IOActive

IOActive is an independent computer security services firm active in several areas. They are known for reporting high severity security vulnerabilities in a variety of products.^[2][3][4] IOActive has published research on smart cities and the transportation and technology that connects them, and has worked with Global 500 companies in multiple industries.^[5]

IOActive, Inc.

Industry	Computer Security
Founded	1998
Headquarters	Seattle , United States
Area served	Worldwide
Key people	Jennifer Sunshine Steffens[1]
Website	https://ioactive.com

Research

Raspberry Pi RP2350

In February 2025, IOActive reported a method to extract data from the antifuse-based one-time programmable (OTP) memory of the Raspberry Pi RP2350 microcontroller as part of Raspberry Pi’s public hacking challenge.^[6] By combining focused ion beam techniques with passive voltage contrast, the researchers demonstrated that cryptographic secrets stored in OTP memory, previously considered resistant to extraction, could be read within one to two days of invasive analysis.

The findings challenged assumptions about the inherent security of antifuse OTP memory and highlighted potential risks for other devices using similar Synopsys memory IP. IOActive proposed mitigations such as storing complementary data or hashing larger blocks of secrets, while noting that complete protection remains difficult. The discovery was regarded as a significant contribution to embedded security research and illustrated the value of open security testing in identifying hardware vulnerabilities.^[7]

AMD Sinkclose

In August 2024, IOActive researchers Enrique Nissim and Krzysztof Okupski disclosed a vulnerability in AMD processors, later named Sinkclose (CVE-2023-31315), during the DEF CON security conference. The flaw affects a wide range of AMD chips produced since 2006 and enables attackers with kernel-level access to execute code within the processor’s System Management Mode (SMM). This allows the installation of persistent malware that can evade detection by antivirus software and survive operating system reinstallation.

IOActive demonstrated that the vulnerability could permit deep and difficult-to-remove compromises, in some cases requiring physical reprogramming of the system’s firmware to restore security. The discovery was considered significant because it challenged assumptions about the integrity of SMM protections and highlighted risks across a large number of consumer, enterprise, and embedded devices. AMD acknowledged the issue and released mitigations for its EPYC and Ryzen product lines, with updates for embedded products announced as forthcoming.^[8]