Rapid7 Enables IoT Hardware Security Testing with Metasploit
With more than 20 billion
“Every wave of connected devices — regardless of whether you’re talking about cars or refrigerators — blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said
Metasploit Framework, Rapid7’s open source penetration testing software that helps verify vulnerabilities and conduct security assessments, traditionally relies on an Ethernet network to communicate. This announcement makes Metasploit the first general-purpose penetration testing tool able to go beyond traditional networking limitations by using raw wireless and direct hardware manipulation to test for vulnerabilities. Now, security teams can test IoT hardware and software, industrial control systems (ICS), and Software Defined Radio (SDR) for vulnerabilities. To test hardware with Metasploit previously, users created custom tools to interact with each one of their products, a resource-intensive process that took time away from assessing the security of products.
The initial release of the hardware bridge will focus on automotive capabilities, with extensions into other hardware verticals expected throughout the year, and joins a growing library of modules that target embedded, industrial, and hardware devices. Initial sample modules include capabilities on Controller Area Network (CAN bus), with plans for other bus systems, such as K-Line, to follow. Metasploit also currently includes a number of industrial control exploits for SCADA systems and auxiliary modules; there are modules for targeting at least eight different industrial control devices and several Denial of Service modules.
In addition to helping streamline vulnerability testing, the new capability will enable users to:
- Conduct comprehensive quality assessments of hardware, supported by Metasploit’s extensive library of exploits
- Leverage Metasploit as a learning and teaching tool for automotive and exotic hardware-based network research
- Write exploits that utilize hardware tools without having to worry about vendor specifics
- Use Metasploit to make automotive diagnostic decisions, removing the burden of low-level packet handling
Metasploit increases penetration testers’ productivity, validates vulnerabilities, and manages phishing awareness. The solution allows users to find vulnerabilities with automated penetration tests powered by the world’s largest exploit database through simulated, complex attacks. Based on those results, users are able to prioritize their biggest security risks to improve security outcomes. The Metasploit open source community, backed by hundreds of thousands of users and contributors, drives unique insights into the latest attacker methods and mindset.
To contribute to Metasploit Framework: https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit
For a free trial of Metasploit: https://rapid7.com/products/metasploit/download/
With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. Rapid7 is trusted by more than 5,800 organizations across over 110 countries, including 37% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.
Rachel E. Adam, Rapid7, Senior PR Manager, firstname.lastname@example.org, (857) 415-4443