Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Disclosures | ADVISORIES | February 17, 2016

SimpliSafe Alarm System Replay Attack

The radio interface for the SimpliSafe home burglar/fire alarm systems is not encrypted and does not use “rolling codes,” nonces, two-way handshakes, or other techniques to prevent transmissions from being recorded and reused. An attacker who is able to intercept the radio signals between the keypad and base station can record and re-play the signal in order to turn off the alarm at a time of his choice in the future.

Launch PDF
Andrew Zonenberg
Disclosures | ADVISORIES | November 19, 2015

Lenovo TVSUkernel Escalation of Privileges

The Lenovo System Update allows least-privileged users to perform system updates. To do this, System Update includes the System Update service (SUService.exe). This service runs as the privileged SYSTEM user, creates a temporary user account with Administrator privileges, and starts a GUI application (Tvsukernel.exe) with the new Administrator account. Once the application is closed, the temporary Administrator account is appropriately deleted. However the GUI application contains links to online support and privacy help topics, which, when clicked, start a web browser instance under the temporary Administrator account to display the…

Launch PDF
Sofiane Talmat
Disclosures | ADVISORIES |

Lenovo System Update Created an Insecure Random Administrator Password

This vulnerability allows a local unprivileged user to elevate privileges to Administrator or SYSTEM. Since the user is running the System Update is an unprivileged user, the SUService that is running as System will run the UACsdk.exe binary to create a temporary Administrator account to run the GUI application (Tvsukernel.exe).

Launch PDF
Sofiane Talmat
Disclosures | ADVISORIES | September 28, 2015

Harman-Kardon UConnect Vulnerability

UConnect 8.4AN/RA3/RA4 are vehicle-based infotainment systems. UConnect systems are integrated in certain makes of Chrysler, Dodge, Jeep, and Ram vehicles. The UConnect infotainment system allowed an unauthenticated connection from other access points on the Sprint Network. An attacker could issue commands to other components within the vehicle through the infotainment system.

Launch PDF
Chris Valasek & Charlie Miller
Disclosures | ADVISORIES | April 14, 2015

Lenovo System Update Multiple Privilege Escalations

CVE-2015-2219 Local, least-privileged users can run commands as the SYSTEM user. CVE-2015-2233 Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. CVE-2015-2234 Local, unprivileged users can run commands as an administrative user.

Launch PDF
Sofiane Talmat & Michael Milvich
Disclosures | ADVISORIES | December 9, 2014

X Font Service Protocol Handling Issues in libXfont Library

Ilja van Sprundel, an IOActive security researcher, discovered several issues in the way the libXfont library handles the responses it receives from XFS servers. Mr. van Sprundel has worked with X.Org’s security team to analyze, confirm, and fix these issues. Most of these issues stem from libXfont trusting the font server to send valid protocol data and not verifying that the values will not overflow or cause other damage. This code is commonly called from the X server when an X Font Server is active in the font path, so…

Launch PDF
Ilja van Sprundel
Disclosures | ADVISORIES | November 1, 2014

Facebook Access Token Sent in Plaintext

Attackers can steal Facebook access tokens to impersonate Facebook users and perform malicious actions that include, but are not limited to, posting content on behalf of users and accessing friend lists.

Launch PDF
Ariel Sanchez

Biometric Security: Facial Recognition Testing

IOActive has conducted extensive research and testing of facial recognition systems on commercial mobile devices. Our testing included setups for 2D- and 3D-based algorithms, including technologies using stereo IR cameras. Discovering the underlying algorithms to find setups to bypass them, then calculating the Spoof Acceptance Rate (SAR).