The Internet of Things is pervasive, rapidly growing, and largely insecure. Researchers have discovered security flaws in products ranging from baby alarms and dolls, to motor vehicles and medical equipment — and the likelihood is that there are many more simply not yet discovered.
Metasploit has now released a new hardware bridge extension to help researchers and pentesters — and IoT user organizations — discover security flaws in IoT radio communications. While many of the known flaws are found in consumer devices, IoT devices are increasingly making their way into and onto business premises; and it is very difficult for security teams to control them.
“Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas,” writes Craig Smith, Transportation Research Lead at Rapid7, in a blog announcement today. These same devices can often contain flaws that can be used by attackers, but are unknown to the user.
With Metasploit’s new RFTransceiver radio frequency testing extension, companies will be able to better understand their true security posture. They will, suggests Smith, “be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.”
In October 2016, Rapid7 reported a vulnerability in a medical insulin pump. The pump was remotely controlled, but communication was sent between the controller and the device in cleartext rather than encrypted. This could allow a hacker to spoof the controller and trigger unauthorized insulin injections. The problem for security teams is that there is no easy way to know what communication happens between a device and its control server.
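The pump finding above comes down to an unauthenticated command channel: if frames travel in cleartext with nothing binding them to the real controller, the device cannot distinguish its controller from any other transmitter. As an added illustration, not code from Rapid7 or from any product, here is a toy controller/device pair in Python: the cleartext frame any sender can produce, beside a version where the device accepts only frames carrying a valid keyed MAC and a fresh counter. The pre-shared key, command codes and frame layout are all assumptions.

```python
import hmac
import hashlib
import struct

# Constructed example: a 16-byte pre-shared key assumed to be provisioned
# into both controller and device at pairing time (hypothetical value).
PSK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Hypothetical command codes; not taken from any real device protocol.
CMD_STATUS = 0x01
CMD_SET_RATE = 0x02

BODY_FMT = ">IBH"           # 32-bit counter, 8-bit command, 16-bit argument
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16                # truncated HMAC-SHA256 tag


def encode_plain(cmd: int, arg: int) -> bytes:
    """Cleartext frame as the article describes: nothing ties it to the
    legitimate controller, so the device accepts whatever parses."""
    return struct.pack(">BH", cmd, arg)


def decode_plain(frame: bytes) -> tuple:
    return struct.unpack(">BH", frame)


class Controller:
    """Hardened controller: every frame carries a monotonically increasing
    counter and a MAC over counter+command+argument under the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, cmd: int, arg: int) -> bytes:
        self.counter += 1
        body = struct.pack(BODY_FMT, self.counter, cmd, arg)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Device:
    """Hardened device: rejects frames with a bad MAC (forged, tampered or
    sent by a party without the key) and frames whose counter is not
    strictly newer than the last accepted one (replays)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # authenticity check failed
        counter, cmd, arg = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return False                      # replay of an old frame
        self.last_counter = counter
        self.accepted.append((cmd, arg))
        return True


def demo() -> dict:
    """Run the scenarios side by side and return which frames got through."""
    ctrl = Controller(PSK)
    dev = Device(PSK)
    results = {}

    frame = ctrl.build(CMD_SET_RATE, 120)
    results["legitimate"] = dev.receive(frame)
    results["replay"] = dev.receive(frame)                # same bytes again

    # A sender that never had the key builds an identical body with its own tag.
    unkeyed = Controller(bytes(16))
    results["unkeyed_sender"] = dev.receive(unkeyed.build(CMD_SET_RATE, 120))

    # A captured legitimate frame with one bit of the argument flipped.
    tampered = bytearray(ctrl.build(CMD_SET_RATE, 120))
    tampered[BODY_LEN - 1] ^= 0x01
    results["tampered"] = dev.receive(bytes(tampered))

    # The next properly numbered frame from the real controller still works.
    results["next_legitimate"] = dev.receive(ctrl.build(CMD_STATUS, 0))

    # For contrast: the cleartext frame carries no such checks at all.
    plain = encode_plain(CMD_SET_RATE, 120)
    results["cleartext_parses_for_anyone"] = decode_plain(plain) == (CMD_SET_RATE, 120)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} accepted={ok}")
```

The MAC-plus-counter scheme gives authenticity and replay resistance, which is the gap the cleartext pump protocol had; it does not give confidentiality, and a production design would use an AEAD construction, persist the counter across device resets, and handle controller re-pairing. The point of the contrast is only that the device, not the radio link, is what decides whether an unauthenticated frame is acted upon.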
“We strongly believe,” writes Smith, “that RF testing is an incredibly important — though currently often overlooked — component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.”
His “often overlooked” comment is valid and serious. Freelance security consultant and researcher Robin Wood (aka DigiNinja pentester) told SecurityWeek, “Being able to easily test RF that isn’t the standard 802.11 wifi is going to be really useful for physical tests where clients are really switched on and want to know exactly what is going on in their environments.
“Unfortunately, at the moment I find this type of client is few and far between but, as the technology to do the testing gets cheaper and easier to use, hopefully more testers will start using it and offering it as a service which will then start drawing more clients in; in turn increasing the exposure of RF based devices and so creating a feedback loop.”
Wood believes that the Metasploit capability will “make it easier for people to do research in this area which again will start to increase awareness and hopefully the overall security.”
The danger, of course, is that criminal elements could also use Metasploit to find flaws suitable for exploiting. It is a criticism that has always been leveled against Metasploit, and one that Smith mentions. “The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things.” But he adds that the bad guys are already doing bad things, and the best defense is to know what they can do. “Sunlight is the best disinfectant,” he adds.
F-Secure is at least one security firm that agrees. “RF has traditionally been a fruitful attack vector,” a spokesperson told SecurityWeek, “so maybe the availability of more tools in the field will improve that situation. When a widely-used tool like Metasploit starts offering a module that allows this sort of work, it lowers the entry barrier considerably. We may see more device manufacturers starting to pay attention to the RF attack vectors against their devices, but we are also almost certain to see more attacks from this angle as well.”
At the same time, F-Secure is aware of the dangers. “This sort of technology is very much ‘dual use’ in the sense that while it is essential to security researchers and red teams, it can also be used as an attack tool by malicious parties.”
Senior security consultant Taneli Kaivola added, “Now that the door has been opened for the wider public, we can expect to see the scope and capability of this tool expanding. I fully expect to see SDRs (software defined radios, adding additional frequencies) supported in the framework popping up like mushrooms in the rain.”
Chester Wisniewski, principal research scientist at Sophos, primarily sees the dangerous side. He told SecurityWeek: “Rapid7 is correct that RF testing can be a critical component in many areas of security research, but it is very different from traditional pentesting tools. To me this is a concerning development. Take average hacker-types with no knowledge of RF and the regulatory frameworks designed to allow our devices to work and provide them a tool that can send and receive signals with almost no knowledge.
“What could possibly go wrong?” he asks. “Other than breaking just about anything that operates over RF in a difficult to detect manner… I just don’t think making it a toolkit anyone can use is a good idea. Software-defined radios have already breached this wall, but I suspect simplifying their use will end in tears.”