RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | RESEARCH | February 20, 2019

Bypassing Chrome’s CSP with Link Preloading

In this post I’m going talk about a bug I found a while back in Google’s Chrome browser that allows attackers to bypass the Content Security Policy (CSP). Besides breaking the CSP, the bug also allows attackers a means to ex-filtrate information from inside an SSL/TLS connection. The bug was reported a couple of years back and we got word that the fix is in, so I decided to dust off this blog post and update it so you folks can learn about it. The CSP is a configuration setting…

Keith Makan
Disclosures | INSIGHTS | February 1, 2019

Synaptics TouchPad SynTP Driver Leaks Multiple Kernel Addresses

Synaptics TouchPad Windows driver leaks multiple kernel addresses and pointers to unprivileged user mode programs. This could be used by an attacker to bypass Windows Kernel Address Space Layout Randomization (KASLR). (CVE-2018-15532)

Launch PDF
Enrique Nissim
Library | INSIGHTS | October 17, 2018

Smart Cities: Cybersecurity Worries

Infodocument providing a visual exploration into the growing security concerns of smart city technologies. Featuring detail to the myriad technologies, problems, threats, possible targets, as well as current examples of cities having experienced attacks.

access the infodoc
Cesar Cerrudo
Library | WHITEPAPER | September 25, 2018

Commonalities in Vehicle Vulnerabilities

With the connected car becoming commonplace in the market, vehicle cybersecurity continues to grow more important every year. At the forefront of security research, IOActive has amassed real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity threats today’s vehicles face.

Access the PDF
Josh Hammond
Library | PRESENTATION | September 12, 2018

Reverse Engineering & Bug Hunting on KMDF Drivers

Enrique Nissim’s presentation from 44CON. September 12, 2018. The focus will be on finding bugs and not on exploitation. This will highlight interesting functions and how to find them. See MSDN and references for full details on KMDF.

view presentation
Enrique Nissim
Blogs | EDITORIAL | August 15, 2018

Secure Design? Help!

“So, Brook, in your last post you pointed to the necessity, underlined a requirement for “secure design”. But what does that mean, and how do I proceed?” It’s a fair question that I get asked regularly: How does one get security architecture started? Where can I learn more, and grow towards mastery? It used to be that the usual teaching method was to “shadow” (follow) a seasoned or master practitioner as she or he went about their daily duties. That’s how I learned (way back in the “Dark…

Brook S.E. Schoenfield
Library | WHITEPAPER | August 10, 2018

Last Call for SATCOM Security

This research comprehensively details three real-world scenarios involving serious vulnerabilities that affect the aviation, maritime, and military industries. The vulnerabilities include backdoors, insecure protocols, and network misconfigurations.

Access the PDF
Ruben Santamarta
Blogs | RESEARCH |

Breaking Extreme Networks WingOS: How to Own Millions of Devices Running on Aircrafts, Government, Smart Cities and More

On Sunday, August 12th at 11am PT, I will give a talk at DEF CON 26 explaining how several critical vulnerabilities were found in the embedded operating system WingOS. The talk is entitled, BreakingExtreme Networks WingOS: How to Own Millions of Devices Running on Aircrafts,Government, Smart Cities and More.” The Wing operating system was originally created by Motorola and nowadays Extreme Networks maintains it. WingOS is running in Motorola, Zebra and Extreme Networks access points and controllers. It is mainly used for WLAN networks. This research…

Josep Pi Rodriguez
Library | WHITEPAPER | August 7, 2018

Are You Trading Stocks Securely?

Exposing Security Flaws in Trading Technologies. The days of open outcry on trading floors of the NYSE, NASDAQ, and other stock exchanges around the globe are gone. With the advent of electronic trading platforms and networks, the exchange of financial securities now is easier and faster than ever; but this comes with inherent risks.

Access the PDF
Alejandro Hernandez

Commonalities In Vehicle Vulnerabilities

With the connected car becoming commonplace in the market, vehicle cybersecurity continues to grow more important every year. At the forefront of security research, IOActive has amassed real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity threats today’s vehicles face.

Access the White Paper