Category: COLLATERAL

COLLATERAL, RESEARCH | September 20, 2023

Commonalities in Vehicle Vulnerabilities | 2022 Decade Examination | Samantha Beaumont

With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. At the forefront of transportation cybersecurity research, IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to IOActive’s paper on vehicle vulnerabilities originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes. The target audience of this research is individuals seeking insights into the trends of automotive cybersecurity, and how to better address any causalities noted within this paper.

Some of the major technical findings from IOActive’s analysis:

  • There was a significant drop in the proportion of critical-impact vulnerabilities from 2016 to 2018. Critical-impact vulnerabilities decreased by 15%, causing the distribution of medium- and low-impact vulnerabilities to increase.
  • The industry saw significant growth in incorporating cybersecurity into the design of automotive systems from the start; for example, ensuring that processes that handle data run with limited privileges, which helps lower the impact of the most likely attacks in the event of a compromise.
  • There was an early warning observed in 2018 that the industry appears to be focusing on severity of ease-of-exploitation over actual risk.
  • A sharp decrease in physical attacks was reported, which was mainly due to industry attention focusing on remote-based attack vectors.
  • The trends observed between 2018 and 2022 are the complete opposite to what IOActive previously observed, which indicates a bounce-back effect. High-effort vulnerabilities have decreased by 6% and medium-effort have decreased by 11%, resulting in a major increase (17%) of low-hanging fruit issues.
get the vehicle security report
COLLATERAL | August 28, 2023

IOActive Silicon Security Services

Our silicon security team helps risk managers, product owners, designers, and cybersecurity professionals understand and manage the emerging risks of silicon-level and hardware-based supply chain attacks. 

IOActive has spent over two decades at the forefront of cybersecurity research and providing critical security services fueled by the research. As the security of systems (and systems of systems) increasingly depends upon proper hardware security design and implementation, we have invested in honing silicon-level attack techniques that complement the advanced expertise we have long developed in identifying the embedded-device, side-channel, and fault-injection attacks. 

Our silicon security services adds black-box and gray-box attacks to our commercial white-box work – which includes development of threat models at the microprocessor and SOC level – supporting clients in defining security design requirements, and performing register transfer level (RTL) and GDS partial layout reviews. 

get the silicon security datasheet
COLLATERAL, WHITEPAPER | August 8, 2023

Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers | Joseph Tartaro, Enrique Nissim, Ethan Shackelford

By Joseph Tartaro Enrique Nissim & Ethan Shackelford

Joseph Tartaro, Principal Security Consultant, Enrique Nissim, Principal Security Consultant, and Ethan Shackelford, Associate Principal Security Consultant, conducted a comprehensive analysis of the security aspects of ShuffleMaster’s Deck Mate 1 (DM1) and Deck Mate 2 (DM2) automated shuffler machines. Primarily used at poker tables, these machines are widely adopted by casinos and cardrooms and are commonly used in private games. While the primary objective of these devices is to enhance game speed by assisting dealers in shuffling, they also ensure security through various deck checks, and their control over the deck renders them highly desirable targets for attackers.

In this whitepaper, the team attempted to answer the following questions:

  • Is cheating possible if one of these hardware devices is compromised?
  • How feasible is it to perform such an attack?
  • What can be done to prevent and/or mitigate the risk of cheating?
  • How can players and gaming operators protect themselves from this kind of cheating?

It is worth noting that no signs of code from the manufacturer performing any malicious or hidden functions were found in either of the audited shufflers. Different groups across the internet have speculated that shufflers contain secret logic that Casinos and/or card rooms could leverage to cheat players or increase house edge. Having thoroughly reverse engineered the entire state machine of the original firmware for both shuffler models, we found no evidence whatsoever that this was the case.

get the whitepaper
COLLATERAL | April 7, 2021

Trivial Vulnerabilities, Big Risks

By Tiago Assumpcao & Robert Connolly

IOActive case study detailing the trivial vulnerabilities with big risks for the users of the Brazilian National Justice Council Processo Judicial Eletrônico (CNJ PJe) judicial data processing system.

COLLATERAL | April 22, 2020

IOActive Corporate Overview

Research-fueled Security Assessments and Advisory Services

IOActive has been at the forefront of cybersecurity and testing services since 1998. Backed by our award-winning research, our services have been trusted globally by enterprises and product manufacturers across a wide variety of industries and in the most complex of environments.

Tailored to meet each unique organization’s requirements, IOActive services offer deep expertise and insight from an attacker’s perspective. 

COLLATERAL | April 17, 2020

IOActive Red and Purple Team Service

Building Operational Resiliency Through Real-world Threat Emulation.

Who better to evaluate security effectiveness – compliance auditors or attackers? Vulnerability assessments and penetration tests are critical components of any effective security program, but the only real way to test your operational resiliency is from an attacker’s perspective.

Our red and purple teams bring you this insight through full threat emulation, comprehensively simulating a full range of specific attacks against your organization – cyber, social, and physical.
We can provide or advise on the creation of continuous, independent, and customized real-world attacker-emulation services that work with your blue team – your own security operations personnel – to prepare them to face the adversaries your enterprise is likeliest to encounter.

 

get the red/purple team services datasheet
COLLATERAL |

IOActive Services Overview

Security services for your business, situation, and risks.

With our breadth and depth of services offerings across more environments than any other firm today, we can deliver specific, high-value recommendations based on your business, unique situation, and the risk you face. We are a pure-play security services provider, offering services across the spectrum to include: cybersecurity advisory, full-stack security assessments, SDL, red/purple team and security team development (training) services.