IOActive
American computer security company
From Wikipedia, the free encyclopedia
IOActive is an independent computer security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products.[2][3][4] IOActive has published research on smart cities and the transportation and technology that connects them, and has worked with Global 500 companies in multiple industries.[5]
Research
Raspberry Pi RP2350
In February 2025, IOActive reported a method to extract data from the antifuse-based one-time programmable (OTP) memory of the Raspberry Pi RP2350 microcontroller as part of Raspberry Pi’s public hacking challenge.[6] By combining focused ion beam techniques with passive voltage contrast, the researchers demonstrated that cryptographic secrets stored in OTP memory, previously considered resistant to extraction, could be read within one to two days of invasive analysis.
The findings challenged assumptions about the inherent security of antifuse OTP memory and highlighted potential risks for other devices using similar Synopsys memory IP. IOActive proposed mitigations such as storing complementary data or hashing larger blocks of secrets, while noting that complete protection remains difficult. The discovery was regarded as a significant contribution to embedded security research and illustrated the value of open security testing in identifying hardware vulnerabilities.[7]
AMD Sinkclose
In August 2024, IOActive researchers Enrique Nissim and Krzysztof Okupski disclosed a vulnerability in AMD processors, later named Sinkclose (CVE-2023-31315), during the DEF CON security conference. The flaw affects a wide range of AMD chips produced since 2006 and enables attackers with kernel-level access to execute code within the processor’s System Management Mode (SMM). This allows the installation of persistent malware that can evade detection by antivirus software and survive operating system reinstallation.
IOActive demonstrated that the vulnerability could permit deep and difficult-to-remove compromises, in some cases requiring physical reprogramming of the system’s firmware to restore security. The discovery was considered significant because it challenged assumptions about the integrity of SMM protections and highlighted risks across a large number of consumer, enterprise, and embedded devices. AMD acknowledged the issue and released mitigations for its EPYC and Ryzen product lines, with updates for embedded products announced as forthcoming.[8]
UAS Fault Injection Attack
In mid-2023, IOActive researchers, led by Gabriel Gonzalez, conducted a study on the feasibility of noninvasive electromagnetic (EM) side-channel and EM fault injection (EMFI) attacks on a commercial drone, the DJI Mavic Pro. The drone included several security measures such as secure boot, a trusted execution environment (TEE), and signed and encrypted firmware. The research team treated the target as a black box and evaluated whether vulnerabilities could be exploited without prior internal knowledge. They developed a full fault injection platform in a controlled setting, using an EM pulse generator, oscilloscope, and precise probe placement, along with threat modeling and attack surface analysis.[9][10]
The researchers first attempted a key-recovery attack through EM side-channel analysis but found the probability of bypassing the aircraft’s signature verification to be extremely low.[11] They then carried out EMFI during the firmware update process and were able to provoke memory corruption in key processor registers such as R0 and R1, as well as crashes and segmentation faults, by adjusting glitch timing and probe location. Although arbitrary code execution was not fully achieved, the experiments showed that with further refinement it may be possible for an attacker with physical access to execute code, access the Android operating system, or exfiltrate firmware secrets. IOActive disclosed the findings to DJI and recommended both hardware and software countermeasures, noting that hardware protections are most effective when integrated during device design, while software mitigations can be added later.[12]
Automated Card Shuffler Machines
In 2023, IOActive researchers analyzed ShuffleMaster’s Deck Mate 1 (DM1) and Deck Mate 2 (DM2) automated card shufflers, widely used in casinos. By reverse engineering firmware and testing hardware interfaces, they identified vulnerabilities that could be exploited by attackers with physical access. Proof-of-concept demonstrations showed that inserting a small computing device into the DM2’s USB port could enable unauthorized code execution, while its internal verification camera could be accessed to reveal the full order of cards after a shuffle.[13]
The findings were presented at the Black Hat conference, where researchers demonstrated how a Raspberry Pi–based payload could compromise a DM2 and transmit deck information in real time. Although full deck reordering was not achieved, the attack surface made it a plausible risk, with implications for competitive poker and casino operations. IOActive and industry commentators recommended mitigations including restricting external ports, strengthening firmware update processes, and improving inspection and access controls.[14][15]
References