Vulnerability testing for software and networks is both necessary and ubiquitous, giving rise to tools such as the open source Metasploit framework. This can seek out weaknesses, run exploits and mimic attacks in the wild against corporate services.

The missing link is hardware. Given the difficulty of linking hardware directly to testing solutions, companies have typically relied on purpose-built services to ensure security. According to Dark Reading, however, a new Hardware Bridge API for Metasploit extends the functionality of this tool beyond the virtual, allowing security experts to directly hack their own hardware.

A Storm Is Brewing

While on-premises and cloud-based applications have been the go-to choice of cybercriminals over the last few years, this focus is changing as more Internet of Things (IoT) devices hit the market and more industrial enterprises opt for internet-facing control systems. The result is a potential hardware hacking deluge as attackers look for ways to breach physical systems and cause havoc.

As noted by Electronic Engineering Journal, for example, the growing popularity of 3-D printers comes with concern. If fraudsters are able to alter the firmware of these devices, they can change the configuration of output materials without detection. Sure, the changes would have to be small — joints slightly out of place or holes moved — but when it comes to strength-intensive applications that depend on specific design features, this kind of breach could be devastating.

Hackaday, meanwhile, pointed to the increasing number of “covert channels” that target hardware by bridging the air gap. It’s now possible to use fan sounds as a way to exfiltrate information, temperature variations to introduce malware and vibration to recreate keystrokes. Put simply, a storm of hardware hacks is brewing, and most companies aren’t ready for the rain.

How the Hardware Bridge Works

Dark Reading reported that the new Metasploit hardware bridge aims to reduce the complexity of device-based security tests, specifically in the automotive space. Security firm Rapid7, which owns the Metasploit project, announced plans to roll out support for additional verticals later this year.

So how does the hardware bridge work? Instead of relying on Ethernet, it leverages a combination of wireless communication and direct hardware manipulation, allowing manufacturers to enable support for Metasploit in firmware or create a relay service for devices without Ethernet access.

The Importance of Vulnerability Testing

According to Rapid7 developer Craig Smith, this allows companies “to utilize hardware to reach areas you couldn’t before,” such as a vehicle’s Controller Area Network (CAN) bus system, Dark Reading said. This, in turn, allows automakers to test for threats on devices that are not exposed to traditional networks but could pose serious risk if compromised.

Researchers have already demonstrated the ability to change a moving vehicle’s direction or speed by compromising its network-based components. Given the growing push for self-driving vehicles, it’s impossible to overstate the need for direct, straightforward hardware vulnerability testing.

Software and network testing are solid starting points, but in an IoT-enabled world, they’re simply not enough. Open source, easy-to-use hardware hacking tools represent the next step toward effective, physical cyberdefense.

More from

More School Closings Coast-to-Coast Due to Ransomware

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks. The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase. In a recent warning, the nation’s…

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…