The Security Gap in AI-Generated Code
AI-powered code generation is now embedded in mainstream software development, with tools like GitHub Copilot generating nearly half of developers’ code. However, IOActive’s April 2026 whitepaper, *The Security Gap in AI-Generated Code*, reveals a critical and systemic security shortfall: AI models frequently generate insecure code by default. IOActive evaluated 27 leading AI models and AI-powered coding tools using 730 real-world programming prompts across 27 languages and 219 vulnerability categories. Prompts intentionally avoided mentioning security to reflect typical developer usage. Security outcomes were measured using 72 automated…
From Skynet to AI Agents: The State of Robot Security Nine Years Later
Over the past decade, I’ve conducted a series of research projects at IOActive focused on hacking robots. Robots are interesting from a security research perspective because they sit at a unique intersection: they are cyberphysical systems, embedded devices that can perform physical actions. A vulnerability in a web application leaks data. A vulnerability in a robot can harm the person standing next to it. That physical dimension is what makes this research worth pursuing. The first, “Hacking Robots Before Skynet” with Cesar Cerrudo in 2017, assessed…
EU Cyber Resilience Act (EU CRA): What to Know and How IOActive Can Help
Overview Cybersecurity regulation in the EU is shifting in a meaningful way. With the Cyber Resilience Act (CRA), the focus is moving upstream—from how organizations operate to how digital products are actually built and maintained. For manufacturers and software vendors, it changes what it means to bring a product to market in the EU. The CRA aims to give consumers a consistent baseline of security across all products with digital elements, regardless of industry. These products now sit at the heart of critical infrastructure, industrial systems, and everyday life….
Virtual Assistant: Defeating Liveness Detection with the Help of Virtual Devices
Introduction The rise of fraud and identity theft poses a growing concern for both individuals and organizations. As AI and deepfake technologies advance at an unprecedented pace, the need for a robust form of identity verification has become increasingly important. Traditional identity verification technology has become vulnerable to sophisticated attacks, such as spoofing, where fraudsters mimic someone’s identity. To combat the growing threat, identity providers integrated liveness detection to ensure the person undergoing verification is real, live, and physically present. However, as liveness detection evolves, fraudsters have adapted to bypass…
The Evolution of AI-Powered Security Consultants
In my fourteen years of security assessments with IOActive, our shared mission has always been defined by a single commitment: stay ahead. Stay ahead of the threats clients face today, and stay ahead of the techniques that will define how we find those threats tomorrow. That responsibility has driven every meaningful evolution in how our consultants work. When fuzzing was still a research curiosity, the consultants who built their own frameworks and integrated it into live engagements found entire vulnerability classes that manual reviews missed. When static analysis tools were…
Reversing the RADIO – AES CCM Link in the nRF family
For the past few weeks, I’ve been working on a research project that includes radio frequency (RF) nodes with a proprietary protocol running on top of Nordic Semiconductor (Nordic)[1] chips, specifically nrf52840. While it’s been quite challenging (no strings at all and of course no symbols), it’s been interesting and satisfying at the same time. As part of this work, I uncovered the code that handles encryption and decryption of RF packets. I wanted to share my findings in the hope that it will…
Authentication Downgrade Attacks: Deep Dive into MFA Bypass
Introduction Phishing-resistant multi-factor authentication (MFA), particularly FIDO2/WebAuthn, has become the industry standard for protecting high-value credentials. Technologies such as YubiKeys and Windows Hello for Business rely on strong cryptographic binding to specific domains, neutralizing traditional credential harvesting and AitM (Adversary-in-the-Middle) attacks. However, the effectiveness of these controls depends heavily on implementation and configuration. Research conducted by Carlos Gomez at IOActive has identified a critical attack vector that bypasses these protections not by breaking the cryptography, but by manipulating the authentication flow itself. This research introduces two…
IOActive Security Advisory | CIRCUTOR – SGE-PLC1000/SGE-PLC50 v 0.9.2 / ServicePack 140411
Affected Product CIRCUTOR – SGE-PLC1000/SGE-PLC50 v 0.9.2 / ServicePack 140411 TitleCIRCUTOR SGE PLC1000/PLC50Severity1 Critical, 10 High, 3 mediumDiscovered byGabriel Gonzalez / Sergio RuizAdvisory DateJanuary 26, 2026 Timeline 2025-03-14: Vulnerabilities identified, disclosure process begins. 2025-09-30: INCIBE gets ahold of the client to fix vulnerabilities 2025-10-28: INCIBE coordinates disclosure: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 Download Full Advisory
Husn Canaries: Defense-In-Depth for AI Coding Assistant Governance
Please visit our companion website https://www.husncanary.com for an interactive, visual experience. This research white paper from Ehab Hussein, IOActive Principal Artificial Intelligence Engineer and Mohamed Samy, IOActive Senior AI Security Consultant, presents the Husn Canaries defense-in-depth framework, a new standard for protecting organizational assets. AI-powered coding assistants such as OpenAI Codex, Claude Code, GitHub Copilot, and similar tools are increasingly embedded in everyday software development workflows. While these systems can improve productivity, they also introduce a new class of governance and security…
Code Review & Dynamic Fuzzing of Microsoft’s Signing Transparency
Security Assessment of Microsoft’s Signing Transparency (ST) IOActive performed a thorough security assessment of Microsoft’s Signing Transparency (ST) service, focusing on code review, dynamic analysis, and fuzz testing which is designed for use on Azure and is built on the Confidential Consortium Framework (CCF). Conducted from April to June 2025, the evaluation confirmed strong implementation security, secure integration, and compliance with ST’s objectives. Three informational findings suggested defence-in-depth improvements, and one medium-risk issue was resolved during the assessment. ST met its security commitments, though some assurances depend…