INTRODUCING AI/ML SECURITY SERVICES

Engineered to secure your AI investments from concept to deployment, ensuring you remain ahead of threats and fully compliant with industry standards.

LEARN MORE

25+ Years. Billions Protected. The Most Trusted Research-Led Security Firm on the Planet.

We don’t just find bugs – we uncover the systemic cracks attackers aim for. For nearly 30 years, IOActive’s researchers have hacked everything from cloud stacks to connected cars to integrated circuits and beyond. We help the world’s biggest brands find and fix serious issues before it’s too late.

Why Organizations Trust IOActive:

  • Built to last. Independent since 1998, proudly making the world safer and more secure.
  • Unparalleled loyalty with enduring client relationships providing continuity of expertise.
  • Enterprise-grade experience. Trusted by clients from top tier Fortune firms to small and mid-sized businesses.
  • Award-winning research. Discoveries that set industry standards and headline prestigious conferences across all industries.
  • Straight-talk advisors. We tell you what you need to know, not what you want to hear, so you can make informed risk decisions.
  • Global footprint. Teams across the globe aligning with time zones, languages, industries, and frameworks
  • Trustworthiness. Maintaining client confidentiality is our highest priority.

Are you ready to secure what matters most? Let’s talk.

2025

(2025) Raspberry Pi - RP2350

IOActive was announced as a winner of Raspberry Pi’s RP2350 Challenge where our research team was able to ‘extract antiques secrets from RP2350 by FIB/PVC.’

BlogArticle YouTube

(2024) AMD Sinkclose

Our team discovered a vulnerability that has existed for decades in AMD chips that would allow an attacker access into privileged portions of a computer.

BlogArticle YouTubePodcast

(2023) UAS Fault Injection Attack

IOActive managed to get some way of executing code inside perimeters of 4 tested website, which would allow us to proceed to “normal” red team activities of dropping Cobalt Strike implants and exploring inside the organizations.

Blog

(2023) Automated Card Shuffler Machines

IOActive conducted a comprehensive analysis of the security aspects of ShuffleMaster's Deck Mate 1 (DM1) and Deck Mate 2 (DM2) automated shuffler machines.

White PaperArticle YouTube

 

(2022) NFC Relay Attack tesla Model Y

Josep Pi Rodriguez, IOActive Principal Security Consultant, successfully exploited Tesla's Model Y with a NFC relay attack for IOActive’s recent.

White Paper • BlogArticle YouTube  Presentation Deck

(2022) Biometric Hacking Facial Recognition

IOActive analyzed a number 2D-based algorithms used in commercially available mobiles phones. We successfully bypassed the facial authentication security mechanism on all tested devices for at least one of the participating subjects.

White PaperBlog Research

 

(2022) Satcom Exploits (Redux Wideye '19)

IOActive researched two SATCOM terminals manufactured by Addvalue Technologies, Ltd.: the Wideye iSavi and Wideye SABRE Ranger 5000. We identified numerous serious security vulnerabilities in both devices, including broken or backdoored authentication mechanisms, rudimentary data parsing errors allowing for complete device compromise over the network, completely inadequate firmware security, and sensitive information disclosure, including the leaking of terminal GPS coordinates.

White Paper • BlogResearch
Our Pioneering Cybersecurity Research

(2022) Hacking Perimeter Defenses

IOActive managed to get some way of executing code inside perimeters of 4 tested website, which would allow us to proceed to “normal” red team activities of dropping Cobalt Strike implants and exploring inside the organizations.

Blog

 

(2021) Fault Injection

IOActive discovered a vulnerability where hackers could disable high-security electronic locks used in such industries as banks, pharmacies, government libraries, and many more. This research was presented at DEF CON 2019.

DEF CON Presentation Slides Article YouTube

(2021) Hacking IoT Embedded Designs

IOActive performed a manual code review of some of the most widely used IoT SDKs and found multiple vulnerabilities in the code provided by leading semiconductor vendors, such as Texas Instruments, Nordic, and Qualcomm. 

Blog Part 1 Blog Part 2

 

(2020) Password Cracking

Jamie Riden, IOActive Senior Security Consultant, conducted research on password cracking utilizing several techniques that are known to the public.

Blog YouTube

(2020) Airport ICS Security

IOActive conducted analysis of real attack vectors where custom barcodes could be leveraged to remotely attack ICS (Industrial Control Systems), including critical infrastructure.

Blog Blog  Blog Article

(2020) Vehicle Connected Apps

IOActive conducted research on several BMW navigation-equipped vehicles and found a vulnerability that allowed researchers to obtain unencrypted data and impact the vehicle’s technology such as the ability to unlock vehicle doors.

Blog 

(2020) FAA Airworthiness Directive

IOActive researchers conducted analysis of the '51 Days' Airworthiness Directive from international regulators that ordered Boeing 787 operators to completely shut down the plane’s electrical power whenever it had been running for 51 days without interruption.

Blog

(2020) Breaking BLE

IOActive researchers did a deep dive into the key components and tools for breaking Bluetooth Low Energy devices—from the perspective of a pentester and cybersecurity consultant.

Blog DEF CON Presentation

(2020) LoRaWAN Vulnerabilities

IOActive released a white paper describing LoRaWAN network cyber security vulnerabilities, possible cyber attacks, and provide useful techniques for detecting them with the help of our open-source tools.

White PaperBlogThe Things Conference Presentation

2020

(2019) Boeing 787 Vulnerabilities

IOActive documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks. 

BlogWhite Paper  Article Black Hat Presentation

(2019) Hacking Jet Cabin Systems

IOActive conducted research on Cabin Management Systems popular in the aviation industry. Our researches found multiple vulnerabilities that an attacker could exploit.

Technical PaperBlogRootedCON Presentation

(2019) Bypassing Chrome CSP

IOActive consultants found a bug in Google’s Chrome browsers that allows attackers to bypass the Content Security Policy (CSP). Besides breaking the CSP, the bug also allows attackers a means to ex-filtrate information from inside an SSL/TLS connection.

Blog

(2018) Breaking WingOS

IOActive researchers discovered several critical vulnerabilities found in the embedded operation system WingOS.

Blog • DEF CON Presentation Abstract DEF CON Presentation CONFidence Presentation

(2018) Ransomware / Robot Hacking

IOActive consultants found around 50 vulnerabilities in robots produced by several robot technology vendors. Attackers could manipulate the flaws found in these robots to spy via the robot’s microphone and camera, lead data, or cause serious physical harm.

BlogArticleArticleArticle

 

(2018) Mobile Trading Apps

IOActive researchers analyzed popular mobile trading applications and found that there was a lot lacking in regard to cybersecurity. Our consultants offer thoughts about how those who are using these applications can stay most secure.

White Paper Blog BlogArticleCode Blue Presentation

 

(2017) Maritime Vessel Communication

IOActive researches found critical cybersecurity vulnerabilities affecting Stratos Global’s AmosConnect communication shipboard platform. Stratos Global is the leading provider of maritime communications services in the world and used by thousands of ship vessels globally.

BlogPress Release

 

(2017) Industrial / Home Robot Systems

IOActive conducted research on several home, business, and industrial robots from multiple well-known vendors, and found multiple critical cybersecurity vulnerabilities.

White Paper  Blog Blog BlogArticleCode Blue Presentation

(2017) Embedded Devices/ATM

Using reverse engineering and protocol analysis, IOActive found a critical vulnerability in the tested version of the Opteva ATM with the AFD platform. Despite its separation of privilege and authentication requirements, the ATM is still vulnerable to a malicious attacker, compromising its integrity and causing unauthenticated vending from the AFD.

BlogAdvisory

 

(2017) Radiation Monitoring Devices

IOActive researchers provided a comprehensive description of technical details and the approach IOActive used to discover vulnerabilities affecting widely deployed radiation monitoring devices. Our work involved software and firmware reverse engineering, RF analysis, and hardware hacking.

White Paper

(2016) Vehicle Security Commonalities

IOActive has amassed real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity issues facing Connect Cars.

White PaperBlog

 

(2016) Home Security Systems

IOActive a critical security vulnerability in a wireless home security system from SimpliSafe.

BlogAdvisoryVideo

(2016) In-Flight Systems

Our researchers released details on several cybersecurity vulnerabilities found in Panasonic Avionics In-Flight Entertainment (IFE) systems used by a number of major airlines including United, Virgin, American Airlines, Emirates, AirFrance, Singapore, and Qatar, among others.

Press ReleaseBlog

 

(2015) iOS Exploits

Our team conducted research on mobile applications for mobile banking and photo vaults. Our researchers offer ways to keep these types of applications more secure.

BlogBlog

(2015) Hacking Industrial Plants

Our researchers discovered vulnerabilities that allowed Remote Code Execution through wireless communication products used by industrial plants.

Blog

 

(2015) Smart City Grids

Our researchers found vulnerabilities in over 200,000 traffic control sensors that were used in cities like Washington, New York, New Jersey, San Francisco, Seattle, and more. The team showed that information could be intercepted from the sensors as they were not encrypted.

Article

(2015) Vehicle Security

Our researchers gathered data on the architecture of a large number of vehicles to determine which vehicles would present the most obstacles to an attacker, starting with evaluating the attack surface, to getting CAN messages to safety critical ECUs, and finally getting the ECUs to take some kind of physical action.

White PaperDEF CON PresentationArticle

2015

(2014) AndBug Debugger

Our team released AndBug, a free scriptable Android Debugger, that was intended for reverse engineers and developers.

GitHub Link

(2014) Payload Miniaturization

Our team released research on how attackers could utilize ‘Miniaturization’ after getting past a SCADA firewall.

Press ReleasePresentation Slide DeckBlack Hat Presentation

(2014) PCI DSS

Our researches released information on how companies can strengthen their security posture through effective monitoring of the compliance standard Payment Card Industry Data Security Standards (PCI DSS).

Blog

(2014) SATCOM

Our researchers found that malicious actors could abuse of the most widely deployed Inmarsat and Iridium SATCOM terminals. Vulnerabilities included backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms.

White PaperBlack Hat Presentation

(2014) Traffic Control Systems

Our team found vulnerabilities that would allow anyone to take complete control of traffic control systems. In theory, this means that anyone could cause a traffic mess by launching an attack with a simple exploit.

BlogBlogArticleDEF CON Presentation

(2013) Cloud Forensics

Our research team found that Windows7, Server 2008R2, and earlier kernels contain significant executable regions available for abuse. The team released information for users to get a comprehensive understanding of what possible code is hiding/running on their computer.

Press ReleaseDEF CON Presentation SlidesDEF CON Presentation AbstractDEF CON Presentation

(2013) Industrial Wireless Automation

Our researchers discovered a vulnerability in ProSoft technology’s RadioLinx ControlScape application that allowed for expedited brute-force passphrase and other cryptographic-based attacks.

White PaperPress ReleaseBlack Hat Presentation

(2013) Emergency Alert System (EAS)

Our researchers discovered vulnerabilities in the Emergency Alerting Systems (EAS) which is widely used by TV and radio stations across the United States.

Press ReleaseBlog

(2013) ICS Back Doors

Our researchers found vulnerabilities for different industrial automation devices and stressed the importance of engaging with incident response teams within companies using Industrial Control Systems.

Press ReleasePress Release

(2013) Medical Devices

Our researchers discovered vulnerabilities in the Emergency Alerting Systems (EAS) which is widely used by TV and radio stations across the United States.

BlogBlogBlogArticle

(2013) Smart Grid Security

In 2009, our researchers recommended encrypting smart grid technology as the team discovered a worm that could disrupt services to homes and businesses. In 2014, the team found that while these systems' security posture improved, there were still a lot of smart grid technologies that were vulnerable to attack.

ArticleArticleArticle

(2013) TPM Insecurities

IOActive discovered that the STEMicroelectronics ST19WL18P TPM device wasn’t as cyber secure as the industry hopes. Our team presented research to show just how insecure the devices are.

YouTube

(2012) Window Kernel Exploitation

We discovered a vulnerability that allows remote attackers to execute arbitrary code on vulnerable installations of Windows.

BlogAdvisory

(2011) Social Engineering

Our team released a 3 blog series applying classical theories on social engineering to modern practices in cybersecurity.

Blog Part 1Blog Part 2Blog Part 3

(2010) ATM Hacking

IOActive researchers demonstrated the ability to hack ATMs to dispense money freely, even from a remote access standpoint.

VideoBlogAdvisory

2010

(2009) Mobile Digital Certificates (PKI - Public Key Infrastructure)

Our research showed how MD5’s long-know flaws could be actively exploited to attack the real-world Certification Authority Infrastructure. Our team discovered two new classes of collision.

White Paper

(2009) DNS/DNSSec

Our researchers discovered a vulnerability in the Domain Name System (DNS) that could allow poisoning of DNS caches.

BlogPresentation DeckArticleArticle

(2009) Advanced Metering Infrastructure (AMI)

Our team identified multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues.

Presentation DeckBlack Hat Presentation

(2009) PoC Worm

IOActive researchers created a worm attack on a smart meter that can copy itself from one smart meter to the next in a neighborhood. This could create power outages and can disable the smart meter.

Black Hat Presentation DeckArticle

(2009) 1st Smart Grid

This presentation, delivered at Infosecurity Europe by Joshua Pennell, discusses risks identified, research performed, and remediation efforts suggested around the Smart Grid and meters.

BlogArticleArticleArticle

(2008) SCADA

Our team released research that breaks some of the SCADA myths while also giving focus to where it matters the most. 

Presentation DeckBlack Hat BriefingUpdated IOActive Services

(2008) Custom ASIC

IOActive released research to reverse-engineer secure functionality of custom Application-Specific Integrated Circuit (ASIC) chips.

Blog

(2007) RFID Cloning

IOActive researchers released information on the science behind radio frequency identification (RFID) tags and the vulnerabilities associated with them. An attack on RFID tags could allow an attacker to clone security access badges, such as the ones use by governments.

Article

IOActive Security Services

Our game-changing approach, using time-tested techniques aligned to your business, is a key reason why we’ve been recognized as one of the most important security companies in the last 30 years. And why enterprises and product manufacturers across a wide range of industries trust us to help them grow and innovate securely.

SERVICES AT A GLANCE

 

 

2024 Cyber Security Excellence Awards

  • Pen Test Team of the Year
  • Cybersecurity Team of the Year
  • Cybersecurity Provider of the Year

At IOActive, our team provides more than traditional penetration testing. We freely share our security expertise through a range of offerings including red and purple team exercises, attack simulations, security consultancy, and our highly specialized technical and programmatic services.

 

2024 Cyber Security Excellence Awards

  • Pen Test Team of the Year
  • Cybersecurity Team of the Year
  • Cybersecurity Provider of the Year

At IOActive, our team provides more than traditional penetration testing. We freely share our security expertise through a range of offerings including red and purple team exercises, attack simulations, security consultancy, and our highly specialized technical and programmatic services.

 

 

2024 Corporate Excellence Awards

  • Best Research-Led Security Services Provider 2024 – USA

IOActive is a proud winner of this year’s ‘Best Research-Led Security Services Provider 2024 – USA’ through the implementation of up-to-date research embedded in the delivery of services. The Corporate Excellence Awards ‘showcase the companies and individuals that are committed to innovation, business growth, and providing the very best products and services to clients across a wide range of industries.’

Accreditations

2022-CREST-logo_Colour
cyberessentials_certification_logo_2021
73f99d0a51aa3da3e39a054c310676f4e94e60ea