RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | August 13, 2020

IOActive Guest Blog | Urban Jonson, Heavy Vehicle Cyber Security Program, NMFTA

Hello, My name is Urban Jonson, and I’m the Chief Technology Officer and Program Manager, Heavy Vehicle Cyber Security Program, with the National Motor Freight Traffic Association, Inc. (NMFTA). I’m honored that IOActive has afforded me this guest blogging opportunity to connect with you. The research at IOActive is always innovative and they have done some really good work in transportation, including aviation, truck electronic logging devices, and even satellites. Being among such technical experts really raises the stakes of the conversation. Luckily, I can lean…

Blogs | EDITORIAL | June 30, 2020

Warcodes: Attacking ICS through industrial barcode scanners

Several days ago I came across an interesting entry in the curious ‘ICS Future News’ blog run by Patrick Coyle. Before anyone becomes alarmed, the description of this blog is crystal clear about its contents: “News about control system security incidents that you might see in the not too distant future. Any similarity to real people, places or things is purely imaginary.” IOActive provides research-fueled security services, so when we analyze cutting-edge technologies the goal is to stay one step ahead of malicious actors…

Ruben Santamarta
Disclosures | ADVISORIES | June 18, 2020

Moog EXO Series Multiple Vulnerabilities

Moog Inc. (Moog) offers a wide range of camera and video surveillance solutions. These can be network-based or part of more complex tracking systems. The products affected by the vulnerabilities in this security advisory are part of the EXO series, “built tough to withstand extreme temperature ranges, power surges, and heavy impacts.” These units are configurable from a web application. The operating systems running on these cameras are Unix-based. ONVIF Web Service Authentication Bypass Undocumented Hardcoded Credentials Multiple Instances of Unauthenticated XML External Entity (XXE) Attacks statusbroadcast Arbitrary Command Execution…

Launch PDF
Mario Ballano Gabriel Gonzalez Josep Pi Rodriguez & Simon Robin
Disclosures | ADVISORIES |

Verint PTZ Cameras Multiple Vulnerabilities

Verint Systems Inc. (Verint) sells software and hardware solutions to help its clients perform data analysis. Verint also offers IP camera systems and videos solutions. Most of these cameras are configurable from a web application. The operating systems running on these cameras are Unix-based. DM Autodiscovery Service Stack Overflow FTP root User Enabled Undocumented Hardcoded Credentials Access the Advisory (PDF)

Launch PDF
Mario Ballano Gabriel Gonzalez Josep Pi Rodriguez & Simon Robin
Library | PRESENTATION, VIDEO | May 28, 2020

Introduction to Bluetooth Low Energy Exploitation (Breaking BLE series – part 1)

Bluetooth, especially Bluetooth Low Energy (BLE), has become the ubiquitous backbone that modern devices use to interact with each other. From mobile, to IoT, to automotive, most smart devices now support Bluetooth connections. This enhanced connectivity expands the attack surface making this attack vector an increasingly necessary aspect of security testing.

access the video
Blogs | EDITORIAL | May 27, 2020

File-Squatting Exploitation by Example

This will (hopefully) be a short story about a bug I found some time ago while auditing a .NET service from an OEM. It should be interesting as I have yet to find a description of how to exploit a similar condition. Our service was running as SYSTEM and needed to periodically execute some other utilities as part of its workflow. Before running these auxiliary tools, it would check if the executable was properly signed by the vendor. Something like this: public void CallAgent() {    string ExeFile = “C:\\Program…

Enrique Nissim
Disclosures | ADVISORIES | May 14, 2020

GE Grid Solutions Reason RT430 GNSS Precision-Time Clock Multiple Vulnerabilities

GE Grid Solutions’ Reason RT430 GNSS Precision-Time Clock is referenced to GPS and GLONASS satellites. Offering a complete solution, these clocks are the universal precision time synchronization units, with an extensive number of outputs which supports many timing protocols. including the DST rules frequently used on power systems applications. In accordance with IEEE 1588 Precision Time Protocol (PTP), the RT430 is capable of providing multiple IEDs synchronization with better than 100ns time accuracy over Ethernet networks. Despite being likely to never lose time synchronization from satellites, the RT430 GNSS features…

Launch PDF
Ehab Hussein
Blogs | EDITORIAL | May 6, 2020

A Reverse Engineer’s Perspective on the Boeing 787 ‘51 days’ Airworthiness Directive

Several weeks ago, international regulators announced that they were ordering Boeing 787 operators to completely shut down the plane’s electrical power whenever it had been running for 51 days without interruption.1 The FAA published an airworthiness directive elaborating on the issue, and I was curious to see what kind of details were in this document. While I eventually discovered that there wasn’t much information in the FAA directive, there was just enough to put me on track to search for the root cause of the issue. This blog post will…

Ruben Santamarta
Library | PRESENTATION, VIDEO | April 22, 2020

Hacking and Securing LoRaWAN Networks

LoRaWAN is becoming the most popular low-power wide-area network (LPWAN) open standard protocol used around the world for Smart Cities, IIoT, Smart Building, etc. LoRaWAN protocol has “built-in encryption” making it “secure by default.” This results in many users blindly trusting LoRaWAN networks without being diligent in assessing security concerns; the implementation issues and weaknesses can make the networks vulnerable to hacking. Currently, much of the cybersecurity problems of LoRaWAN networks, are not well known. Also, there are no available tools for LoRaWAN network security testing/auditing and attack detection, which…

access the video
Library | COLLATERAL | April 17, 2020

IOActive Red and Purple Team Service

Building Operational Resiliency Through Real-world Threat Emulation. Who better to evaluate security effectiveness – compliance auditors or attackers? Vulnerability assessments and penetration tests are critical components of any effective security program, but the only real way to test your operational resiliency is from an attacker’s perspective. 

Launch PDF

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787, commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.

ACCESS THE WHITEPAPER


IOACTIVE CORPORATE OVERVIEW (PDF)IOACTIVE SERVICES OVERVIEW (PDF)


IOACTIVE ARCHIVED WEBINARS