IOActive
IOActive is an independent research-fueled security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products.[2][3][4][5] IOActive has offices in Seattle, London, Dubai and Madrid.[6] IOActive is widely recognized for their extensive body of research across numerous technologies and industries, and has worked with Global 500 companies in multiple industries.[7]
Industry | Computer Security |
---|---|
Founded | 1998 |
Founder | Joshua Pennell |
Headquarters | , |
Area served | Worldwide |
Key people | Joshua Pennell, Founder, Chairman of the Board |
Number of employees | 51-200 |
Website | https://ioactive.com |
History
IOActive was founded in 1998 by Joshua Pennell. At a time when cybersecurity research was an emerging field, Pennell[8] established his reputation as a cybersecurity force, with his team winning the Capture the Flag competition at DEF CON for three consecutive years. He currently serves as the firm’s Founder and Chairman of the Board.[9]
Since 1998, IOActive has continued to provide highly specialized, research-driven security services including full-stack penetration testing, program efficacy assessments, red team services, and hardware hacking, bringing an attacker’s perspective to every engagement to maximize security investments and improve the security posture and operational resiliency of Global 1000 clients.
IOActive prioritizes innovative cybersecurity research for the institutional and enterprise markets, having notable research projects within the fields of embedded systems, industrial control systems, transportation, ATMs, aviation, military technologies, smart cities, and medical devices, amongst many others.
In 2018, IOActive was awarded CREST accreditation for its penetration testing services.[10][11] In 2019, the company was recognized as one of the “Most Important Industry Companies of the Last 30 Years” by SC Media in their 30th Anniversary Awards.[12][13]
Research
ATM Hack
In 2010, Barnaby Jack, Director of Security Research at IOActive, demonstrated his ability to remotely reprogram an ATM over a network to allow him to access cash in the machine. He was also able to access cash from a Triton ATM by using a key to open the machine’s front panel, as it was discovered that the ATM uses a uniform lock on all of its systems.[14]
In 2017, during IOActive’s “Breaking Embedded Devices” panel at Black Hat 2017, IOActive researchers demonstrated a hack that made one of Diebold Nixdorf's popular Opteva ATMs spew out its entire stash of cash in seconds. A security flaw near the ATM's speakers, in the upper section, provided an opening for potential hackers to loosen and expose a USB port.[15]
Robot Hack
In 2017, IOActive deployed a project to “build a foundation of practical cyberattacks against robot ecosystems.” In their robot hacking project,[16] they directly tested core components in robotics, such as mobile applications, operating systems, firmware images, and software. Their research encompassed robotics in home, business, and industrial applications, mindful of how robotics and Internet of Things technologies are converging in many ways.
Without having to conduct a “deep, extensive security audit,” they found 50 cybersecurity vulnerabilities in the robot ecosystem components. Many of those vulnerabilities are commonly found. One common theme they discovered is that robots are often designed and sold without considering their cybersecurity implications.
Car Hack
In 2015, IOActive researchers constructed a demo with Wired reporter Andy Greenberg in which Greenberg was instructed to drive a Jeep Cherokee on a highway as Valasek and Miller hacked the car from approximately 10 miles away. The two were able to control car functions such as air conditioning, radio, windshield wipers, and even the brakes or engine from a remote computer.[17] This discovery prompted automakers to consider automotive security as a legitimate concern as the industry began shifting toward turning cars into high-functioning computers and competing to install new Internet-connected cellular services for entertainment, navigation, and safety.[18]
Boeing 787 security analysis
In 2020, IOActive’s Principal Security Consultant Ruben Santamarta[19] became aware of the FAA’s (Federal Aviation Administration) warning to operators of Boeing 787 aircraft. When an aircraft has been operating continuously for 51 consecutive days, they’re advised to completely shut down the plane’s electrical power. Santamarta analyzed the Boeing 787’s CCS (Common Core System, its computing) and CDN (Common Data Network) to determine what could be the reason for the FAA’s warning.
This is the text from the FAA’s directive:
“The FAA has received a report indicating that the stale-data monitoring function of CCS may be lost when continuously powered on for 51 days. This could lead to undetected or unannunciated loss of CDN message age validation, combined with a CDN switch failure. The CDN handles all the flight-critical data (including airspeed, altitude, attitude, and engine operation), and several potentially catastrophic failure scenarios can result from this situation. Potential consequences include:
• Display of misleading primary attitude data for both pilots.
• Display of misleading altitude on both pilots’ primary flight displays (PFDs).
• Display of misleading airspeed data on both pilots’ PFDs, without annunciation of failure, coupled with the loss of stall warning, or over-speed warning.
• Display of misleading engine operating indications on both engines.
The potential loss of the stale-data monitoring function of the CCS when continuously powered on for 51 days, if not addressed, could result in erroneous flight-critical data being routed and displayed as valid data, which could reduce the ability of the flight crew to maintain the safe flight and landing of the airplane.”
Santamarta hypothesized that there could be a problem in the CDN’s EDE protocol packet headers which makes the age validation and time management inconsistent. If EDE packets can no longer be sequenced accurately after an extended period of CCS operation, pilots may not be able to get proper altitude data, engine operation metrics, speed warnings, or other critical data needed to safely operate a large aircraft.
Santamarta stresses that his analysis is only a hypothesis, as IOActive doesn’t have direct access to a Boeing 787 aircraft for security testing purposes.
ICS attacks through barcode scanners
In 2020, IOActive analyzed how ICS (industrial control systems) can be exploited[20] by threat actors through barcode scanners. Barcodes are omnipresent in the retail and industrial sectors, where they are primarily used for inventory management and item tracking.
They explained that because the handheld barcode scanners used in retail stores and industrial warehouses are usually configured to act as HID keyboards, it’s possible to inject keystroke combinations that can compromise the host computer where the barcode scanner is connected.
They also analyzed how SICK CLV62x-65x barcode scanners support “profile programming” barcodes, which can be another cyber attack vector. “Profile programming” barcodes are custom generated, and when scanned they can directly modify settings in a device without involving a host computer. SICK CLV62x-65x devices are often used in airport baggage and cargo handling. An attacker may be able to physically present a malicious profile programming barcode to a device that can either render it inoperable or change its settings to facilitate further attacks. IOActive tested the attack on a SICK CLV650 and discovered that it works. This can have profound implications for airport security.
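A host-side check for the keyboard-emulation risk described above for handheld scanners, as an added example that is not IOActive's code: it accepts a scan only if it is free of control characters and matches a format the application expects. The two accepted formats (GTIN-13 and an internal `SKU-` code), the function names and the sample scans are assumptions made for illustration, as is the premise that a scanner in keyboard mode delivers ASCII control characters as Ctrl-key combinations.

```python
import re

# Assumed formats for this example (hypothetical): a GTIN-13 with a valid
# check digit, or an internal SKU such as "SKU-AB12CD".
SKU_RE = re.compile(r"SKU-[A-Z0-9]{6,10}")

# Constructed sample scans, as the host would receive them from the scanner.
SAMPLE_SCANS = ["4006381333931\r", "SKU-AB12CD\n", "4006381333932\r",
                "4006381333931\x12ABC\r"]


def gtin13_valid(code: str) -> bool:
    """Check length, ASCII digits and the GS1 mod-10 check digit."""
    if len(code) != 13 or not (code.isascii() and code.isdigit()):
        return False
    digits = [int(c) for c in code]
    # Weights alternate 1, 3 from the left over the first 12 digits.
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def control_chars(scan: str) -> list:
    """Return (offset, description) for every non-printable character."""
    findings = []
    for pos, ch in enumerate(scan):
        code = ord(ch)
        if code < 0x20:
            # In keyboard mode these typically arrive as Ctrl+<key> (assumption).
            findings.append((pos, f"0x{code:02x} (Ctrl+{chr(code + 0x40)})"))
        elif code >= 0x7F:
            findings.append((pos, f"0x{code:02x} (non-printable or non-ASCII)"))
    return findings


def classify_scan(raw: str) -> dict:
    """Decide whether one scan may be passed on to the application."""
    # A single trailing CR or LF is the usual scanner suffix; strip only that.
    body = raw[:-1] if raw.endswith(("\r", "\n")) else raw
    bad = control_chars(body)
    if bad:
        return {"accept": False, "reason": "control characters", "detail": bad}
    if gtin13_valid(body) or SKU_RE.fullmatch(body):
        return {"accept": True, "reason": "expected format", "detail": []}
    return {"accept": False, "reason": "unexpected format", "detail": []}


if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        print(repr(scan), classify_scan(scan))
```

A check like this only helps where scan data reaches the application as data before anything acts on it; keystrokes that the operating system interprets first never pass through it. It also does not address profile programming barcodes, which act on the scanner itself.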
Overview
In 2014, IOActive discovered major vulnerabilities in satellite communication (SATCOM) equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities. These design flaws would allow attackers to run their own code, install malicious firmware, cut off communications, or even spoof messages to the vessel. They also found that certain weaknesses made it possible to locate cargo ships and military bases that were intended to remain hidden.[21] The discovery exposed vulnerabilities in the equipment from six major companies.[22]
Cobham GMDSS
An insecure protocol could compromise the entire terminal communications suite, allowing an attacker to control devices by spoofing data or to disrupt communications by installing malicious firmware. The Ship Security Alert System (SSAS), which is used to dispatch law enforcement or military forces during an act of terrorism or piracy, could also be remotely disabled in an attack.[23]
Biometric hacking
In 2022, IOActive researchers conducted a security assessment[24] of both 2D and 3D-IR based face authentication algorithms in some Android smartphones: Samsung S10(+), OnePlus 7 Pro, Nokia 9 Pure View, Xiaomi Mi 9, and Vivo V15 Pro.
Sometimes race and gender impact the effectiveness of facial recognition technology, so IOActive used a small but diverse group of test subjects: an Asian man, an Asian woman, an African American man, an African American woman, and a Caucasian man. None of the test subjects had registered their faces with any of the devices. Facial biometrics are intended to work as follows: the owner of the device scans their face, the device registers it as the face belonging to its legitimate owner, and only a user with that face can unlock the device. IOActive discovered that the phones’ facial biometrics didn’t always work as intended.
They found that the African American man was able to unlock four of the five devices, despite his face not being the one registered in the biometrics application. The Asian woman was able to unlock three of the devices that weren’t registered with her face. The African American woman was able to unlock two of the devices that hadn’t registered her face. The Asian man was able to unlock one of the devices that hadn’t registered his face. The Caucasian man wasn’t able to unlock any of the devices.
Tesla NFC relay attack
NFC (near-field communication) technology can be used to unlock many smart cars. In 2022, IOActive devised a proof-of-concept cyber attack to exploit a particular NFC vulnerability in Tesla Model Y vehicles.[25] From Rodriguez’s whitepaper:[26]
“To successfully carry out the attack, IOActive reverse-engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and we then created custom firmware modifications that allowed a Proxmark RDV4.0 device to relay NFC communications over Bluetooth/Wi-Fi using the Proxmark’s BlueShark module.”
When IOActive disclosed the exploit to Tesla, Tesla said that the vulnerability is mitigated by its “PIN to Drive” feature. But using the feature is optional, not the default. Tesla owners may not be aware that the feature exists, or of the importance of using it.
References
- "A View from the Top: Jennifer Steffens, CEO of IOActive, on staying safe from cyber-attack". Independent. 2 August 2018. Retrieved 8 March 2019.
- "Researcher Successfully Hacked In-Flight Airplanes - From the Ground". Darkreading.com. 5 June 2018. Retrieved 8 March 2019.
- "Trading apps vulnerable to hacking, report says". Financial Times. 8 August 2018. Retrieved 8 March 2019.
- "Lawyers threaten researcher over key-cloning bug in high-security lock". Arstechnica. 5 May 2015. Retrieved 8 March 2019.
- "How one small hack turned a secure ATM into a cash-spitting monster". Techrepublic.
- "Contact". IOActive.com. Retrieved 8 March 2019.
- "IOActive Highlights Security Issues and Concerns for Smart Cities". TechSpective. 2018-10-26. Retrieved 2019-11-06.
- "Joshua Pennell, Founder & Chairman of the Board". IOActive. Retrieved 2023-02-02.
- "Joshua Pennell on LinkedIn". Joshua Pennell's LinkedIn profile.
- "IOActive Awarded CREST Accreditation for its Leading Penetration Testing Services". IOActive. Retrieved 2019-11-06.
- "CREST". Archived from the original on 2013-08-13. Retrieved 2019-11-06.
- "IOActive Recognized as One of the Most Important Industry Companies of the Last 30 Years in SC Media's 30th Anniversary Awards". IOActive. Retrieved 2019-11-06.
- "SC Media's 30th anniversary award winners". SC Media. 2019-03-06. Retrieved 2019-11-06.
- Zetter, Kim (2010-07-29). "Researcher Demonstrates ATM 'Jackpotting' at Black Hat Conference". Wired. ISSN 1059-1028. Retrieved 2019-11-14.
- Ng, Alfred. "Hack makes ATM spew cash". CNET. Retrieved 2019-11-14.
- "Hacking Robots Before Skynet". IOActive. 2017-03-01. Retrieved 2023-02-02.
- Greenberg, Andy (2015-07-21). "Hackers Remotely Kill a Jeep on the Highway—With Me in It". Wired. ISSN 1059-1028. Retrieved 2019-11-14.
- "Hacker History: The Time Charlie and Chris Hacked a Jeep Cherokee". Decipher. Retrieved 2019-11-14.
- "A Reverse Engineer's Perspective on the Boeing 787 '51 days' Airworthiness Directive". IOActive. 2020-05-06. Retrieved 2023-02-02.
- "Warcodes: Attacking ICS through industrial barcode scanners". IOActive. 2020-06-30. Retrieved 2023-02-02.
- Brewster, Thomas. "This Guy Hacked Hundreds Of Planes From The Ground". Forbes. Retrieved 2020-05-08.
- "Satellite Communications Wide Open To Hackers". Dark Reading. 17 April 2014. Retrieved 2019-11-14.
- Santamarta, Ruben (August 2014). "SATCOM Terminals: Hacking by Air, Sea, and Land" (PDF). Blackhat. Retrieved 20 May 2020.
- "Biometric Hacking: Face Authentication Systems". Retrieved 2023-02-02.
- "NFC Relay Attack on Tesla Model Y". IOActive. 2022-09-10. Retrieved 2023-02-02.
- https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf