Rapid7, Inc. (NASDAQ: RPD), a leading provider of data and analytics solutions for security and IT, today announced that security teams can now link hardware directly into the Metasploit Framework for vulnerability testing. The new capability allows users to focus on developing exploits to test their hardware — rather than dedicating resources to building and supporting multiple tools — and makes Metasploit the first general-purpose penetration testing tool to test both hardware and software directly.
With more than 20 billion Internet of Things (IoT) devices expected by 2020, the ability to secure all facets of that ecosystem, including hardware and extending through to the software, depends on comprehensive testing, to keep both organizations and consumers safe and secure. This announcement demonstrates Rapid7’s continued dedication to empowering IT and security teams to effectively and safely design, build, and deploy technology to drive innovation across industries. The news also follows the November launch of the Company’s IoT Strategic Consulting and Assessment Services.
“Every wave of connected devices — regardless of whether you’re talking about cars or refrigerators — blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7 and author of the new capability. “We’re working to give security professionals the resources they need to test and ensure the safety of their products, no matter what side of the virtual divide they’re on.”
Metasploit Framework, Rapid7’s open source penetration testing software that helps verify vulnerabilities and conduct security assessments, traditionally relies on an Ethernet network to communicate. This announcement makes Metasploit the first general-purpose penetration testing tool able to go beyond traditional networking limitations by using raw wireless and direct hardware manipulation to test for vulnerabilities. Now, security teams can test IoT hardware and software, industrial control systems (ICS), and Software Defined Radio (SDR) for vulnerabilities. To test hardware with Metasploit previously, users created custom tools to interact with each one of their products, a resource-intensive process that took time away from assessing the security of products.
The initial release of the hardware bridge will focus on automotive capabilities, with extensions into other hardware verticals expected throughout the year, and joins a growing library of modules that target embedded, industrial, and hardware devices. Initial sample modules include capabilities on Controller Area Network (CAN bus), with plans for other bus systems, such as K-Line, to follow. Metasploit also currently includes a number of industrial control exploits for SCADA systems and auxiliary modules; there are modules for targeting at least eight different industrial control devices and several Denial of Service modules.
In addition to helping streamline vulnerability testing, the new capability will enable users to:
Metasploit increases penetration testers’ productivity, validates vulnerabilities, and manages phishing awareness. The solution allows users to find vulnerabilities with automated penetration tests powered by the world’s largest exploit database through simulated, complex attacks. Based on those results, users are able to prioritize their biggest security risks to improve security outcomes. The Metasploit open source community, backed by hundreds of thousands of users and contributors, drives unique insights into the latest attacker methods and mindset. Rapid7 works with the user community to regularly add new exploits, currently boasting more than 1,600 exploits and 3,300 modules.
To contribute to Metasploit Framework: https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit
For a free trial of Metasploit: https://rapid7.com/products/metasploit/download/
With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. Rapid7 is trusted by more than 5,800 organizations across over 110 countries, including 37% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.