Internet of Things devices can now be tested with Metasploit

Feb 3, 2017 12:24 GMT

Given the growing concern about Internet of Things (IoT) devices and the threat they pose to security, the Metasploit hacking kit has been upgraded to check for bugs in modern devices too.

The Metasploit framework has been updated to link directly to hardware, which permits users to develop exploits to test their hardware and conduct penetration testing, said Craig Smith, Research Director of Transportation Security at Rapid7.

“The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware,” Smith said.

Thousands of researchers use the open-source penetration testing software, and it has been used for 1,600 exploits and 3,300 penetration testing modules so far.

Now that the Hardware Bridge API has been updated, users no longer have to limit themselves to Ethernet network connections and can build support directly into firmware. Alternatively, they can use a REST API, which is necessary for some hardware tools that don’t have the option of communicating over Ethernet.

The age of IoT is insecure

This has become necessary as more and more devices become connected, whether we’re talking about the car you drive to work, the refrigerator at home or your coffee machine. The safety of all these devices is often problematic, and many have been breached over the years and used as tools for DDoS attacks and as gateways into local networks.

The release that was just announced focuses on automotive penetration testing, but can be used for other devices as well. “This allows exploit developers to focus on writing automotive tools without having to worry about the attached hardware. It also provides internal Metasploit APIs to make common automotive calls easier, such as getting the vehicle speed or requesting a security access token from the Engine Control Unit (ECU),” the report reads.

In time, more modules will be released, targeting embedded, industrial and hardware devices, Rapid7 says.