spate of incidents involving a tiny USB pen-testing device has highlighted just how easy it is for almost anyone with physical access to cause chaos on almost any device with a USB port, often without being detected until the damage is done.

First, I should clarify what a pen-testing device is. Penetration testing is an important step in application development: an authorised tester simulates the attacks a real adversary would attempt, in order to identify security gaps that could leave you at risk from hackers before the product goes to market. Pen-testing devices are the hardware tools cybersecurity experts use to run those simulated attacks legitimately, so that the gaps they uncover can be fixed. One caveat worth stating: a USB device whose only effect is to physically destroy the hardware it is plugged into is testing surge tolerance rather than software security; it reveals no vulnerability that a patch could close, even when it is marketed as a pen-testing tool.

The problem is, these devices can be used to destroy pretty much any computer, from laptops and mobile phones to complex hardware. The potential damage ranges from annoying (as in one reported case of a victim whose phone use was interrupted) to catastrophic for UK businesses and public services. Take the student who used a legitimate testing device to destroy 66 pieces of hardware, resulting in more than $58,000 of damage at his college. Or USBKill, which claims to be the ultimate pentesting device, with "unstoppable attack modes" that can permanently disable almost anything; the makers even publish a video showing how to disable laptops, smart TVs and peripherals.

Pen-testing devices are easy to use, and anyone can buy them online.

Think about that for a minute. A small USB device with the potential to fry any computer it is plugged into, or, in other forms, to gain access to people's personal information. Suddenly, James Bond behaviour feels accessible to all of us! As with knives, cigarettes, alcohol and passports, I wonder whether there ought to be rules about who can have one.

Experienced engineers (especially those who grew up in organisations like ours, where trust is implicit) will argue that restrictions get in the way of agile processes, and I agree. Mark Zuckerberg's famous motto "Move fast and break things" is a rule that generally serves us well in software development. But where there's a risk that the tool which protects us might be misused to cause damage, isn't it worth tolerating a framework of regulations to mitigate this?

Operating within a framework is nothing new to most organisations, no matter how much inherent trust there is in the business. Some clients have highly regulated environments that require checks and agreements to be in place before individual engineers can make decisions. Our work with HMRC and His Majesty's Passport Office is a clear example. Sensitive data needs handling sensitively, and agreements have to be in place to ensure security is a priority. We know how to do this.

Now, I'm not for a minute suggesting that pen-testing devices should be banned. Like a knife, they have valid, ethical uses and are invaluable tools in the right circumstances; you wouldn't slice steak with a spoon. Equally, firearms are acceptable for sports like clay pigeon shooting, but regulations are in place to ensure their safe use. It's the same with pen-testing devices: you wouldn't release a data product to market without testing its security, and the easier that testing is, the better.

But the sale of knives is regulated: we check who we're selling them to, and some people aren't allowed to have them at all. Given the potential for criminal damage via these simple USB devices, don't you think similar rules should apply?