Penetration test tools extend reach into embedded devices

The Metasploit collection of tools used by penetration testers to find security flaws in software now has a bridge to deeply embedded hardware devices, developed by analytics company Rapid7.

The Metasploit framework normally relies on Ethernet or equivalent access to machines in order to work. The Hardware Bridge API makes it possible for the Metasploit tools to access devices with much simpler network interfaces, or just serial ports. The initial release of the bridge provides functions to send and receive CAN messages: Rapid7 is focusing first on automotive security for its work.

Cesare Garlati, chief security strategist at the Prpl Foundation, welcomed the release of the bridge: “Being an advocate of open source, Prpl welcomes the ability for Metaspoilt to be used to test hardware, which is often neglected in pentesting typically limited to networks and network connectivity. Hardware is critical to journey to securing IoT devices.

“While the Metaspoilt update brings with it the potential for more vulnerabilities to be discovered, I think it must be used responsibly, with ethical hackers giving vendors enough time to address problems before they are disclosed to the wide world.”

Access to the deeply embedded targets is through a relay device that provides Ethernet access for the core Metasploit framework. The analysis tools use HTTP requests to send commands to the hardware devices and receive data from them. The bridge API is used to perform the necessary translation into messages that can be sent over a serial link or fieldbus to the embedded device.