
Article Categories: PRESS RELEASE

PRESS RELEASE | December 17, 2014

IOActive Expands Vehicle Security Service Practice

Vehicle security researcher Charlie Miller joins IOActive Advisory Board

Seattle, USA — December 17, 2014 – IOActive, Inc., the leading global provider of hardware, software, and wetware security services, announced it is expanding its Vehicle Security Service practice today. The practice – backed by years of cutting edge research from IOActive Labs – will deliver cyber security strategies and risk mitigation countermeasures to vehicle manufacturers and Original Equipment Manufacturers (OEMs). IOActive has also invested in a garage within its state-of-the-art hardware lab, designed specifically for researching vehicle and transportation security. (more…)

PRESS RELEASE | October 15, 2014

Ariel Sanchez, Senior Security Consultant for IOActive, to present at M3AAWG

PRESENTATION:
(In)Secure Mobile iOS Banking Apps
PRESENTER(S):
Ariel Sanchez, Senior Security Consultant for IOActive
CONFERENCE:
M3AAWG
LOCATION:
Boston Park Plaza, Boston, MA
DATE & TIME:
October 21, 2014 at 13:00 PM

 

In his presentation, Ariel Sanchez will give a current, global view of the state of mobile banking app security. Early this year, Ariel performed research on 40 mobile banking apps from the 60 most influential banks in the world. Ariel will share the results of his research, show the apps’ most common flaws, and explain how an attacker can exploit them to compromise sensitive information. He will also discuss how apps can be tested and protected against potential threats.

About Ariel Sanchez
As Senior Security Consultant for IOActive, Ariel Sanchez is experienced in testing web applications and network infrastructure—building upon his information technology and technical support background. He currently applies that knowledge to application and network penetration tests, and vulnerability assessments as he identifies system vulnerabilities for IOActive’s clients in such industries as software development, telecommunications, financial services, aviation, and retail.

About M3AAWG 
M3AAWG meetings, which are open to members only, are multiple-track events held three times a year and generally attended by 200 to 300 participants. Leading industry experts, researchers, and public policy officials address such diverse topics as bot mitigation practices, social networking abuse and pending legislation. Each three-day meeting is an exceptional opportunity to discuss the latest in messaging security with other professionals in a focused environment of working sessions and educational panels.

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established track record in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information.  Follow IOActive on Twitter: http://twitter.com/ioactive.

###


PRESS RELEASE | July 30, 2014

IOActive to Present Seven Innovative Research Talks at Black Hat and DEF CON

Company continues to break new boundaries

Seattle, USA ― July 30, 2014 ― IOActive, Inc., the leading global provider of hardware, software, and wetware security services, announced today that the company will have six of its top researchers and consultants present their ground-breaking research at the annual Black Hat and DEF CON security conferences. In addition to the talks, the company will also have a tool showcased in the Arsenal section at Black Hat.

The IOActive team will present a total of seven talks at the two events, which take place in Las Vegas during the first week of August.

“Every year the team at IOActive breaks new boundaries with their research, taking information security to the next level and keeping us focussed on tomorrow’s threats,” said Jennifer Steffens, chief executive officer for IOActive. “This year the team raises the bar once again as they develop new exploitation techniques and explore new ways of securing technologies that have an impact on a global scale.”

IOActive has a long history of delivering industry-defining security research at Black Hat and DEF CON. This year IOActive’s team will break new ground in automotive attack surfaces, miniaturisation, SATCOM terminal vulnerabilities, traffic control systems, Windows kernel graphics, and Windows page table shellcode.

In recent years, the company has given progressive presentations covering the latest vulnerabilities associated with automobiles and wireless for Industrial Automation and Control Systems (IACS). These talks have also covered a broad range of other subjects including: RFID access control limitations, critical flaws in global DNS infrastructure, Smart Meter worms, jackpotting ATMs, and breaking semiconductors.

Overview of Briefings at Black Hat

  • A Survey of Remote Automotive Attack Surfaces
    By Chris Valasek, director of vehicle security research for IOActive and Charlie Miller, security engineer for Twitter
    August 6, 2014 at 11:45
    Automotive security concerns have gone from the fringe to the mainstream, with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Unfortunately, research has only been presented on three or four particular vehicles. Each manufacturer designs their fleets differently; therefore, analysis of remote threats must avoid generalities.
    This talk takes a step back and examines the automotive network of a large number of different manufacturers. From this larger dataset, we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last five years? What does the future of automotive security hold? How can we protect our vehicles from attack moving forward?
  • Windows Kernel Graphics Driver Attack Surface
    By Ilja van Sprundel, director of penetration testing for IOActive
    August 6, 2014 at 11:45
    Ever wondered about the attack surface of graphics drivers on Windows? Are they similar to other drivers? Do they expose ioctl’s? In this talk from Ilja, all those questions will be answered and more. Whether you’re a security researcher, a developer looking for some security guidance when writing these drivers, or just generally curious about driver internals, there’s something here for you. The research presented focuses both on C/C++ code, when available, as well as reverse engineering of these drivers.
  • Miniaturisation
    By Jason Larsen, principal security consultant for IOActive
    August 7, 2014 at 14:15
    Too often researchers ignore the hard parts of SCADA hacking. Too many presentations could be described as “I got past the SCADA firewall so I win!!!” Little information is available on what to do after the attacker gains control of the process. Consider the scenario where you have control of a paint factory. Now what? The answer to that question is often specific to the process, but there are a number of generic techniques that can be discussed. Often, designing an attack leads to interesting hacking and computer science challenges.
    Miniaturization is one of those problems. Suppose an attacker wanted to hide in a PLC. Suppose he wanted to hide all the way down in a pressure sensor. Is such a thing possible? The attack must be miniaturized to fit within the constraints of the embedded device and may need to be miniaturized into just a few kilobytes of memory. This is an interesting problem.
    The sensor has only a few kilobytes of memory and the attacker has a number of tasks to perform. During the attack he must spoof the original process to keep the operator happy. He must estimate the state of the physical process by extracting artifacts from noisy sensor signals. He must also process those artifacts to extract the necessary constants to perform an attack.
    In order to keep the presentation real and understandable, Jason will walk through setting up an optimal pressure transient in a chemical piping system (commonly referred to as a water hammer). A set of novel algorithms will be described that would allow someone to pull off such an attack. A variant of “runs analysis” taken from statistics will be used to produce nearly perfect sensor noise without a previous look at the sensor. An algorithm derived from 3D graphics will be used to extract artifacts from noisy sensor data. Finally, scale-free geometry matching techniques will be used to process the artifacts into the time constants needed to pull off an attack.
  • SATCOM Terminals: Hacking by Air, Sea, and Land
    By Ruben Santamarta, principal security consultant for IOActive
    August 7, 2014 at 15:30
    Satellite Communications (SATCOM) play a vital role in the global telecommunications system. We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify, or re-route traffic provides an invaluable opportunity to carry out attacks.
    SATCOM infrastructure can be divided into two major segments, space and ground. Space includes those elements needed to deploy, maintain, track, and control a satellite. Ground includes the infrastructure required to access a satellite repeater from Earth station terminals.
    IOActive found that 100% of the devices in scope could be abused. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols or weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship can do it.
    This presentation from Ruben will show all the technical details, mainly based on static firmware analysis via reverse engineering, also including a live demo against two of these systems.
    Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.

Overview of Arsenal at Black Hat

  • Melkor – an ELF File Format Fuzzer
    By Alejandro Hernandez, senior security consultant for IOActive
    August 7, 2014 at 10:00
    Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws have been found manually through code review and binary modification. Nowadays, 15 years later, common programming mistakes are still being made in the many ELF parsers that are released very often these days, either as debuggers, reverse engineering tools, AV analysers, plugins or as malware (yes, malware has parsers too). Here’s where ELF file format fuzzing comes into the game to help you to identify these bugs in an automated fashion.
    In this presentation, Alejandro will show you the security risks involved in the ELF parsing process as well as the materialisation of such risks by showing different bugs found during this research. After that, he’ll explain how intelligent file format fuzzing can help greatly in the flaw discovery process. Having given a good background on the ELF file format and how smart fuzzing could help, he’ll continue with a detailed explanation of how he mixed and implemented both concepts in Melkor – an ELF file format fuzzer.
    Melkor, written in C, is an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed using three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other misc ideas and considerations. In order to have higher code/branch coverage in the programs to be tested, certain metadata dependencies must be in place; Alejandro will show you how Melkor implements these rules when creating malformed ELF files.
    At the end of the presentation, the code of Melkor will be released and Alejandro will show you how to use it with some live demos where some real-world applications will be tested against fuzzed ELF files.

Overview of Briefings at DEF CON

  • Hacking US (and UK, Australia, France, etc.) Traffic Control Systems
    By Cesar Cerrudo, chief technology officer for IOActive Labs
    August 8, 2014 at 13:00
    Cesar recently conducted research involving devices used by traffic control systems in important cities around the world, including the US, UK, France, Australia, and China. The end result: he was able to hack into and exploit these devices.
    In this presentation, Cesar will tell the whole story: how the devices were acquired, the research and onsite tests he conducted, the vulnerabilities he discovered, and how they can be exploited. Cesar will conclude his presentation with demonstrations of cyberwar-style attacks against the vulnerable devices.
  • A Survey of Remote Automotive Attack Surfaces
    By Chris Valasek, director of vehicle security research for IOActive and Charlie Miller, security engineer for Twitter
    August 9, 2014 at 15:00
    Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Unfortunately, research has only been presented on three or four particular vehicles. Each manufacturer designs their fleets differently; therefore analysis of remote threats must avoid generalities.
    This talk takes a step back and examines the automotive network of a large number of different manufacturers. From this larger dataset, we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last five years? What does the future of automotive security hold? How can we protect our vehicles from attack moving forward?
  • Weird-machine Motivated Practical Page Table Shellcode, and Finding Out What’s Running on Your System
    By Shane Macaulay, director of cloud services for IOActive
    August 10, 2014 at 13:00
    Shane will provide an overview of a brand new detection technique (and tool) for AMD64 systems that will detect any hidden process. A large class of rootkit-type malware can now conclusively be detected. Also, the current Windows-based detection (of these process-hiding or DKOM-type rootkits) is applicable cross-platform and will be ported to Linux, FreeBSD and others. The rootkit is dead!
    Windows 7, Server 2008 R2, and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more. For example, using PTE shellcode from ring3 to induce code into ring0 and hiding rootkits with encoded and decoded page table entries.
    This session will also show you how to walk a page table, why Windows 8 makes life easier, what to look for and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer.
    Shane will conclude the presentation by providing insight on using VMs to fully describe/understand any possible code running on a Windows system.

IOAsis Vegas
IOActive will host its annual IOAsis Vegas tradeshow sanctuary at the Four Seasons hotel from August 6–7. The IOAsis provides a unique opportunity to have in-depth discussions with IOActive’s top researchers and view hands-on demos of upcoming IOActive Labs research. To RSVP visit: http://ioasislasvegas.eventbrite.com/?aff=PRIOASIS

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established track record in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA, and Asia Pac regions.

-###-

PRESS RELEASE | July 22, 2014

IOActive Bolsters Industrial Security Services Team with Two New Appointments

Bradford Hegrat and Jason Larsen to fuel new growth

Seattle, USA ― July 22, 2014 ― IOActive, Inc., the leading global provider of hardware, software, and wetware security services, announced today that Bradford Hegrat has joined the company as industrial services director, and that Jason Larsen has joined the company as a principal security consultant.

(more…)

PRESS RELEASE | June 13, 2014

IOActive Named a “Cool Vendor” by Leading Analyst Firm

Companies selected for the “Cool Vendor” report for being innovative, impactful and intriguing

Seattle, WA ― June 13, 2014 ― IOActive, Inc., the leading global provider of hardware, software and wetware security services, announced today that it has been included in the list of “Cool Vendors” in the Cool Vendors for Managing OT in a Digital Business, 2014 report by Gartner, Inc.

“We are delighted with our inclusion in Gartner’s Cool Vendor report, and believe it’s a validation of our strategy to encourage our staff to think big regarding their research projects. As a result, our ground-breaking research, combined with our extensive experience in delivering high-end consulting services across a broad range of industries has earned us the reputation as trusted advisors to the Global 1000,” stated Jennifer Steffens, chief executive officer for IOActive.

IOActive delivers a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. With expertise far beyond off-the-shelf tools, IOActive conducts in-depth analysis of information systems, software/hardware architecture, and source code using leading information risk management security frameworks and carefully focused threat models.

Each year, Gartner identifies new Cool Vendors in key technology areas and publishes a series of research reports highlighting the products and services that make these vendors noteworthy. For more information, view the Gartner report (a Gartner subscription is required).

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established track record in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA, and Asia Pac regions. Follow IOActive on Twitter: http://twitter.com/ioactive.

Disclaimer
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

[1] Gartner “Cool Vendors for Managing OT in a Digital Business, 2014” by Kristian Steenstrup, Earl Perkins, Alfonso Velosa, April 22, 2014

###


PRESS RELEASE | February 18, 2014

IOActive Lights Up Vulnerabilities for Over Half a Million Belkin WeMo Users

Popular home automation devices are wide open to attackers

Seattle, US ― February 18, 2014 ― IOActive, Inc., the leading global provider of specialist information security services, announced today that it has uncovered multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users. Belkin’s WeMo uses Wi-Fi and the mobile Internet to control home electronics anywhere in the world directly from the user’s smartphone.

Mike Davis, IOActive’s principal research scientist, uncovered multiple vulnerabilities in the WeMo product set that give attackers the ability to:

  • Remotely control WeMo Home Automation attached devices over the Internet
  • Perform malicious firmware updates
  • Remotely monitor the devices (in some cases)
  • Access an internal home network

Davis said, “As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk.  Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home.”

The Impact
The vulnerabilities found within the Belkin WeMo devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity. The reason for this is that, after attackers compromise the WeMo devices, they can be used to remotely turn attached devices on and off at any time. Given the number of WeMo devices in use, it is highly likely that many of the attached appliances and devices will be unattended, thus increasing the threat posed by these vulnerabilities.

Additionally, once an attacker has established a connection to a WeMo device within a victim’s network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage.

The Vulnerabilities
The Belkin WeMo firmware images that are used to update the devices are signed with public key encryption to protect against unauthorised modifications. However, the signing key and password are leaked on the firmware that is already installed on the devices. This allows attackers to use the same signing key and password to sign their own malicious firmware and bypass security checks during the firmware update process.

Additionally, Belkin WeMo devices do not validate Secure Sockets Layer (SSL) certificates, preventing them from validating communications with Belkin’s cloud service, including the firmware update RSS feed. This allows attackers to use any SSL certificate to impersonate Belkin’s cloud services and push malicious firmware updates and capture credentials at the same time. Due to the cloud integration, the firmware update is pushed to the victim’s home regardless of which paired device receives the update notification or its physical location.

The Internet communication infrastructure used to communicate with Belkin WeMo devices is based on an abused protocol that was designed for use by Voice over Internet Protocol (VoIP) services to bypass firewall or NAT restrictions. It does this in a way that compromises the security of all WeMo devices by creating a virtual WeMo darknet where all WeMo devices can be connected to directly and, with some limited guessing of a ‘secret number’, controlled even without the firmware update attack.

The Belkin WeMo server application programming interface (API) was also found to be vulnerable to an XML inclusion vulnerability, which would allow attackers to compromise all WeMo devices.

Advisory
IOActive feels very strongly about responsible disclosure and as such worked closely with CERT on the vulnerabilities that were discovered. CERT, which will be publishing its own advisory today, made several attempts to contact Belkin about the issues; however, Belkin was unresponsive.

Due to Belkin not producing any fixes for the issues discussed, IOActive felt it important to release an advisory and recommends unplugging all devices from the affected WeMo products.

IOActive Labs released its own advisory outlining the affected products, the impact, and the solution.

At IOAsis, which is being held alongside the RSA Conference next week, IOActive experts will be on hand to discuss best practices on how users and manufacturers can better protect themselves against these types of vulnerabilities.

Notes
1. Belkin WeMo app download data collected from XYO  (iOS) and http://xyo.net/android-app/wemo-JJUZgf8/ (Android)
2. Home Fires http://www.ready.gov/home-fires and https://www.gov.uk/firekills

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

-###-

PRESS RELEASE | February 5, 2014

IOActive’s Wim Remes Selected as Chairman of Board of Directors for (ISC)2

London, UK ― February 5, 2014 ― IOActive, Inc., the leading global provider of specialist information security services, announced today that Wim Remes, managing consultant for IOActive, has been elected as Chairman of the (ISC)² Board of Directors. (ISC)² is the largest not-for-profit membership body for certified information and software security professionals in the world.

“Having Wim elected as Chairman for (ISC)² is a tremendous honour,” said Jennifer Steffens, chief executive officer for IOActive. “Wim will be a great leader for the organisation and will continue to help elevate its profile to a wider audience. We fully support his new role as Chair and encourage those who aspire to work in the security industry to engage more with the team at (ISC)².”

As chairman, Wim is tasked with furthering the member-focussed strategy adopted in 2012. Together with the board, Wim will enable (ISC)² members to share knowledge and experience through (ISC)² platforms and regional events.

“It is an honour to be elected to this position and I look forward to working with the (ISC)² management and the board to serve the organisation’s membership, continuing the work of the previous Chairman Freddy Tan,” said Wim Remes. “Apart from the well-known certifications, I’m particularly passionate about supporting and developing the (ISC)² Foundation, which is responsible for the ‘Safe and Secure Online’ programme, a programme that informs young students about safe online behaviour, and awards scholarships to promising cybersecurity students. Being at the forefront of developing the next generation of information security professionals is as humbling as it is rewarding.”

About Wim Remes
As a managing consultant at IOActive, Wim Remes leverages his 15 years of security leadership experience to advise clients on reducing their risk posture by solving complex security problems and building resiliency into their organisations. Wim delivers expert guidance on reducing the high cost of IT security failures, both financially and in terms of brand reputation. Wim has deep expertise in network security, identity management, policy design, risk assessment, and penetration testing. Before joining the IOActive team, Wim was a Manager of Information Security for Ernst and Young and a Security Consultant for Bull, where he gained valuable experience building security programs for enterprise-class clients.

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, Washington, with operations in North and South America, and Europe. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

###


PRESS RELEASE | January 9, 2014

IOActive Uncovers Multiple Vulnerabilities in SCALANCE X-200 Switch Family

Siemens’ rapid, proactive response ensures timely delivery of firmware patch

Seattle, US ― January 9, 2014 ― IOActive, Inc., the leading global provider of specialist information security services, announced today that it has uncovered multiple vulnerabilities in Siemens’ SCALANCE X-200 Switch Family. These Ethernet switches are used to connect to Industrial Control Systems (ICS) components like Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). The switches enable remote diagnostics and simplified configuration through a common web browser.

Senior security consultant for IOActive, Eireann Leverett, discovered two vulnerabilities in the switches. Both vulnerabilities were discovered in the web server authentication of the product. The first vulnerability could allow an attacker to perform administrative operations over the network without authentication, gaining access to critical services. The second vulnerability could allow an attacker to hijack web sessions over the network without authentication.

“Siemens ProductCERT were professional, courteous, and did not adopt an adversarial attitude when I contacted them about the vulnerabilities. Consequently, we were able to clarify the vulnerabilities quickly, and they produced a patch within three months,” said Leverett. “I challenge other ICS vendors to match this timeline for security patching in the future.”

Speedy Response
As soon as IOActive notified the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the vulnerabilities, Siemens ProductCERT wasted little time resolving the issue.

Leverett added, “The speed at which Siemens ProductCERT responded to the notification of these two vulnerabilities is something to be applauded. IOActive has always pushed vendors to respond when they receive notifications on vulnerabilities in their products. Siemens is the perfect example of how companies should respond when addressing these issues.”

Siemens ProductCERT is a team dedicated to accepting and handling security issues and vulnerabilities within Siemens products. It co-ordinates with external and internal security researchers and works closely with the company’s product teams to develop fixes. ProductCERT publishes the fixes as soon as they have been tested and credits the researchers who discovered the issues. The very existence of this team illustrates Siemens’ serious commitment to handling security issues smoothly and quickly.

Siemens has addressed both issues by providing a firmware update for the affected products.

In Action
Eireann Leverett will be demonstrating the vulnerabilities and releasing code for asset owners to check their devices at next week’s S4 conference in Miami. For more information on the event and Eireann’s presentation, please visit: http://www.digitalbond.com/s4/.


-###-

PRESS RELEASE | October 23, 2013

IOActive Uncovers Vulnerability in Wireless Industrial Automation Software from ProSoft Technology

Seattle, US ― October 23, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, today announced that it has discovered a vulnerability in ProSoft Technology’s RadioLinx ControlScape application. The software is primarily used with Rockwell Automation and Schneider Electric solutions, and is deployed worldwide across several industries including oil and gas, water and wastewater, and electric utilities.

World authorities on Industrial Control Systems (ICS), Lucas Apa and Carlos Penagos, discovered the vulnerability in the industrial automation software. The software is used to configure and install radios in a Frequency Hopping (FH) network, as well as monitor the performance of the devices.

The software from ProSoft Technology generates a random passphrase and sets encryption levels to 128-bit Advanced Encryption Standard (AES) when it creates a new radio network. As the software uses the local time as the seed to generate passphrases, an attacker could predict the default values built into the software. This makes the system vulnerable to expedited brute-force passphrase/password attacks and other cryptographic-based attacks.
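An added illustration of the weakness described above, not ProSoft's code or IOActive's: a constructed generator seeded with the clock, beside one that draws from the operating system's CSPRNG, with the entropy each actually provides. The alphabet, the 16-character length and the sample timestamp are assumptions made for this example.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed character set
LENGTH = 16                                      # assumed passphrase length
CREATED_AT = 1378339200                          # constructed sample Unix time


def weak_passphrase(seed_time: int) -> str:
    """Vulnerable pattern: general-purpose PRNG seeded with the local time.

    Every character is a pure function of seed_time, so the passphrase
    carries no more secrecy than the moment the network was created.
    """
    rng = random.Random(seed_time)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def hardened_passphrase() -> str:
    """Corrected pattern: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def nominal_bits() -> float:
    """Entropy the passphrase appears to have from its length and alphabet."""
    return LENGTH * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Entropy actually present when the only unknown is the creation
    second inside a window of the given size."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    year = 365 * 24 * 3600
    print("same seed, same passphrase:",
          weak_passphrase(CREATED_AT) == weak_passphrase(CREATED_AT))
    print(f"nominal strength:   {nominal_bits():.1f} bits")
    print(f"effective strength: {effective_bits(year):.1f} bits "
          "(creation time unknown to within a year)")
    print("hardened sample:", hardened_passphrase())
```

For asset owners the practical reading is that passphrases generated by the affected software should be replaced with ones from a cryptographically secure source, in addition to applying the vendor's patch.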

“Wireless radios used in Industrial Control Systems use software, like that from ProSoft Technology, to create and manage a new network. When a new network is created the software calculates a passphrase using a pseudorandom number generator,” said Lucas Apa, security researcher for IOActive. “The problem is that it uses the local time as the seed. This makes this algorithm predictable and weak, and vulnerable to expedited brute-force passphrase and other cryptographic-based attacks.”

Carlos Penagos, security researcher for IOActive added, “By being able to guess the passphrase, an attacker could communicate with the network the device is connected to with devastating consequences. For example, if an attacker is able to communicate with devices on the wireless network of a nuclear power plant, he could manipulate the data sent from these devices to industrial processes and cause dangerous consequences by overheating liquids or over pressurizing chemicals, which in turn would result in catastrophic failure.”

On September 5, 2013, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory providing details of the vulnerability. ProSoft Technology has produced a new firmware patch to mitigate this vulnerability.

IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information.

-###-

PRESS RELEASE | September 19, 2013

IOActive Ramps Up Recruitment For Top Security Researchers and Consultants in South America

Seattle, USA ― September 19, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, today announced that the company is ramping up its recruitment in South America, and will have three of its top security researchers present their acclaimed research next week at Ekoparty – South America’s largest IT security conference.

“Following our acquisition of Argeniss Security in 2011, we have seen our presence in this rapidly developing region grow from strength to strength. We are now also seeing an increased demand amongst Global 500 companies to have a global delivery framework delivered via a local presence. This has presented us with a fantastic opportunity to recruit more talented security researchers and consultants in this exciting region,” said Jennifer Steffens, chief executive officer for IOActive. “The schooling systems in many South American countries are producing highly skilled graduates and are a rich source of new talent to IOActive, capable of delivering expertise at a global level.”

IOActive established itself in Argentina two and a half years ago following the acquisition of Argeniss Security and today has staff based throughout South America. With the growing trend amongst Global 500 organisations of negotiating contracts at a global level but requiring execution by local teams, the need has arisen for IOActive to recruit more talented staff into the region.

IOActive’s growth over the past few months can be seen in the opening of its new South African office, which gives the company the opportunity to expand its delivery capability in sub-Saharan Africa. Additionally, last week the company announced it was opening its new premises in central London, a more spacious venue for engaging with customers and members of the security community.

Ekoparty

To celebrate its time in South America, IOActive will be taking part in the largest IT security conference in the region – Ekoparty. As an event sponsor, IOActive will be using the event to showcase itself to new customers and potential recruits. The company will also have three of its renowned researchers presenting their findings.

At Ekoparty, Chris Valasek, director of security intelligence for IOActive, and famed car hacking researcher, will present his new research titled ’String Allocations in Internet Explorer’. In addition to this, world authorities on Industrial Control Systems (ICS), Lucas Apa and Carlos Penagos will present their acclaimed research titled ’Compromising Industrial Facilities From 40 Miles Away’.

Here is an overview of IOActive’s presentations at the event:

  • Chris Valasek – String Allocations in Internet Explorer
    In his presentation, Valasek will focus on how the allocation of memory, specifically user-controlled strings, has played a major role in browser exploitation, especially with regard to heap spraying. The underlying knowledge of JavaScript string allocations was widespread for Internet Explorer 6 through 7. However, while heap spray attacks adapted to changes in Internet Explorer 8 through 9, public foundational knowledge did not keep pace. The presentation will cover the brief history of string allocations from Internet Explorer 6 to Internet Explorer 8 and explore current memory management methods for Internet Explorer 9. It will conclude with a look at how newly acquired knowledge can be useful for browser exploitation.
  • Lucas Apa and Carlos Penagos – Compromising Industrial Facilities From 40 Miles Away
    Having uncovered multiple critical vulnerabilities in wireless technologies used extensively in the ICS world, the researchers will use this presentation to reveal the dangers of employing poorly implemented and vulnerable communication technologies in facilities that are inherently high-profile targets for terrorists, where the price of an attack can be catastrophic. Utilities and asset managers attending the event will be able to understand and appreciate what they can do to mitigate and protect against this new class of threat.

Ekoparty takes place in Buenos Aires, Argentina, from 25-27 September. IOActive is proud to be a Gold and VIP Dinner sponsor of the event. For more information on the event, please visit: http://www.ekoparty.org/.


-###-
