RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | May 28, 2024

5 Signs You’re Ready for a Red Team

We often talk about security as a continuum; a journey toward greater maturity and increased capability. Along that path, the practice of red team testing serves as an important milestone, not just for the benefits it offers, but also for what participating in red teaming says about the state of security — overall posture, culture, commitment to continuous improvement — in any organization. Red team tests remain one of the most effective ways to probe defenses and identify vulnerabilities. And unlike traditional penetration tests, red team…

IOActive Red Team
Blogs | EDITORIAL, INSIGHTS | May 22, 2024

Transportation Electrification Cybersecurity Threatscape

World-Wide Electric Vehicle (EV) Charging Infrastructure Trends The global push to meet rising EV adoption with sufficient EV smart charger infrastructure is astoundingly challenging. Bloomberg estimates the global charging infrastructure market opportunity to be $1.9T between 2022 and 2050. That opportunity will be seized upon by a host of organizations large and small, public and private. From EV fleet depots to fast charging stations along highwaysparking garagessmart chargers for employees, and home chargers,…

Kevin Harnett
Blogs | INSIGHTS, RESEARCH | May 16, 2024

Field-Programmable Chips (FPGAs) in Critical Applications – What are the Risks?

What is an FPGA? Field-Programmable Gate Arrays (FPGAs) are a type of Integrated Circuit (IC) that can be programmed or reprogrammed after manufacturing. They consist of an array of logic blocks and interconnects that can be configured to perform various digital functions. FPGAs are commonly used in applications where flexibility, speed, and parallel processing capabilities are required, such as telecommunications, automotive, aerospace, and industrial sectors. FPGAs are often found in products that are low volume or demand short turnaround time because they can be purchased off the shelf and programmed…

Blogs | INSIGHTS, RESEARCH | May 15, 2024

Evolving Cyber Threatscape: What’s Ahead and How to Defend

The digital world is a dangerous place. And by all accounts, it’s not getting a whole lot better. Damages from cybercrime will top a staggering $8 trillion this year, up from an already troubling $1 trillion just five years ago and rocketing toward $14 trillion by 2028. Supply chains are becoming juicier targets, vulnerabilities are proliferating, and criminals with nation-state support are growing more active and more sophisticated. Ransomware, cryptojacking, cloud compromises, and AI-powered shenanigans are all on a hockey-stick growth trajectory. Looking ahead, there are few sure…

IOActive
Blogs | INSIGHTS | May 9, 2024

Always Updated Awards 2024 Blog

We are excited to announce that IOActive received multiple prestigious awards wins this year! Keep this blog bookmarked to always stay up-to-date on the company’s accomplishments throughout 2024. Last updated May 9, 2024 IOActive was honored for its ability to maximize security investments and enhance clients’ overall security posture and business resilience. Unlike many organizations that default to defensive strategies, we at IOActive go beyond standard penetration testing to provide clients with red and purple team services that exceed typical assessments. We prioritize a comprehensive understanding of cyber adversaries through…

Blogs | INSIGHTS, RESEARCH | May 2, 2024

Untested Is Untrusted: Penetration Tests and Red Teaming Key to Mature Security Strategy

Organizations need to know how well their defenses can withstand a targeted attack. Red team exercises and penetration tests fit the bill, but which is right for your organization? Information security at even well-defended enterprises is often a complex mesh of controls, policies, people, and point solutions dispersed across critical systems both inside and outside the corporate perimeter. Managing that murky situation can be challenging for security teams, many of whom are understaffed and forced to simply check as many of the boxes as they can on the organization’s framework…

IOActive
Blogs | EDITORIAL, RESEARCH | April 25, 2024

Bits to Binary to Bootloader to Glitch: Exploiting ROM for Non-invasive Attacks

In this paper, we explore how ROM can be leveraged to perform a non-invasive attack (i.e., voltage glitching) by a relatively unsophisticated actor without a six-figure budget. We begin by explaining what ROM is, why it is used, and how it can be extracted. What exactly is ROM? Put simply, Read-Only Memory (ROM) is a type of Non-Volatile Memory (NVM) that is constructed as physical structures within chips. The structures are patterned as ones and zeroes on one, and only one, of several layers of the chip. Why just…

Tony Moor
Blogs | INSIGHTS | April 19, 2024

Lessons Learned and S.A.F.E. Facts Shared During Lisbon’s OCP Regional Summit

I don’t recall precisely what year the change happened, but at some point, the public cloud became critical infrastructure with corresponding high national security stakes. That reality brought rapid maturity and accompanying regulatory controls for securing and protecting the infrastructure and services of cloud service providers (CSPs). Next week at the 2024 OCP Regional Summit in Lisbon, teams will be sharing new security success stories and diving deeper into the technical elements and latest learnings in securing current generation cloud infrastructure devices. IOActive will be present throughout the event,…

Gunter Ollmann
Blogs | INSIGHTS, RESEARCH | April 17, 2024

Accessory Authentication – part 3/3

This is Part 3 of a 3-Part series. You can find Part 1 here and Part 2 here. Introduction In this post, we continue our deep dive comparison of the security processors used on a consumer product and an unlicensed clone. Our focus here will be identifying and characterizing memory arrays. Given a suitably deprocessed sample, memories can often be recognized as such under low magnification because of their smooth, regular appearance with distinct row/address decode logic on the perimeter, as compared to analog circuitry (which contains many…

Andrew Zonenberg
Blogs | INSIGHTS, RESEARCH | April 17, 2024

Accessory Authentication – part 2/3

This is Part 2 of a 3-Part series. You can find Part 1 here. Introduction In this post, we continue our deep dive comparison of the security processors used on a consumer product and an unlicensed clone. Our focus here will be comparing manufacturing process technology. We already know the sizes of both dies, so given the gate density (which can be roughly estimated from the technology node or measured directly by locating and measuring a 2-input NAND gate) it’s possible to get a rough estimate for gate count….

Andrew Zonenberg

Commonalities in Vehicle Vulnerabilities

2022 Decade Examination Update | With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to the vehicle vulnerabilities report originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes.

ACCESS THE REPORT


IOACTIVE CORPORATE OVERVIEW (PDF)IOACTIVE SERVICES OVERVIEW (PDF)


IOACTIVE ARCHIVED WEBINARS