Our Research

Prototyping new features and products, interpreting and analyzing data, building internal tools... and bringing to life wild ideas.

  • Flipping Bits and Opening Doors: Reverse Engineering the Linear Wireless Security DX Protocol

    Here we explore the implementation of a legacy, but still actively marketed, wireless physical security system as well as how it undermines more advanced security controls....

  • HTTP/2 Peach Pit for Microsoft Edge

    This peach pit implements the HTTP/2 protocol RFC-7540 and is targeted at Microsoft Edge. It has been run through about 150,000 iterations and traffic samples within this...

  • Duo in Space

    This summer during DEF CON 24, Duo traveled to the Mojave Desert to launch a tricked-out weather balloon in pursuit of the first two-factor authentication push from the...

  • Out-of-Box Exploitation: A Security Analysis of OEM Updaters

    Shovelware, crapware, bloatware, “value added” - it goes by a lot of names - whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that...

  • X-Ray 2.0: Vulnerability Detection for Android Devices

    X-Ray is an app anyone can download that safely scans for vulnerabilities on your Android phone or tablet, allowing you to assess your current mobile security risk.

  • Dude, You Got Dell’d: Publishing Your Privates

    Recently, Duo Labs security researchers found a few sketchy certificates on a Dell Inspiron 14 laptop we purchased last week to conduct a larger research project. And we...

  • WoW64 and So Can You

    Today, the Duo Labs team is publishing a research paper on the limitations of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) when applied to processes running...

  • BACKRONYM MySQL Vulnerability

    A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name, sweet logo, and...

  • Did I get Adobed?

    We’ve set up a site where you can check the leaked Adobe data for affected users in your organization. If you haven’t already, it would be a good idea to reset the...

  • PayPal 2FA Bypass

    Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication

  • ReKey for Android

    Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all...

  • Google Two-Factor Bypass

    An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's...

  • VPN Hunter

    VPN Hunter is a service that discovers and classifies the VPNs and other remote access services of any organization. Given their nature, remote access services inherently...

  • Did I Get Gawkered?

    If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with some strong...
