Connect with us

Hi, what are you looking for?



Metaspoit’s New RFTransceiver Finds Security Flaws in IoT Radio Communications

The Internet of Things is pervasive, rapidly growing, and largely insecure. Researchers have discovered security flaws in products ranging from baby alarms and dolls, to motor vehicles and medical equipment — and the likelihood is that there are many more simply not yet discovered.

The Internet of Things is pervasive, rapidly growing, and largely insecure. Researchers have discovered security flaws in products ranging from baby alarms and dolls, to motor vehicles and medical equipment — and the likelihood is that there are many more simply not yet discovered.

Metasploit has now released a new hardware bridge extension to help researchers and pentesters — and IoT user organizations — discover security flaws in IoT radio communications. While many of the known flaws are found in consumer devices, IoT devices are increasingly making their way into and onto business premises; and it is very difficult for security teams to control them. 

“Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas,” writes Craig Smith, Transportation Research Lead at Rapid7 in a blog announcement today. These same devices can often contain flaws that can be used by attackers, but are unknown to the user.

With Metasploit’s new RFTransceiver radio frequency testing extension, companies will be able to better understand their true security posture. They will, suggests Smith, “be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.”

In October 2016, Rapid7 reported a vulnerability in a medical insulin pump. The pump was remotely controlled, but communication was sent between the controller and the device in cleartext rather than encrypted. This could allow a hacker to spoof the controller and trigger unauthorized insulin injections. The problem for security teams is that there is no easy way to know what communication happens between a device and its control server.

“We strongly believe,” writes Smith, “that RF testing is an incredibly important — though currently often overlooked — component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.”

His “often overlooked” comment is valid and serious. Freelance security consultant and researcher Robin Wood (aka DigiNinja pentester) told SecurityWeek, “Being able to easily test RF that isn’t the standard 802.11 wifi is going to be really useful for physical tests where clients are really switched on and want to know exactly what is going on in their environments.

Advertisement. Scroll to continue reading.

“Unfortunately, at the moment I find this type of client is few and far between but, as the technology to do the testing gets cheaper and easier to use, hopefully more testers will start using it and offering it as a service which will then start drawing more clients in; in turn increasing the exposure of RF based devices and so creating a feedback loop.”

Wood believes that the Metasploit capability will “make it easier for people to do research in this area which again will start to increase awareness and hopefully the overall security.”

The danger, of course, is that criminal elements could also use Metasploit to find flaws suitable for exploiting. It is a criticism that has always been leveled against Metasploit, and one that Smith mentions. “The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things.” But he adds that the bad guys are already doing bad things, and the best defense is to know what they can do. “Sunlight is the best disinfectant,” he adds.

F-Secure is at least one security firm that agrees. “RF has traditionally been a fruitful attack vector,” a spokesperson told SecurityWeek, “so maybe the availability of more tools in the field will improve that situation. When a widely-used tool like Metasploit starts offering a module that allows this sort of work, it lowers the entry barrier considerably. We may see more device manufacturers starting to pay attention to the RF attack vectors against their devices, but we are also almost certain to see more attacks from this angle as well.”

At the same time, F-Secure is aware of the dangers. “This sort of technology is very much ‘dual use’ in the sense that while it is essential to security researchers and red teams, it can also be used as an attack tool by malicious parties.”

Senior security consultant Taneli Kaivola added, “Now that the door has been opened for the wider public, we can expect to see the scope and capability of this tool expanding. I fully expect to see SDRs (software defined radios, adding additional frequencies) supported in the framework popping up like mushrooms in the rain.”

Chester Wisniewski, principal research scientist at Sophos told SecurityWeek, primarily sees the dangerous side. “Rapid7 is correct that RF testing can be a critical component in many areas of security research, but it is very different from traditional pentesting tools. To me this is a concerning development. Take average hacker-types with no knowledge of RF and the regulatory frameworks designed to allow our devices to work and provide them a tool that can send and receive signals with almost no knowledge.

“What could possibly go wrong?” he asks. “Other than breaking just about anything that operates over RF in a difficult to detect manner… I just don’t think making it a toolkit anyone can use is a good idea. Software-defined radios have already breached this wall, but I suspect simplifying their use will end in tears.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.