The Security Gap in AI-Generated Code
AI-powered code generation is now embedded in mainstream software development, with tools like GitHub Copilot generating nearly half of developers’ code. However, IOActive’s April 2026 whitepaper, *The Security Gap in AI-Generated Code*, reveals a critical and systemic security shortfall: AI models frequently generate insecure code by default. IOActive evaluated 27 leading AI models and AI-powered coding tools using 730 real-world programming prompts across 27 languages and 219 vulnerability categories. Prompts intentionally avoided mentioning security to reflect typical developer usage. Security outcomes were measured using 72 automated…
From Skynet to AI Agents: The State of Robot Security Nine Years Later
Over the past decade, I’ve conducted a series of research projects at IOActive focused on hacking robots. Robots are interesting from a security research perspective because they sit at a unique intersection: they are cyberphysical systems, embedded devices that can perform physical actions. A vulnerability in a web application leaks data. A vulnerability in a robot can harm the person standing next to it. That physical dimension is what makes this research worth pursuing. The first, “Hacking Robots Before Skynet” with Cesar Cerrudo in 2017, assessed…
EU Cyber Resilience Act (EU CRA): What to Know and How IOActive Can Help
Overview: Cybersecurity regulation in the EU is shifting in a meaningful way. With the Cyber Resilience Act (CRA), the focus is moving upstream—from how organizations operate to how digital products are actually built and maintained. For manufacturers and software vendors, it changes what it means to bring a product to market in the EU. The CRA aims to give consumers a consistent baseline of security across all products with digital elements, regardless of industry. These products now sit at the heart of critical infrastructure, industrial systems, and everyday life….
Virtual Assistant: Defeating Liveness Detection with the Help of Virtual Devices
Introduction: The rise of fraud and identity theft poses a growing concern for both individuals and organizations. As AI and deepfake technologies advance at an unprecedented pace, the need for a robust form of identity verification has become increasingly important. Traditional identity verification technology has become vulnerable to sophisticated attacks, such as spoofing, where fraudsters mimic someone’s identity. To combat the growing threat, identity providers integrated liveness detection to ensure the person undergoing verification is real, live, and physically present. However, as liveness detection evolves, fraudsters have adapted to bypass…
The Evolution of AI-Powered Security Consultants
In my fourteen years of security assessments with IOActive, our shared mission has always been defined by a single commitment: stay ahead. Stay ahead of the threats clients face today, and stay ahead of the techniques that will define how we find those threats tomorrow. That responsibility has driven every meaningful evolution in how our consultants work. When fuzzing was still a research curiosity, the consultants who built their own frameworks and integrated it into live engagements found entire vulnerability classes that manual reviews missed. When static analysis tools were…
Reversing the RADIO – AES CCM Link in the nRF family
For the past few weeks, I’ve been working on a research project that includes radio frequency (RF) nodes with a proprietary protocol running on top of Nordic Semiconductor (Nordic)[1] chips, specifically the nRF52840. While it’s been quite challenging (no strings at all and of course no symbols), it’s been interesting and satisfying at the same time. As part of this work, I uncovered the code that handles encryption and decryption of RF packets. I wanted to share my findings in the hope that it will…
Authentication Downgrade Attacks: Deep Dive into MFA Bypass
Introduction: Phishing-resistant multi-factor authentication (MFA), particularly FIDO2/WebAuthn, has become the industry standard for protecting high-value credentials. Technologies such as YubiKeys and Windows Hello for Business rely on strong cryptographic binding to specific domains, neutralizing traditional credential harvesting and AitM (Adversary-in-the-Middle) attacks. However, the effectiveness of these controls depends heavily on implementation and configuration. Research conducted by Carlos Gomez at IOActive has identified a critical attack vector that bypasses these protections not by breaking the cryptography, but by manipulating the authentication flow itself. This research introduces two…
Code Review & Dynamic Fuzzing of Microsoft’s Signing Transparency
Security Assessment of Microsoft’s Signing Transparency (ST): IOActive performed a thorough security assessment of Microsoft’s Signing Transparency (ST) service, which is designed for use on Azure and is built on the Confidential Consortium Framework (CCF), focusing on code review, dynamic analysis, and fuzz testing. Conducted from April to June 2025, the evaluation confirmed strong implementation security, secure integration, and compliance with ST’s objectives. Three informational findings suggested defence-in-depth improvements, and one medium-risk issue was resolved during the assessment. ST met its security commitments, though some assurances depend…
Semiconductor Industry Jargon
The semiconductor industry uses a large and complex set of jargon. This set of terms represents the significant intersection of scientific and engineering disciplines in this complex, high-technology industry, including chemistry, physics, material science, electrical engineering, industrial engineering, computer science, and others. However, this jargon can make the industry impenetrable to individuals who must manage the business impacts, cybersecurity consequences, and comprehensive risk to which the industry’s products expose organizations. In our eGuide on silicon security, we ended with a glossary to aid those readers who may have limited exposure…
Deepfake Defense: From No-Cost Basics to Enterprise-Grade Controls
At CanSecWest 2025 I walked through a red team where we used AI voice cloning to test an organization’s people and processes. The short version is this: a familiar voice is not identity. Treat voice as untrusted input and move verification into systems you control. The financial exposure is no longer hypothetical. Deloitte estimates fraud losses in the United States could reach 40 billion dollars by 2027 as generative AI accelerates vishing and synthetic media. Recent incidents back this up, including the…
