RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | January 13, 2009

Blackhat USA 2009 Poll – Rev Eng Class

During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers.  Jeff Moss’ group setup a poll here.  Given today’s Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in.  The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the…

IOActive
Blogs | RESEARCH | January 8, 2009

Intel 4004

Before going deeper into the analysis of today’s chips, we will take a quick journey to where it all began: the Intel 4004, world’s first widely-used microprocessor. The 4004 and most other antiquated chips differ from modern chips in two main characteristics: They only use a single type of transistor (PMOS or NMOS) and each logic gate is custom-designed to best utilize the available area — an inevitable optimization for chips built from transistors about 150x larger than those used in their modern descendants. Each of the gates is composed…

IOActive
Blogs | INSIGHTS | September 13, 2008

Reverse-Engineering Custom Logic (Part 1)

Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors. To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter. To read logic, you first…

IOActive
Blogs | INSIGHTS | September 13, 2008

New Author: Herr Karsten Nohl!

We are proud to announce that those who enjoy reading the blog (which we apologize for the lack of content lately) can soon enjoy reading posts from Karsten Nohl as well. For those of you who are not familiar with Karsten, he played an important role in the discovery and analysis of the Crypto-1 mathematical algorithm found in Philips (NXP) Mifare RFID devices. He recently obtained his PhD from University of Virginia in the United States.   He’s well known within the Chaos Computer Club (CCC) in Germany as well. We too…

IOActive
Blogs | INSIGHTS | April 3, 2008

Atmel AT91SAM7S Overview

Atmel produces a number of ARM based devices in their portfolio of products. We had one laying around the lab so here we go as usual… The device was a 48 pin QFP type package. We also purchased a sample of the other members of the family although the initial analysis was done on the AT91SAM7S32 part shown above. All pictures will relate to this specific part even though there is not a signifigant difference between the other members of this line except memory sizes. After decapsulating the die from…

IOActive
Blogs | INSIGHTS | February 13, 2008

Atmel CryptoMemory AT88SC153/1608 :: Security Alert

A “backdoor” has been discovered by Flylogic Engineering in the Atmel AT88SC153 and AT88SC1608 CryptoMemory. Before we get into this more, we want to let you know immediately that this backdoor only involves the AT88SC153/1608 and no other CryptoMemory devices. The backdoor involves restoring an EEPROM fuse with Ultra-Violet light (UV).  Once the fuse bit has been returned to a ‘1’, all memory contents is permitted to be read or written in the clear (unencrypted). Normally in order to do so, you need to either authenticate to the device or…

IOActive
Blogs | INSIGHTS | February 7, 2008

AT90S8515 – Legacy!

Some people asked for some of those older Atmel parts after seeing the MEGA88 and ATMEGA169 teardowns. Here’s a quick one on the AT90S8515. It’s still very popular even though it’s been replaced by the MEGA8515. It’s built on a larger process and it’s not planarized (.50um and below are planarized but you may find some .50um non-planarized) 8KB Flash, 512 Byte SRAM, 512 Byte EEPROM with 32 working registers. That’s sooo nice! 4x faster than the typical PIC. There was a mistake in the above picture too when we…

Blogs | INSIGHTS | January 24, 2008

ATMEGA88 Teardown

An 8k FLASH, 512 bytes EEPROM, 512 bytes SRAM CPU operating 1:1 with the external world unlike those Microchip PIC’s we love to write up about :). It’s a 350 nanometer (nm), 3 metal layer device fabricated in a CMOS process.  It’s beautiful to say the least;  We’ve torn it down and thought we’d blog about it! The process Atmel uses on their .35 micrometer (um) technology is awesome. Using a little HydroFluoric Acid (HF) and we partially removed the top metal layer (M3).  Everything is now clearly visible for our…

IOActive
Blogs | INSIGHTS | January 22, 2008

Security Mechanism of PIC16C558,620,621,622

Last month we talked about the structure of an AND-gate layed out in Silicon CMOS.  Now, we present to you how this AND gate has been used in Microchip PICs such as PIC16C558, PIC16C620, PIC16C621, PIC16C622, and a variety of others. If you wish to determine if this article relates to a particular PIC you may be in possession of, you can take an windowed OTP part (/JW) and set the lock-bits.  If after 10 minutes in UV, it still says it’s locked, this article applies to your…

IOActive
Blogs | INSIGHTS | December 29, 2007

AND Gates in logic

As we prepare for the New Year, we wanted to leave you with a piece of logic taken out of an older PIC16C series microcontroller. We want you to guess which micro(s) this gate (well the pair of them) would be found in. After the New Year, we’ll right up on the actual micro(s) and give the answer :). An AND gate in logic is basically a high (logic ‘1’) on all inputs to the gate. For our example, we’re discussing the 2 input AND. It should be noted that…

IOActive

Commonalities in Vehicle Vulnerabilities

2022 Decade Examination Update | With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to the vehicle vulnerabilities report originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes.

ACCESS THE REPORT


IOACTIVE CORPORATE OVERVIEW (PDF)IOACTIVE SERVICES OVERVIEW (PDF)


IOACTIVE ARCHIVED WEBINARS