IOActive
IOActive is an independent computer security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products.[2][3][4][5] IOActive has offices in Seattle, London, Dubai and Madrid.[6] IOActive has done researches on smart cities and the transportation and technology that connects them, and has worked with Global 500 companies in multiple industries.[7]
Industry | Computer Security |
---|---|
Founded | 1998 |
Headquarters | , |
Area served | Worldwide |
Key people | Jennifer Sunshine Steffens[1] (CEO) |
Number of employees | 51-200 |
Website | https://ioactive.com |
History
In 2018, IOActive was awarded CREST accreditation for its penetration testing services.[8][9] In 2019, the company was recognized as one of the “Most Important Industry Companies of the Last 30 Years” by SC Media in their 30th Anniversary Awards.[10][11]
Research
ATM Hack
In 2010, Barnaby Jack, Director of Security Research at IOActive, demonstrated his ability to remotely reprogram an ATM over a network to allow him to access cash in the machine. He was also able to access cash from a Triton ATM by using a key to open the machine’s front panel, as it was discovered that the ATM uses a uniform lock on all of its systems[12].
In 2017, Mike Davis, Director of Embedded Systems Security at IOActive, and Josh Hammond, a Senior Security Consultant at IOActive, demonstrated their ability to hack one of Diebold Nixdorf's popular Opteva ATMs into completely spewing out its entire stash of cash in seconds during IOActive’s “Breaking Embedded Devices” panel at Black Hat 2017. The security flaw near the ATM's speakers in the upper section provided an opening for potential hackers to loosen and expose a USB port[13].
Car Hack
In 2015, Charlie Miller, a researcher at Twitter and Chris Valasek, Director of Vehicle Security Research at IOActive, constructed a demo with Wired reporter Andy Greenberg in which Greenberg was instructed to drive a Jeep Cherokee on a highway as Valasek and Miller hacked the car from approximately 10 miles away. The two were able to control car functions such as air conditioning, radio, windshield wipers, and even the brakes or engine from a remote computer[14]. This discovery urged automakers to consider automotive security as a legitimate concern as the industry began a shift of turning cars into high-functioning computers and competing to install new Internet-connected cellular services for entertainment, navigation, and safety[15].
SATCOM Security
Overview
In 2014, Ruben Santamarta, Principal Security Consultant at IOActive, discovered major vulnerabilities in satellite communication (SATCOM) equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities. These design flaws would allow attackers to run their own code, install malicious firmware, cut off communications, or even spoof messages to the vessel. Santamarta also found that certain weaknesses made it possible to locate cargo ships and military bases that were intended to remain hidden.[16] The discovery exposed vulnerabilities in the equipment from six major companies.[17]
Cobham GMDSS
Insecure protocol could compromise the entire terminal communications suite, in which an attacker could control devices by data spoofing or disrupting communications through the installation of malicious firmware. The Ship Security Alert System (SSAS), which is used to dispatch law or military enforcement during an act of terrorism or piracy, could also be remotely disabled in an attack.[18]
References
- "A View from the Top: Jennifer Steffens, CEO of IOActive, on staying safe from cyber-attack". Independent. Retrieved 8 March 2019.
- "Researcher Successfully Hacked In-Flight Airplanes - From the Ground". Darkreading.com. Retrieved 8 March 2019.
- "Trading apps vulnerable to hacking, report says". Financial Times. Retrieved 8 March 2019.
- "Lawyers threaten researcher over key-cloning bug in high-security lock". Arstechnica. Retrieved 8 March 2019.
- "How one small hack turned a secure ATM into a cash-spitting monster". Techrepublic.
- "Contact". IOActive.com. Retrieved 8 March 2019.
- "IOActive Highlights Security Issues and Concerns for Smart Cities". TechSpective. 2018-10-26. Retrieved 2019-11-06.
- "IOActive Awarded CREST Accreditation for its Leading Penetration Testing Services". IOActive. Retrieved 2019-11-06.
- "CREST". Archived from the original on 2013-08-13. Retrieved 2019-11-06.
- "IOActive Recognized as One of the Most Important Industry Companies of the Last 30 Years in SC Media's 30th Anniversary Awards". IOActive. Retrieved 2019-11-06.
- "SC Media's 30th anniversary award winners". SC Media. 2019-03-06. Retrieved 2019-11-06.
- Zetter, Kim (2010-07-29). "Researcher Demonstrates ATM 'Jackpotting' at Black Hat Conference". Wired. ISSN 1059-1028. Retrieved 2019-11-14.
- Ng, Alfred. "Hack makes ATM spew cash". CNET. Retrieved 2019-11-14.
- Greenberg, Andy (2015-07-21). "Hackers Remotely Kill a Jeep on the Highway—With Me in It". Wired. ISSN 1059-1028. Retrieved 2019-11-14.
- "Hacker History: The Time Charlie and Chris Hacked a Jeep Cherokee". Decipher. Retrieved 2019-11-14.
- Brewster, Thomas. "This Guy Hacked Hundreds Of Planes From The Ground". Forbes. Retrieved 2020-05-08.
- "Satellite Communications Wide Open To Hackers". Dark Reading. Retrieved 2019-11-14.
- Santamarta, Ruben (August 2014). "SATCOM Terminals: Hacking by Air, Sea, and Land" (PDF). Blackhat. Retrieved 20 May 2020.