RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | RESEARCH | November 2, 2022

Exploring the security configuration of AMD platforms

TLDR: We present a new tool for evaluating the security of AMD-based platforms and rediscover a long-forgotten vulnerability class that allowed us to fully compromise SMM in the Acer Swift 3 laptop (see Acer’s advisory). Introduction In the last decade, a lot of interesting research has been published around UEFI and System Management Mode (SMM) security. To provide a bit of background, SMM is the most privileged CPU mode on x86-based systems; it is sometimes referred to as ring -2 as it is more privileged than the…

IOActive Research
Library | WHITEPAPER | October 26, 2022

Remote Writing Trailer Air Brakes with RF | Guest Author, Ben Gardiner, NMFTA

Ben Gardiner, NMFTA, provides an in-depth freight security assessment of trailer databus vulnerabilities on freight trailers. Testing several tractor-trailers for the security properties of the trailer databus, J2497 aka PLC4TRUCKS. We were very interested in what diagnostic features were implemented in the trailer controllers using J1708/J1587 mechanisms and eventually found during the ‘Powermaster’ project that all trailer controllers and even some tractor controller did respond to the J1708 ‘data link escape’ means of executing proprietary diagnostics. Continuing from the ‘Powermaster’ project, which kicked off this remote reading research – what…

Blogs | GUEST BLOG |

Remote Writing Trailer Air Brakes with RF | Ben Gardiner, NMFTA

Over the course of a few years and a pandemic, we (AIS and NMFTA) tested several tractor-trailers for the security properties of the trailer databus, J2497 aka PLC4TRUCKS. What we discovered was that 1) this traffic could be read remotely with SDRs and active antennas but, more importantly, 2) that valid J2497 traffic could be induced on the trailer databus using SDRs, power amplifiers and simple antennas. In this blog post we will introduce you to some concepts and the discoveries overall – for the full technical details please get…

Blogs | RESEARCH | September 29, 2022

NFC Relay Attack on Tesla Model Y

Josep Pi Rodriguez, Principal Security Consultant, walks you through the proof-of-concept and technical details of exploitation for the NFC relay attack research on the newest Tesla vehicle, the Model Y. To successfully carry out the attack, IOActive reverse-engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and we then created custom firmware modifications that allowed a Proxmark RDV4.0 device to relay NFC communications over Bluetooth/Wi-Fi using the Proxmark’s BlueShark module. It is known in the vehicle security industry that NFC relay attacks (as well as Radio…

Josep Pi Rodriguez
Library | WHITEPAPER | September 9, 2022

NFC Relay Attack on Tesla Model Y

Josep Pi Rodriguez, Principal Security Consultant, walks you through the proof-of-concept and technical details of exploitation for IOActive’s recent NFC relay attack research on the newest Tesla vehicle, the Model Y. To successfully carry out the attack, IOActive reverse-engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and we then created custom firmware modifications that allowed a Proxmark RDV4.0 device to relay NFC communications over Bluetooth/Wi -Fi using the Proxmark’s BlueShark module. It’s well-known in the vehicle security industry that NFC relay attacks (as well as…

Launch PDF
Josep Pi Rodriguez
Library | PRESENTATION | August 17, 2022

Vulnerability and Patch Management: Every Day is a Zero Day

SC Media on-demand presentation | John Sheehy, SVP of Research and Strategy, participated as a panelist on the CyberRisk Alliance’s eSummit live broadcast.Patch management can be an especially precarious proposition when you’re operating in a work environment where machines and devices must constantly remain operational. Hospitals, factories and power plants are among the many examples of settings where security professionals need to “keep the lights on,” even as they strive to ensure that software and hardware are hardened against the latest vulnerabilities and exploits. The discussion focused on the…

Register to access
John Sheehy
Blogs | GUEST BLOG | June 14, 2022

The Battle of Good versus Evil: Regulations and Cybersecurity | Urban Jonson

We all recognize the importance of the DRS Organization Policy within a GCP Org, now we’d like to discuss Cross-Domain Sharing, or XDS as we are calling it. Do you know where your organization’s identities are being used externally? If not, we want to share details on the risks and how SADA can help assess your GCP org.

Blogs | EDITORIAL | May 13, 2022

Update on SATCOM Terminal Attacks During the War in Ukraine

In a prior post titled “Missed Calls for SATCOM Cybersecurity: SATCOM Terminal Cyberattacks Open the War in Ukraine,” I shared three hypotheses about the identity of the threat actor responsible for the SATCOM terminal attacks that opened the war.[1] On 31 March 2022, shortly after my post went live, other posts examining forensic evidence from the attack provided some of the additional information needed to support or reject these hypotheses. Open-Source Forensic Analysis Ruben Santamarta published a blog post titled “VIASAT Incident: From Speculation to Technical Details”…

John Sheehy
Library | WHITEPAPER | April 19, 2022

Reverse Engineering of DAL-A Certified Avionics: Collins’ Pro Line Fusion—AFD-3700

Ruben Santamarta, IOActive Security Researcher, presents a highly technical and detailed look into reverse engineering the DAL-A Certified Avionics: Collins’ Pro Line Fusion—AFD-3700. Modern avionic systems are designed according to the Integrated Modular Avionics concept. Under this paradigm, safety-certified avionic applications and non-critical airborne software share the same computing platform but are running at different partitions. In this context the underlying safety-critical certified RTOS provides the logical isolation, which should prevent unintended interactions between software with different criticalities. This paper provides a comprehensive analysis of the architecture and vulnerabilities found…

Launch PDF
Ruben Santamarta
Blogs | RESEARCH | April 5, 2022

Satellite (in)security: Vulnerability Analysis of Wideye SATCOM Terminals

Ethan Shackelford, IOActive Security Consultant, revisits the long-standing IOActive SATCOM security research with the introduction of the latest whitepaper detailing the original research into two SATCOM terminals manufactured by Addvalue Technologies, Ltd.: the Wideye iSavi and Wideye SABRE Ranger 5000. He further provides current insight to the numerous identified serious security vulnerabilities in both devices, including broken or backdoored authentication mechanisms, rudimentary data parsing errors allowing for complete device compromise over the network, completely inadequate firmware security, and sensitive information disclosure, including the leaking of terminal GPS…

Ethan Shackelford

Biometric Security: Facial Recognition Testing

IOActive has conducted extensive research and testing of facial recognition systems on commercial mobile devices. Our testing included setups for 2D- and 3D-based algorithms, including technologies using stereo IR cameras. Discovering the underlying algorithms to find setups to bypass them, then calculating the Spoof Acceptance Rate (SAR).

ACCESS THE WHITEPAPER


IOACTIVE CORPORATE OVERVIEW (PDF)IOACTIVE SERVICES OVERVIEW (PDF)


IOACTIVE ARCHIVED WEBINARS