The collective vision, passion and hard work of the Red Balloon Security research team have made universally compatible security for embedded systems a reality.


Members of the Red Balloon Security team have led major DoD-funded research activities.

PIADC Facility

Commercializing tech for deployment

U.S. Government funded Red Balloon research to bring advanced on-device security with real-time detection to production-network building controllers.


Three-part satellite hacking workshop

Research for NyanSat resulted in a workshop for the Department of the Air Force and U.S. Defense Digital Service.


Everyday ATM security

Persistent bypass of Nautilus Hyosung's ATM security measures.


Defeating Cisco’s secure boot

Red Balloon discovered a vulnerability which allows an attacker to persistently bypass Cisco’s proprietary secure boot mechanism and lock out future updates.


Is your monitor displaying the truth?

Reversing and exploiting ubiquitous on-screen display controllers in modern monitors.


Defeating secure boot

Defeating modern secure boot using second-order pulsed electromagnetic fault injection.


The team at Red Balloon have published seminal research papers in the field of embedded security and established themselves as thought leaders in academic communities.

From prey to hunter: transforming legacy embedded devices into exploitation sensor grids.

Cui, Ang, Jatin Kataria, and Salvatore J. Stolfo. In Proceedings of the 27th Annual Computer Security Applications Conference, pp. 393-402. ACM, 2011.

BADFET: defeating modern secure boot using second-order pulsed electromagnetic fault injection.

Cui, Ang, and Rick Housley. In 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, vol. 180. 2017.

Utilizing electromagnetic emanations for out-of-band detection of unknown attack code in a programmable logic controller.

Boggs, Nathaniel, Jimmy C. Chau, and Ang Cui. Cyber Sensing 2018. Vol. 10630. International Society for Optics and Photonics, 2018.

Copyright 2018 Society of Photo-Optical Instrumentation Engineers. One print or electronic copy may be made for personal use only. Systematic reproduction and distribution, duplication of any material in this paper for a fee or for commercial purposes, or modification of the content of the paper are prohibited.

Automotive Exploitation Sandbox: A Hands-on Educational Introduction to Embedded Device Exploitation.

Boggs, Nathaniel; Cui, Ang; Kataria, Jatin; Laulheret, Philippe. escar USA: Embedded Security in Cars. 2018.

Symbiotes and defensive mutualism: Moving target defense.

Cui, Ang, and Salvatore J. Stolfo. In Moving target defense, pp. 99-108. Springer, New York, NY, 2011.

Concurrency Attacks.

Yang, Junfeng, Ang Cui, Salvatore J. Stolfo, and Simha Sethumadhavan. HotPar 12 (2012): 15.


Broadcom MediaxChange Vulnerability Affecting Cisco Products: July 2021

A vulnerability in the TrustZone implementation in certain Broadcom MediaxChange firmware allows access to the bootshell via special impulses on the chipset; exploitation then results in arbitrary code execution and privilege escalation.

HTTP parsing and bounds checking error vulnerability in Siemens PCX controllers: Sept 2021

Researchers demonstrated that a ROP chain attack could be used to execute arbitrary code.

Other Disclosures

Other vulnerability disclosures from the Red Balloon Security team.