
If the world is run by little ones and zeroes and little bits of data, the Duo Labs team are the mad scientists putting ‘em to work. Not only do we have our customers’ backs by serving up deep knowledge, we’re also dedicated to protecting the Internet more generally by identifying and fixing vulnerabilities on a broader scale. What does that look like? We build, we break, we reason. Our work spans the breadth of product prototyping, Internet scale research and analysis, vulnerability research and exploit development, and applications of data science and machine learning to address security problems. As a group our core goals are to Disrupt, to Derisk, and to Democratise complex security topics and to share our innovations in ways that make the greatest possible impact.

Research Projects


The Administrator's Guide to Passwordless

Learn all you need to know to determine for yourself why passwordless authentication can be more secure & usable than today’s leading authentication systems.

Data Companies Are Watching Me

Discover what happened when our engineer requested his data from location data brokers & learn why existing processes don't work for the average person.

Balancing Privacy and Security: Google Apple Contact Tracing

Learn how Google & Apple’s Exposure Notification API works & the security considerations that make it good for preserving user privacy & stopping bad actors.

The Invisible World of Near-Infrared Authentication

Duo Labs investigates how infrared imaging is used for authentication in facial recognition and vein scanning technologies.

TEMPEST@Home - Finding Radio Frequency Side Channels

An introductory guide to finding radio frequency side channels for data exfiltration.

The Good and Bad of Biometrics

Explore what properties of biometrics make them good or bad at defending against one threat but not another, then take a deeper look at specific technologies.

Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

Duo Labs’ CRXcavator tool used to uncover and remove a large-scale campaign of malvertising Chrome extensions.

Gamifying Data Science Education

Learn about how Duo’s data science team used gamification to teach data analysis skills in an interactive workshop.

Chain of Fools: An Exploration of Certificate Chain Validation Mishaps

Explore what can go wrong for developers when bad cryptographic advice on the internet turns into common implementations.

How to Monitor GitHub for Secrets

Learn about the problem of sensitive info getting published on version control systems and discover multiple ways to monitor GitHub for secrets.

Deciphering the Messages of Apple’s T2 Coprocessor

Learn about the communication channel between macOS & the new T2 secure boot chip. We illuminate the XPC messaging protocol & provide tools to explore yourself.

Anatomy of Twitter Bots: Amplification Bots

Duo Labs study on amplification bots: what they are and how they operate.

Secure Boot in the Era of the T2

An in-depth look at the new secure boot feature found in T2 enabled Apple devices.

MDM Me Maybe: Device Enrollment Program Security

Discover how an authentication weakness in Apple’s Device Enrollment Program can be used to leak information and potentially enroll rogue devices in MDM servers.

Labs Presents: What's Happening With RFID Blocking Gear?

With all the reports about criminals lifting information off credit cards, access cards, and even passports, does it make sense to buy one of those RFID-blocking sleeves and wallets? Duo Labs finds...

Don't @ Me: Hunting Twitter Bots at Scale

Duo Labs releases the results of a three-month-long research project on identifying Twitter bots and botnets at a large scale ahead of their talk at Black Hat USA 2018, along with plans to...

The Apple of Your EFI: Mac Firmware Security Research

The security research team at Duo known as Duo Labs has published a research paper on Apple’s EFI firmware security - learn more about their findings and recommendations, including a link to...

Beyond S3: Exposed Resources on AWS

It's not just S3 buckets that are exposed. Duo's security research team found a number of other publicly available Amazon Web Services (AWS) resources, including cloud backup and misconfigured...

Apple iMac Pro and Secure Storage

Duo's security team explores how the T2 coprocessor is being used by Apple and how it fits into the larger system security model, as well as how this may evolve in the future.

Microcontroller Firmware Recovery Using Invasive Analysis

Duo Labs security researchers show how to bypass microcontroller interfaces used for internet of things (IoT) devices. Learn more.

Reversing Objective-C Binaries With the REobjc Module for IDA Pro

Duo Labs performed an analysis of Objective-C binaries running on managed macOS endpoints in enterprise environments, using the Interactive Disassembler (IDA Pro) to perform disassembly and...

How Popular Web Services Handle Account Recovery

An examination of 12 popular web services shows distinct differences in how different providers implement account recovery. They all have different options, but Facebook and GitHub offer some of...

Bluetooth and Personal Protection Device Security Analysis

The Duo Labs team analyzes the Bluetooth security of several different personal protection devices to shed light on how secure these devices are, and if they can be tracked remotely or reveal...

Understanding Bluetooth Security

When it comes to Internet of Things (IoT) security research, you may run into roadblocks examining Bluetooth pairing and encryption between older devices and new ones - this blog post explains what...

Examining Personal Protection Devices: Hardware and Firmware Research Methodology in Action

In a technical paper released today, Duo Labs details research into two personal protection devices based on ARM Cortex M microcontrollers. These devices allow wearers to notify people of their...

State of the Auth: Experiences and Perceptions of Multi-Factor Authentication

Duo Labs conducted a U.S.-census-representative survey to learn more about two-factor authentication (2FA) usage, how people learned about it, which technologies they’ve used as a second factor,...

Phish in a Barrel: Hunting and Analyzing Phishing Kits at Scale

In a technical paper released today, Duo Labs details the results of a month-long experiment in which we hunted and analyzed over 3,200 unique phishing kits.

Bluetooth Hacking Tools Comparison

The Duo Labs security research team compares the features and capabilities of several Bluetooth scanners and software to best assist you in your security and IoT research.

Hunting Malicious npm Packages

Duo Labs analyzes npm packages and how attackers can use malicious packages to gain access to and control over systems.

New Open-Source Phishing Tools: IsThisLegit and Phinn

We're excited to announce two new open-source tools designed to help administrators prevent, manage, and respond to phishing attacks against their organization - IsThisLegit and Phinn.

Bug Hunting: Drilling Into the Internet of Things

In his latest bit of odd research, Duo Labs' Mark Loveless takes a closer look at IoT as he pulls apart a wireless drill, bit by bit.

Driving Headless Chrome With Python

Back in April, Google announced that it will be shipping Headless Chrome in Chrome 59. Since the respective flags are already available on Chrome Canary, the Duo Labs team thought it would be fun...

Flipping Bits and Opening Doors: Reverse Engineering the Linear Wireless Security DX Protocol

Here we explore the implementation of a legacy, but still actively marketed, wireless physical security system as well as how it undermines more advanced security controls. Several vulnerabilities...

HTTP/2 Peach Pit for Microsoft Edge

This peach pit implements the HTTP/2 protocol RFC-7540 and is targeted at Microsoft Edge. It has been run through about 150,000 iterations and traffic samples within this release were generated...

Duo in Space

This summer during DEF CON 24, Duo traveled to the Mojave Desert to launch a tricked-out weather balloon in pursuit of the first two-factor authentication push from the boundary of space. Find out...

Out-of-Box Exploitation: A Security Analysis of OEM Updaters

Shovelware, crapware, bloatware, “value added” - it goes by a lot of names - whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that OEM software is making us...

Bring Your Own Dilemma: OEM Laptops and Windows 10 Security

Security research team, Duo Labs, dissects OEM laptops to find out how secure they are - learn more about the privacy and security issues they found with laptop default settings, data collection...

X-Ray 2.0: Vulnerability Detection for Android Devices

X-Ray is an app anyone can download that safely scans for vulnerabilities on your Android phone or tablet, allowing you to assess your current mobile security risk.

Dude, You Got Dell’d: Publishing Your Privates

Recently, Duo Labs security researchers found a few sketchy certificates on a Dell Inspiron 14 laptop we purchased last week to conduct a larger research project. And we weren’t the only ones - a...

WoW64 and So Can You

Today, the Duo Labs team is publishing a research paper on the limitations of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) when applied to processes running under WoW64. Time and time...

History of Vulnerability Disclosure

Explore some of the more notable vulnerability disclosure moments in infosec history, all in one timeline for your reference.

BACKRONYM MySQL Vulnerability

A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name, sweet logo, and as much hype as we can...

Did I get Adobed?

We’ve set up a site where you can check the leaked Adobe data for affected users in your organization. If you haven’t already, it would be a good idea to reset the passwords for any affected users,...

PayPal 2FA Bypass

Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication

ReKey for Android

Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after,...

Google Two-Factor Bypass

An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP).

VPN Hunter

VPN Hunter is a service that discovers and classifies the VPNs and other remote access services of any organization. Given their nature, remote access services inherently must hang off the public...

Did I Get Gawkered?

If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with some strong two-factor authentication....

Tech Talks

What else is Duo Labs thinking about? Find out at our Tech Talks, where our security researchers give the inside scoop on their latest projects and host experts from across the industry showcasing their own cutting-edge work.
