Metasploit Update Extends Pen Testing to IoT

Rapid7 has updated its Metasploit Framework to allow for IoT hardware security testing, in a bid to improve security in the ever-expanding Internet of Things.

Security testers can now directly link hardware to the widely used framework – a vital pre-requisite for the development of safer, more secure IoT systems.

The update removes the need for security professionals to create custom tools for each product they want to test with Metasploit, making things quicker and easier all round, according to Rapid7.

“Every wave of connected devices — regardless of whether you’re talking about cars or refrigerators — blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7.

“We’re working to give security professionals the resources they need to test and ensure the safety of their products, no matter what side of the virtual divide they’re on.”

The update will allow for pen testing of IoT hardware and software, industrial control systems (ICS), and Software Defined Radio (SDR) for vulnerabilities – although the hardware bridge will be rolled out first in the connected car space.

The Metasploit open source community has thus far created 1,600 exploits and 3,300 modules, and this latest development is likely to drive that number even higher.

Cesare Garlati, chief security strategist for the non-profit prpl Foundation, welcomed the move by Rapid7, claiming it could provide a much-needed wake-up call to IoT manufacturers.

“While the Metasploit update brings with it the potential for more vulnerabilities to be discovered, I think it must be used responsibly, with ethical hackers giving vendors enough time to address problems before they are disclosed to the wide world,” he added.

“It also further confirms that security through obscurity just doesn’t work anymore. It’s time for a more proactive approach to securing embedded devices including using open source, security through separation with hardware virtualization and a root of trust established at the hardware level.”

Estimates put the number of connected devices at anywhere between 20 and 50 billion by 2020, which is forcing stakeholders to get serious about security.

The latest announcement came from DigiCert last week: Auto-Provisioning has been designed for IoT device manufacturers and owners to provision secure digital certificates at scale. 
