COLLATERAL, WHITEPAPER | August 8, 2023

Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers | Joseph Tartaro, Enrique Nissim, Ethan Shackelford

Joseph Tartaro, Principal Security Consultant, Enrique Nissim, Principal Security Consultant, and Ethan Shackelford, Associate Principal Security Consultant, conducted a comprehensive analysis of the security aspects of ShuffleMaster’s Deck Mate 1 (DM1) and Deck Mate 2 (DM2) automated shuffler machines. Primarily used at poker tables, these machines are widely adopted by casinos and cardrooms and are commonly used in private games. While the primary objective of these devices is to enhance game speed by assisting dealers in shuffling, they also ensure security through various deck checks, and their control over the deck renders them highly desirable targets for attackers.

In this whitepaper, the team attempted to answer the following questions:

  • Is cheating possible if one of these hardware devices is compromised?
  • How feasible is it to perform such an attack?
  • What can be done to prevent and/or mitigate the risk of cheating?
  • How can players and gaming operators protect themselves from this kind of cheating?

It is worth noting that no signs of code from the manufacturer performing any malicious or hidden functions were found in either of the audited shufflers. Different groups across the internet have speculated that shufflers contain secret logic that casinos and/or card rooms could leverage to cheat players or increase house edge. Having thoroughly reverse engineered the entire state machine of the original firmware for both shuffler models, we found no evidence whatsoever that this was the case.

WHITEPAPER | June 13, 2023

Drone Security and Fault Injection Attacks | Gabriel Gonzalez

Gabriel Gonzalez, IOActive Director of Hardware Security, presents full technical detail of his research into drone security and side-channel/fault injection attacks in this whitepaper.

The use of Unmanned Aerial Vehicles (UAVs), commonly referred to as drones, continues to grow. Drones implement varying levels of security, with more advanced modules being resistant to typical embedded device attacks. IOActive’s interest is in developing one or more viable Fault Injection attacks against hardened UAVs.

This paper covers IOActive’s work in setting up a platform for launching side-channel and fault injection attacks using a commercially available UAV. We describe how we developed a threat model, selected a preliminary target, and prepared the components for attack, as well as discussing what we hoped to achieve and the final result of the project.

WHITEPAPER | April 19, 2022

Reverse Engineering of DAL-A Certified Avionics: Collins’ Pro Line Fusion—AFD-3700

Ruben Santamarta, IOActive Security Researcher, presents a highly technical and detailed look into reverse engineering the DAL-A Certified Avionics: Collins’ Pro Line Fusion—AFD-3700.

Modern avionic systems are designed according to the Integrated Modular Avionics concept. Under this paradigm, safety-certified avionic applications and non-critical airborne software share the same computing platform but run in different partitions. In this context the underlying safety-critical certified RTOS provides the logical isolation, which should prevent unintended interactions between software with different criticalities.

This paper provides a comprehensive analysis of the architecture and vulnerabilities found in the Adaptive Flight Display component of Collins Aerospace’s Pro Line Fusion solution. This integrated avionics system, deployed in both military and commercial aircraft, is certified as DO-178B/C Design Assurance Level A.

WHITEPAPER | April 5, 2022

Cyberattacks on SATCOM: Understanding the Threat

In 2014, Ruben Santamarta, Principal Security Consultant with IOActive, published a whitepaper titled “A Wake-up Call for SATCOM Security.” It detailed the discovery of an exceptionally weak security posture across a number of SATCOM terminals from a range of manufacturers. Four years later, in 2018, Ruben published a follow-up titled “Last Call for SATCOM Security,” which detailed a thorough investigation into the security of SATCOM equipment across the Aviation, Maritime, and Military industries. In light of the cyberattacks at the start of the war in Ukraine, once again, the security posture was found to be overwhelmingly poor and in need of immediate and thorough corrective action by manufacturers.

WHITEPAPER | February 7, 2022

Facial Recognition Security Research

IOActive, Inc. (IOActive) has conducted extensive research and testing of facial recognition systems on commercial mobile devices. Our testing lab includes testing setups for 2D- and 3D-based algorithms, including technologies using stereo IR cameras.

For each of the different technologies, we first try to understand the underlying algorithms and then come up with creative and innovative setups to bypass them. Once an unlock is achieved, we calculate the Spoof Acceptance Rate (SAR), as described in the “Measuring Biometric Unlock Security” section of the Android Compatibility Definition Document. This metric allows us to compare different solutions and evaluate the strength of each solution.

This document describes IOActive’s results for commercially available mobile phones implementing face authentication mechanisms to unlock the device. All of them relied on the “selfie-camera,” a single lens producing 2D RGB images. IOActive used 2D and 3D masks when attempting to bypass the security features.

WHITEPAPER | May 17, 2021

Cross-Platform Feature Comparison

For an Intel-commissioned study, IOActive compared security-related technologies from both the 11th Gen Intel Core vPro mobile processors and the AMD Ryzen PRO 4000 series mobile processors, as well as highlights from current academic research where applicable.

Our comparison was based on a set of objectives bundled into five categories: Below the OS, Platform Update, Trusted Execution, Advanced Threat Protection, and Crypto Extension. Based on IOActive research, we conclude that AMD offers no corresponding technologies in those categories while Intel offers features; Intel and AMD have equivalent capabilities in the Trusted Execution category.

WHITEPAPER | February 10, 2020

LoRaWAN Networks Susceptible to Hacking: Common Cyber Security Problems, How to Detect and Prevent Them

LoRaWAN is fast becoming the most popular wireless, low-power WAN protocol. It is used around the world for smart cities, industrial IoT, smart homes, etc., with millions of devices already connected.

The LoRaWAN protocol is advertised as having “built-in encryption” making it “secure by default.” As a result, users are blindly trusting LoRaWAN networks and not paying attention to cyber security; however, implementation issues and weaknesses can make these networks easy to hack.

Currently, cyber security vulnerabilities in LoRaWAN networks are not well known, and there are no existing tools for testing LoRaWAN networks or for detecting cyber attacks, which makes LoRaWAN deployments an easy target for attackers.

In this paper, we describe LoRaWAN network cyber security vulnerabilities and possible cyber attacks, and provide useful techniques for detecting them with the help of our open-source tools.

WHITEPAPER | August 7, 2019

Arm IDA and Cross Check: Reversing the 787’s Core Network

In 2008, the Dreamliner was presented as the world’s first e-Enabled commercial airplane. Boeing certainly introduced an impressive new set of functionalities, enabling the vast majority of the components to be highly integrated with and connected to regular systems, such as onboard maintenance, data-load, and the Crew Information System.

IOActive has documented our detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks. 

WHITEPAPER | September 25, 2018

Commonalities in Vehicle Vulnerabilities

With the connected car becoming commonplace in the market, vehicle cybersecurity continues to grow more important every year. At the forefront of security research, IOActive has amassed real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity threats today’s vehicles face.

WHITEPAPER | August 10, 2018

Last Call for SATCOM Security

Revisiting the original research by Ruben Santamarta, ‘Wake Up Call for SATCOM Security’, this research update comprehensively details three real-world scenarios involving serious vulnerabilities that affect the aviation, maritime, and military industries. The vulnerabilities include backdoors, insecure protocols, and network misconfigurations.

This white paper elaborates on the approach and technical details of these vulnerabilities, which could allow remote attackers, originating from the Internet, to take control of:

  • Airborne SATCOM equipment on in-flight commercial aircraft
  • Earth Stations on Vessels, including Antennas
  • Earth Stations used by the US Military in conflict zones