Metasploit extends pen testing to IoT
February 7, 2017 Leave a comment
Rapid7 has updated its Metasploit Framework to allow for IoT hardware security testing, in a bid to improve security in the ever-expanding Internet of Things.
Security testers can now directly link hardware to the widely used framework – a vital pre-requisite for the development of safer, more secure IoT systems.
The update removes the need for security professionals to create custom tools for each product they wanted to test with Metasploit, making things quicker and easier all round, according to Rapid7.
Cesare Garlati, Chief Security Strategist at the prpl Foundation commented below.
Cesare Garlati, Chief Security Strategist at the prpl Foundation:
“Being an advocate of open source, prpl welcomes the ability for Metasploit to be used to test hardware, which is often neglected in pentesting typically limited to networks and network connectivity. Hardware is critical to journey to securing IoT devices.
“While the Metasploit update brings with it the potential for more vulnerabilities to be discovered, I think it must be used responsibly, with ethical hackers giving vendors enough time to address problems before they are disclosed to the wide world.”
“It will be a wake up call to device manufacturers to take the security of hardware in connected devices more seriously and in fact hardware is the key to making security more robust in connected devices. It also further confirms that security through obscurity just doesn’t work anymore and it’s time for a more proactive approach to securing embedded devices including using open source, security through separation with hardware virtualization and a root of trust established at the hardware level.
“Overall, this is a positive step for connected device security.”