IOActive is an independent computer security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products.[2][3][4] IOActive has published research on smart cities and the transportation and technology that connects them, and has worked with Global 500 companies in multiple industries.[5]
Industry | Computer Security |
---|---|
Founded | 1998 |
Headquarters | , |
Area served | Worldwide |
Key people | Jennifer Sunshine Steffens[1] |
Website | https://ioactive.com |
Research
Raspberry Pi RP2350
In February 2025, IOActive reported a method to extract data from the antifuse-based one-time programmable (OTP) memory of the Raspberry Pi RP2350 microcontroller as part of Raspberry Pi’s public hacking challenge.[6] By combining focused ion beam techniques with passive voltage contrast, the researchers demonstrated that cryptographic secrets stored in OTP memory, previously considered resistant to extraction, could be read within one to two days of invasive analysis.
The findings challenged assumptions about the inherent security of antifuse OTP memory and highlighted potential risks for other devices using similar Synopsys memory IP. IOActive proposed mitigations such as storing complementary data or hashing larger blocks of secrets, while noting that complete protection remains difficult. The discovery was regarded as a significant contribution to embedded security research and illustrated the value of open security testing in identifying hardware vulnerabilities.[7]
AMD Sinkclose
In August 2024, IOActive researchers Enrique Nissim and Krzysztof Okupski disclosed a vulnerability in AMD processors, later named Sinkclose (CVE-2023-31315), during the DEF CON security conference. The flaw affects a wide range of AMD chips produced since 2006 and enables attackers with kernel-level access to execute code within the processor’s System Management Mode (SMM). This allows the installation of persistent malware that can evade detection by antivirus software and survive operating system reinstallation.
IOActive demonstrated that the vulnerability could permit deep and difficult-to-remove compromises, in some cases requiring physical reprogramming of the system’s firmware to restore security. The discovery was considered significant because it challenged assumptions about the integrity of SMM protections and highlighted risks across a large number of consumer, enterprise, and embedded devices. AMD acknowledged the issue and released mitigations for its EPYC and Ryzen product lines, with updates for embedded products announced as forthcoming.[8]
References
1. "TEAM – IOActive". Retrieved 2023-07-14.
2. Kuchler, Hannah (8 August 2018). "Trading apps vulnerable to hacking, report says". Financial Times. Retrieved 8 March 2019.
3. "Lawyers threaten researcher over key-cloning bug in high-security lock". Arstechnica. 5 May 2015. Retrieved 8 March 2019.
4. "How one small hack turned a secure ATM into a cash-spitting monster". Techrepublic. 17 August 2023.
5. "IOActive Highlights Security Issues and Concerns for Smart Cities". TechSpective. 2018-10-26. Retrieved 2019-11-06.
6. "RP2350 Hacking Challenge at DEF CON 2024". Raspberry Pi. Retrieved 2025-08-17.
7. "IOActive's Outstanding Discovery in the RP2350 Hacking Challenge". Embedded. 2025-02-26. Retrieved 2025-08-17.
8. "'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections". Wired. 2024-08-09. Retrieved 2025-08-17.