Rapid7 Adds Hardware Testing Capabilities to Metasploit

Rapid7 has added a hardware bridge to its Metasploit penetration testing framework, making it easier for users to analyze Internet of Things (IoT) devices. The company said this enhancement makes Metasploit the first general-purpose pentesting tool.

Metasploit has allowed researchers to conduct security assessments using Ethernet communications, but now they will also be able to link the tool directly to the hardware via raw wireless and direct hardware manipulation.

Up until now, the framework could be used for hardware testing by creating custom tools for interaction with the targeted product, which Rapid7 says is a time-consuming and resource-intensive process. The new capability allows users to focus on a more important task: developing exploits.

The first release of the hardware bridge focuses on automotive systems, particularly the Controller Area Network (CAN) bus, but the company plans on adding modules for other types of systems in the upcoming period.

According to Rapid7, pentesters can now use Metasploit to analyze industrial control systems (ICS), IoT hardware and software, and software-defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7 and developer of the new capability. “We’re working to give security professionals the resources they need to test and ensure the safety of their products -- no matter what side of the virtual divide they’re on.”

Metasploit already has more than 1,600 exploits and 3,300 modules, and new components are being developed regularly with the aid of hundreds of contributors. According to the Metasploit Project, 190 people made contributions to the framework last year.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.