IOActive


IOActive is an independent computer security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products. IOActive has offices in Seattle, London, Dubai and Madrid. IOActive has done researches on smart cities and the transportation and technology that connects them, and has worked with Global 500 companies in multiple industries.

History

In 2018, IOActive was awarded CREST accreditation for its penetration testing services. In 2019, the company was recognized as one of the “Most Important Industry Companies of the Last 30 Years” by SC Media in their 30th Anniversary Awards.

Research

ATM Hack

In 2010, Barnaby Jack, Director of Security Research at IOActive, demonstrated his ability to remotely reprogram an ATM over a network to allow him to access cash in the machine. He was also able to access cash from a Triton ATM by using a key to open the machine’s front panel, as it was discovered that the ATM uses a uniform lock on all of its systems.
In 2017, Mike Davis, Director of Embedded Systems Security at IOActive, and Josh Hammond, a Senior Security Consultant at IOActive, demonstrated their ability to hack one of Diebold Nixdorf's popular Opteva ATMs into completely spewing out its entire stash of cash in seconds during IOActive’s “Breaking Embedded Devices” panel at Black Hat 2017. The security flaw near the ATM's speakers in the upper section provided an opening for potential hackers to loosen and expose a USB port.

Car Hack

In 2015, Charlie Miller, a researcher at Twitter and Chris Valasek, Director of Vehicle Security Research at IOActive, constructed a demo with Wired reporter Andy Greenberg in which Greenberg was instructed to drive a Jeep Cherokee on a highway as Valasek and Miller hacked the car from approximately 10 miles away. The two were able to control car functions such as air conditioning, radio, windshield wipers, and even the brakes or engine from a remote computer. This discovery urged automakers to consider automotive security as a legitimate concern as the industry began a shift of turning cars into high-functioning computers and competing to install new Internet-connected cellular services for entertainment, navigation, and safety.

SATCOM Security

Overview

In 2014, Ruben Santamarta, Principal Security Consultant at IOActive, discovered major vulnerabilities in satellite communication equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities. These design flaws would allow attackers to run their own code, install malicious firmware, cut off communications, or even spoof messages to the vessel. Santamarta also found that certain weaknesses made it possible to locate cargo ships and military bases that were intended to remain hidden. The discovery exposed vulnerabilities in the equipment from six major companies.
Cobham GMDSS
Insecure protocol could compromise the entire terminal communications suite, in which an attacker could control devices by data spoofing or disrupting communications through the installation of malicious firmware. The Ship Security Alert System, which is used to dispatch law or military enforcement during an act of terrorism or piracy, could also be remotely disabled in an attack.