Metasploit Targets Hardware for IoT Security Penetration Testing

Open-source Metasploit penetration testing framework adds new hardware support, enabling researchers to target IoT devices, starting with automotive.

Metasploit security

Security vendor Rapid7 has been helping to lead the open-source Metasploit penetration testing framework project since October 2009, largely focused on software. On Feb. 2, Rapid7 announced a new expansion of Metasploit's capabilities to enable security researchers to directly link to hardware for vulnerability testing.

The new hardware enablement is currently in the open-source Metasploit framework and is available via GitHub. Additionally, Rapid7 plans on packaging the capability in the standard open-source Metasploit community edition.

Metasploit has always been able to connect to devices over standard wired and wireless Ethernet connections. The new hardware connectivity aims to go a step further and will enable specific hardware testing use-cases, beginning with automotive.

Craig Smith, director of transportation research at Rapid7, explained that once a device has support, Metasploit can utilize that device to run modules or custom scripts on that type of hardware.

"The hardware bridge API supports any type of hardware though, so if you wanted to make a relay for a JTAG tool you could," Smith told eWEEK. "Once the relay supported the API then you could interact with it through Metasploit or write modules for it."

JTAG is a hardware interface connection tool approach that is commonly used by researchers. Metasploit itself is made up of multiple modules and software tools that help researchers to explore and identify potential risks and vulnerabilities.

A core element of the Metasploit framework is the Meterpreter system that delivers payloads to execute on targeted systems. There is also the Mettle payload that can execute within a target system's memory. Smith explained that the Mettle payload provides meterpreter shells that allow researchers to investigate certain types of IoT systems.

"Mettle works well if you want to pivot through a router or printer system to reach further into a network," Smith said.

Smith explained that for compromising internet of things (IoT) devices, researchers will still use meterpreter or mettle. He added that the new hardware bridge is designed for tools the security team would use.

"Traditional security tools can only test exploits on Ethernet based systems," Smith said. "The hardware bridge allows you to plug in a piece of hardware and pivot to a non-Ethernet network such as Controller Area Network (CAN) bus or Software Defined Radio (SDR). "

Smith explained that there are extensions that group together a technology such as automotive. Security researchers can then write modules specifically for automotive systems, without having to worry about what type of automotive hardware is in use.

While Metasploit is a powerful framework that can often involve a high-degree of sophistication, it also has capabilities to help researchers to easy exploit targeted systems. The 'autopwn' capabilities in Metasploit provides users with a guided wizard approach to automatically exploit a target.

"If the IoT device has a full Ethernet stack and operating system, than the current autopwn system works fine," Smith said.

He added that Rapid7 is currently considering what an autopwn system would look like for vehicle systems. Smith explained that when exploiting physical systems, an autopwn wizard gets tricky because the success feedback is often physical and something that device may not easily be able to detect.

"Plus, since these are physical devices, we don't want to encourage blindly sending packets to, say a car or a medical device," Smith said.

Looking forward, Smith said that he is looking for community feedback on which hardware tools people want to see supported with Metasploit and how researchers envision using the bridge.

"Once we have a good foundation for the API we will release more extensions and modules for additional hardware," Smith said. "The automotive extension will get support for additional buses and more modules as well."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.