Rapid7, Inc. announced that security teams can now link hardware directly into the Metasploit Framework for vulnerability testing. The new capability allows users to focus on developing exploits to test their hardware — rather than dedicating resources to building and supporting multiple tools — and makes Metasploit the first general-purpose penetration testing tool to test both hardware and software directly.
With more than 20 billion Internet of Things (IoT) devices expected by 2020, the ability to secure all facets of that ecosystem, from the hardware through to the software, depends on comprehensive testing to keep both organizations and consumers safe and secure. This announcement demonstrates Rapid7’s continued dedication to empowering IT and security teams to effectively and safely design, build, and deploy technology to drive innovation across industries.
“Every wave of connected devices — regardless of whether you’re talking about cars or refrigerators — blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7 and author of the new capability. “We’re working to give security professionals the resources they need to test and ensure the safety of their products, no matter what side of the virtual divide they’re on.”
Metasploit Framework, Rapid7’s open source penetration testing software that helps verify vulnerabilities and conduct security assessments, traditionally relies on an Ethernet network to communicate. This announcement makes Metasploit the first general-purpose penetration testing tool able to go beyond traditional networking limitations by using raw wireless and direct hardware manipulation to test for vulnerabilities. Now, security teams can test IoT hardware and software, industrial control systems (ICS), and Software Defined Radio (SDR) for vulnerabilities. Previously, to test hardware with Metasploit, users created custom tools to interact with each one of their products, a resource-intensive process that took time away from assessing the security of those products.
The initial release of the hardware bridge will focus on automotive capabilities, with extensions into other hardware verticals expected throughout the year, and joins a growing library of modules that target embedded, industrial, and hardware devices. Initial sample modules include capabilities on Controller Area Network (CAN bus), with plans for other bus systems, such as K-Line, to follow. Metasploit also currently includes a number of industrial control exploits for SCADA systems and auxiliary modules; there are modules for targeting at least eight different industrial control devices and several Denial of Service modules.
In addition to helping streamline vulnerability testing, the new capability will enable users to:
- Conduct comprehensive quality assessments of hardware, supported by Metasploit’s extensive library of exploits
- Leverage Metasploit as a learning and teaching tool for automotive and exotic hardware-based network research
- Write exploits that utilize hardware tools without having to worry about vendor specifics
- Use Metasploit to make automotive diagnostic decisions, removing the burden of low-level packet handling
Metasploit increases penetration testers’ productivity, validates vulnerabilities, and manages phishing awareness. The solution allows users to find vulnerabilities with automated penetration tests powered by the world’s largest exploit database through simulated, complex attacks. Based on those results, users are able to prioritize their biggest security risks to improve security outcomes. The Metasploit open source community, backed by hundreds of thousands of users and contributors, drives unique insights into the latest attacker methods and mindset. Rapid7 works with the user community to regularly add new exploits, and Metasploit currently boasts more than 1,600 exploits and 3,300 modules.