PRESS RELEASE | August 7, 2018

IOActive Discloses More Vulnerabilities in Popular Stock Trading Applications at Black Hat USA 2018

Security researcher Alejandro Hernandez expands his 2017 research on vulnerabilities found in popular mobile trading, desktop and web stock trading applications

Las Vegas, NV – August 7, 2018 – IOActive, Inc., the worldwide leader in research-driven security services, today announced new vulnerabilities the research team has discovered in mobile, desktop and web stock trading applications. IOActive Senior Security Consultant Alejandro Hernandez will present his vulnerability findings at Black Hat Las Vegas on Thursday, August 9th at 11am PT in his talk, “Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies.”

His research expands upon his original 2017 research on mobile trading applications. At Black Hat, Hernandez will discuss how he tested several stock trading and cryptocurrency trading technologies, including 16 desktop applications, 30 websites, and 34 mobile applications, and discovered major vulnerabilities that can allow malicious actors to gain access to a user’s personal banking information through desktop and web applications, steal money, and gain insight into the user’s net worth and investment strategies.

Hernandez commented, “I published my original research nearly a year ago, and it’s deeply concerning that some of the same vulnerabilities have still not been fixed.”

As in his research last year, Hernandez found that usernames and passwords can easily be stolen from stock trading networks. This year, he found many vulnerabilities, including unencrypted authentication, communications, passwords and trading data, and remote Denial of Service (DoS) conditions that can render applications unusable. In addition, he found issues with weak password policies, hardcoded secrets and poor session management.

“Imagine a stock trader in a coffee shop, using public Wi-Fi. An attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted,” says Hernandez. “For example, the attacker could see the username and password of the trader’s account and later log in through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”

“Alejandro’s continued research and discovery of major flaws in stock trading technologies will hopefully be a wakeup call to the financial industry,” said Jennifer Steffens, CEO of IOActive. “They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”

All of the vendors impacted by these stock trading vulnerabilities have been notified. IOActive cannot confirm at this time whether the issues have been fixed.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from security advising to penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 1000 companies across every industry trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.
PRESS RELEASE | April 11, 2018

IOActive Appoints John H. Sawyer to Expand their Red and Purple Team Practice

Seattle, WA – April 11, 2018 – IOActive, Inc., the worldwide leader in research-driven security services, today announced the expansion of its Red and Purple Team Practice to further strengthen its customers’ security posture and incident response capabilities through realistic adversarial emulation. (more…)

PRESS RELEASE | March 22, 2018

IOActive Celebrates Expansion of Security Research Laboratory in Spain

Madrid, Spain – March 22, 2018 – IOActive, Inc., the worldwide leader in research-driven security services, today announced the expansion of its global lab and research facilities in Madrid. The lab location, which originally opened in October 2015, offers cutting-edge hardware security services throughout the European, Middle Eastern and African (EMEA) regions while also fostering additional security research from its world-renowned team.

The Madrid lab expansion underscores IOActive’s increased investment in lab tools and in the team’s skill set. The Madrid team’s capabilities range from hardware manipulation to reverse engineering to mobile and web application testing. The team works with external interfaces from conventional USB and Wi-Fi to proprietary optical and RF protocols, as well as with the software stack.

“Manipulating modern devices built with very small tolerances requires manual capabilities comparable to those of an internationally-famous piano player – only a few in the world can do that, and it requires constant exercise,” said Alfredo Pironti, Managing Consultant at IOActive’s Madrid Hardware Lab. “Our consultants develop a deep, unbiased knowledge of novel attack techniques that then transfers to the security industry via our clients’ engagements. On several occasions, our research has served as a wake-up call for security in industry sectors where this aspect was previously neglected.”

“The IOActive team is rapidly growing to meet increasing client demands in the EMEA market, and our team in Madrid has proven capabilities in firmware and software reverse engineering, allowing them to spot vulnerabilities that can allow an attacker to reprogram and repurpose the devices under test,” said Jennifer Steffens, chief executive officer for IOActive. “We invest a significant amount of time in ensuring our consultants can acquire and maintain security skills that are unmatched in the market, and we continue to be on the lookout to recruit top new talent to the IOActive European team.”

To celebrate the expansion and IOActive’s 20th Anniversary, the team will host “An Evening with IOActive” on Thursday, March 22 from 6pm-12am CET at Travesía Dr. Fleming, 15, 28036 Madrid. The fiesta will be complete with tasty hors d’oeuvres, lively security discussions, and a few surprises that promise to make it an evening to remember. Interested attendees can register on the Eventbrite invite and receive updates on the event as the big day approaches.


PRESS RELEASE | March 9, 2018

IOActive Conducts First-Ever Ransomware Attack on Robots at Kaspersky Security Analyst Summit 2018

Seattle, WA – March 9, 2018 – IOActive, Inc., the worldwide leader in research-driven security services, released a blog post today outlining how its researchers, Cesar Cerrudo and Lucas Apa, conducted the first-ever ransomware attack on robots. The blog post, titled “Robots Want Bitcoins too!,” details the hack of commercially available Pepper and NAO robots (more…)

PRESS RELEASE | January 11, 2018

IOActive and Embedi Uncover Major Security Vulnerabilities in ICS Mobile Applications

Seattle, WA – January 11, 2018 – IOActive, Inc., the worldwide leader in research-driven security services, and Embedi, a cybersecurity startup company focused on immunizing IoT/embedded/smart end-point devices against 0- and 1-day attacks, today released a white paper outlining 147 cybersecurity vulnerabilities found in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. (more…)

PRESS RELEASE | October 26, 2017

IOActive Researcher Discovers Critical Security Flaws in Inmarsat Maritime Vessel Communication Platform

Seattle, WA – Oct. 26, 2017 – IOActive, Inc., the worldwide leader in research-driven security services, today released a new advisory documenting critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect shipboard communication platform. Stratos Global, an Inmarsat company, is the world’s leading provider of maritime communications services and is used by thousands of vessels globally. (more…)

PRESS RELEASE | July 26, 2017

IOActive Uncovers Security Vulnerabilities in Radiation Monitoring Devices

Seattle, WA – July 26, 2017 – IOActive, Inc., the worldwide leader in research-driven security services, today released the details surrounding a number of cybersecurity vulnerabilities found in widely deployed Radiation Monitoring Devices (RDMs). RDMs are used to monitor the radiation found in critical infrastructure, such as nuclear power plants, seaports, borders, and even hospitals. (more…)

PRESS RELEASE | July 25, 2017

IOActive Delivers Groundbreaking Security Research at Black Hat USA 2017 & DEF CON 25

Researchers Present New Discoveries in Radiation Monitoring Devices, BSD Kernels, IoT Insecurity, and More in Las Vegas

Black Hat USA 2017, Las Vegas, NV – July 24, 2017 – IOActive, Inc., the worldwide leader in research-driven security services, today announced the company will be delivering several presentations during Black Hat USA 2017 and DEF CON 25 this week in Las Vegas.

“The IOActive team works tirelessly to identify highly impactful security vulnerabilities to ensure our team stays ahead of the attackers who target our clients,” said Jennifer Steffens, CEO of IOActive. “Our team is once again going to Las Vegas in force to share new and compelling security research, tools and trends with the InfoSec community. This year’s lineup of talks will break new ground, identifying vulnerabilities in nuclear radiation monitoring systems, exploits in IoT devices, and more.”

IOActive has a long history of delivering industry-defining security research at Black Hat and DEF CON, including talks on hacking automobiles, ATMs, SATCOM systems, traffic control systems, semiconductors, and more.

Overview of Briefings at Black Hat USA 2017

Go Nuclear: Breaking Radiation Monitoring Devices
Ruben Santamarta | Principal Security Consultant at IOActive
Wednesday, July 26 | 4:00pm | Jasmine Ballroom

Taking Over the World Through MQTT – Aftermath
Lucas Lundgren | Senior Security Consultant at IOActive
Thursday, July 27 | 2:30pm | Jasmine Ballroom

Overview of IOActive Black Hat Arsenal Participants

Egression
Daniel Miessler | Director of Advisory Services at IOActive
Wednesday, July 26 | 2:30pm | Business Hall, Level 2, Station 5

Invtero.net – Volatile Memory Analysis at Scale – The Highest Performing and Forensic Platform for Windows x64
Shane Macaulay (aka K2) | Director of Incident Readiness at IOActive
Thursday, July 27 | 10:00am | Business Hall, Level 2, Station 3

Overview of DEF CON Presentations

(Un)F!@#ing Forensics: Active/Passive (i.e. Offensive/Defensive) Memory Hacking/Debugging
Shane Macaulay (aka K2) | Director of Incident Readiness at IOActive
Saturday, July 29 | 10:30am | Track 4

Are All BSDs Created Equal? A Survey of BSD Kernel Vulnerabilities
Ilja van Sprundel | Director of Penetration Testing at IOActive
Sunday, July 30 | 12:00pm | Track 2

IOActive IOAsis at Black Hat
IOActive is also holding its annual IOAsis event during Black Hat USA 2017 at Mandalay Bay in the Palm B room (third level) on Wednesday and Thursday, July 26 and 27. The event will feature four additional security talks by IOActive experts on Wednesday, July 26.


PRESS RELEASE | July 19, 2017

IOActive Finds Critical Security Vulnerabilities in Segway/Ninebot MiniPRO Hoverboard

Seattle, WA – July 19, 2017 – IOActive, Inc., a global security consulting firm and the worldwide leader in research-driven security services, today released new research exposing security vulnerabilities found in the Segway/Ninebot MiniPRO Hoverboard. IOActive researchers evaluated the flaws and determined they were of critical risk, leaving the hoverboards vulnerable to attack. If exploited, an attacker could bypass safety systems and remotely take control of the device, including changing settings, pace, direction, or even disabling the motor and bringing it to an abrupt and unexpected stop while a rider is in motion.

The research was conducted by IOActive Embedded Devices Security Consultant, Thomas Kilbride, and is documented in a Security Advisory available on the IOActive website here.

“FTC regulations do require scooters to meet certain mechanical and electrical specifications to help avoid battery fires and various mechanical failures,” said Kilbride. “However, there are currently no regulations centered on firmware integrity and validation, despite being integral to the safety of the system. As my research indicates, this lack of regulation could lead to a number of dangerous situations.”

During the past eight months, Kilbride tested mobile applications, firmware images, and other software in order to identify the flaws. He found that once a vulnerability had been exploited, he could essentially gain full control of the scooter. Kilbride was able to perform a firmware update of the scooter’s control system without authentication and modify the controller firmware to remove rider detection. Additionally, he determined that an attacker could make a hoverboard stop suddenly, creating the risk for serious injury.

“Using reverse engineering and protocol analysis, I was able to discover a number of worrisome security threats,” continued Kilbride. “For example, I determined that riders in the area were indexed using their smartphone’s GPS. Therefore, each rider’s location was publicly available, so the hoverboards could be found, tracked, hijacked, and controlled without the rider’s knowledge.”

The advisory also discusses the steps that should be taken by manufacturers to mitigate the various risks presented by the vulnerabilities identified, including firmware integrity checking, encryption, PIN authentication, and more.

IOActive disclosed the vulnerabilities to Segway/Ninebot, and the company subsequently released a new version to address some of the issues identified and informed IOActive of the fixes.

The research will be included in a presentation Kilbride will give at IOActive’s IOAsis event next week during Black Hat USA 2017 in Las Vegas. His session takes place on Wednesday, July 26 from 1:50 p.m. – 2:40 p.m. PT in Palm B Room in Mandalay Bay.

IOActive’s research team also put together a short video that demonstrates this Segway research here: https://www.youtube.com/watch?v=lq3EPiG5guk&feature=youtu.be


PRESS RELEASE | July 13, 2017

IOActive Announces IOAsis Security Talks at Black Hat USA 2017

Seattle, Wash. – July 13, 2017 – IOActive, Inc., the worldwide leader in research-driven security services, has announced the speaker lineup and location of its annual IOAsis Las Vegas event, this year held in partnership with Black Hat USA 2017.

“Our Las Vegas IOAsis event presents a tremendous opportunity to share and collaborate with our security industry peers and community,” said Jennifer Steffens, CEO of IOActive. “We are excited to offer a fantastic line-up of security talks covering a variety of interesting topics and new research. IOActive subject matter experts will be on hand during our program and throughout the week to discuss security techniques and trends from the hacker’s perspective, which is at the heart of our client services.”

The IOAsis Las Vegas 2017 schedule includes:

Wednesday, July 26

10:00 a.m. Doors Open

10:20 a.m. – 11:10 a.m. Security Talk
Heavy Trucks and Electronic Logging Devices: What Could Go Wrong?
Presented by: Corey Thuen, Senior Security Consultant for IOActive

Each day, the U.S. transportation system moves 55 million tons of freight valued at $49.3 billion. As part of the effort to monitor, maintain, and automate this part of our critical infrastructure, federal mandates require Electronic Logging Devices (ELD) in heavy trucks. The ELD mandate significantly increases the attack surface of these insecure heavy vehicles.

This talk shares vulnerability assessment research we conducted against five different ELDs that were available over the counter at big box distributors. What we found could allow an attacker to pivot through the device and into the vehicle where the consequences could be disastrous.

11:30 a.m. – 12:20 p.m. Security Talk
The Under-Engineered Hack: Why Most Attacks on ICS Fail, and How to Get It Right
Presented by: Bryan Singer, Director, Industrial Cybersecurity Services for IOActive

Attackers continue to target critical infrastructure with the intent of disrupting operations and causing physical damage. However, even as ICS attacks increase, many engineers still dismiss ICS threats because critical infrastructure systems rely on engineered layers of protection. Unfortunately, these protections are designed with an engineering mindset, not a cybersecurity mindset, leaving the systems vulnerable to cyberattack.

Bryan Singer will present an emerging model that demonstrates how engineering and cybersecurity attacks can successfully manipulate, compromise, and damage infrastructure. Practical advice and actionable steps to address ICS vulnerabilities, detect intrusions early, and create more resilient systems will also be provided.

1:50 p.m. – 2:40 p.m. Security Talk
IOActive Labs: Breaking Embedded Devices
Presented by: Thomas Kilbride, Embedded Security Consultant for IOActive, Joshua Hammond, Senior Security Consultant for IOActive, and Dan Schaffner, Director of Services for IOActive

See discrete examples of recent research and learn more about IOActive’s lab facilities.

ATM Security: Challenge Accepted
IOActive researchers acquired and reverse engineered an ATM whose manufacturer claimed a vulnerability would not allow an attacker to dispense bills. Find out what happened next.

Breaking a Popular Motorized Scooter
IOActive researchers uncovered critical vulnerabilities in a line of scooters. Using reverse engineering and forensic techniques, the team determined that an attacker could bypass the scooter’s safety system remotely. We will share the process the team followed to discover these flaws, as well as details of the exploit.

3:00 p.m. – 3:50 p.m. Security Talk
Using the iSCSI Protocol to Harvest Unprotected Hard Drives
Presented by: Lucas Lundgren, Senior Security Consultant for IOActive

Our recent Shodan scan found 100,000 hard drives available for the taking. We found warez, passports (yes!), highly confidential documentation, server disks with web applications, company backups, and financial records. What is this magic? It’s iSCSI, SCSI emulation over the internet. Like the world isn’t already a bad place.

6:00 p.m. – 9:00 p.m.
IOAsis Happy Hour, featuring Jason Whitmore, DJ ALLY & DJ F3R

Thursday, July 27th
10:00 a.m. – 6:00 p.m.
IOActive IOAsis – Food, beverages, massages, networking and more all day long.
