Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | April 10, 2014

Bleeding Hearts

The Internet is ablaze with talk of the “heartbleed” OpenSSL vulnerability disclosed yesterday (April 7, 2014) here:   While the bug itself is a simple “missing bounds check,” it affects quite a number of high-volume, big business websites.   Make no mistake, this bug is BAD. It’s sort of a perfect storm: the bug is in a library used to encrypt sensitive data (OpenSSL), and it allows attackers a peak into a server’s memory, potentially revealing that same sensitive data in the clear.   Initially, it was reported…

Robert Erbes
Blogs | INSIGHTS | April 8, 2014

Car Hacking 2: The Content

Does everyone remember when those two handsome young gentlemen controlled automobiles with CAN message injection ( I sure do. However, what if you don’t have the resources to purchase a car, pay for insurance, repairs to the car, and so on?    Fear not Internet!    Chris and Charlie to the rescue. Last week we presented our new automotive research at Syscan 2014. To make a long story short, we provided the blueprints to setup a small automotive network outside the vehicle so security researchers could start investigating Autosec…

Chris Valasek
Blogs | INSIGHTS | February 27, 2014

Beware Your RSA Mobile App Download

It’s been half a decade since Apple launched their iPhone campaign titled “There’s an app for that“. In the years following, the mobile app stores (from all the major players) have continued to blossom to the point that not only are there several thousand apps that help light your way (i.e. by keeping the flash running bright), but every company, cause, group, or notable event is expected to publish their own mobile application.    Today there are several hundred good “rapid development” kits that allow any newbie to craft…

Gunter Ollmann
Blogs | INSIGHTS | February 14, 2014

The password is irrelevant too

In this follow up to a blog post on the Scalance-X200 series switches, we look at an authentication bypass vulnerability. It isn’t particularly complicated, but it does allow us to download configuration files, log files, and a firmware image. It can also be used to upload configuration and firmware images, which causes the device to reboot.   The code can be found in IOActive Labs github repository.   If an attacker has access to a configuration file with a known password, they can use this code to update the…

Eireann Leverett
Blogs | INSIGHTS | February 6, 2014

An Equity Investor’s Due Diligence

Information technology companies constitute the core of many investment portfolios nowadays. With so many new startups popping up and some highly visible IPO’s and acquisitions by public companies egging things on, many investors are clamoring for a piece of the action and looking for new ways to rapidly qualify or disqualify an investment ; particularly so when it comes to hottest of hot investment areas – information security companies.  Over the years I’ve found myself working with a number of private equity investment firms – helping them to review the…

Gunter Ollmann
Blogs | INSIGHTS | January 21, 2014

Scientifically Protecting Data

This is not “yet another Snapchat Pwnage blog post”, nor do I want to focus on discussions about the advantages and disadvantages of vulnerability disclosure. A vulnerability has been made public, and somebody has abused it by publishing 4.6 million records. Tough luck! Maybe the most interesting article in the whole Snapchat debacle was the one published at [1], which explains how data correlation can yield interesting results in targeted attacks. The question then becomes, “How can I protect against this?” Stored personal data is always vulnerable to attackers…

Wim Remes
Blogs | INSIGHTS | January 13, 2014

The password is irrelevant

This story begins with a few merry and good hearted tweets from S4x13. These tweets in fact:     Notice the shared conviviality, and the jolly manner in which this discussion of vulnerabilities occurs.   It is with this same lightness in my heart that I thought I would explore the mysterious world of the.   So I waxed my moustache, rolled up my sleeves, and began to use the arcane powers of Quality Assurance.    Ok, how would an attacker who…

Eireann Leverett
Blogs | INSIGHTS | December 4, 2013

Practical and cheap cyberwar (cyber-warfare): Part II

Disclaimer: I did not perform any illegal attacks on the mentioned websites in order to get the information I present here. No vulnerability was exploited on the websites, and they are not known to be vulnerable.   Given that we live in an age of information leakage where government surveillance and espionage abound, I decided in this second part to focus on a simple technique for information gathering on human targets. If an attacker is targeting a specific country, members of the military and defense contractors would make good human…

Cesar Cerrudo
Blogs | INSIGHTS | November 27, 2013

A Short Tale About executable_stack in elf_read_implies_exec() in the Linux Kernel

This is a short and basic analysis I did when I was uncertain about code execution in the data memory segment. Later on, I describe what’s happening in the kernel side as well as what seems to be a small logic bug. I’m not a kernel hacker/developer/ninja; I’m just a Linux user trying to figure out the reason of this behavior by looking in key places such as the ELF loader and other related functions. So, if you see any mistakes or you realize that I approached this in a…

Alejandro Hernandez
Blogs | INSIGHTS | November 15, 2013

heapLib 2.0

Hi everyone, as promised I’m releasing my code for heapLib2. For those of you not familiar, I introduced methods to perform predictable and controllable allocations/deallocations of strings in IE9-IE11 using JavaScript and the DOM. Much of this work is based on Alex Sotirov’s research from quite a few years ago (  The zip file contains:  heapLib2.js => The JavaScript library that needs to be imported to use heapLib2 heapLib2_test.html => Example usage of some of the functionality that is available in heapLib2 => A Python script…

Chris Valasek

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.