Skip navigation

If the world is run by little ones and zeroes and little bits of data, the Duo Labs team are the mad scientists putting ‘em to work. Not only do we have our customers’ backs by serving up deep knowledge, we’re also dedicated to protecting the Internet more generally by identifying and fixing vulnerabilities on a broader scale. What does that look like? We build, we break, we reason. Our work spans the breadth of product prototyping, Internet scale research and analysis, vulnerability research and exploit development, and applications of data science and machine learning to address security problems. As a group our core goals are to Disrupt, to Derisk, and to Democratise complex security topics and to share our innovations in ways that make the greatest possible impact.

Research Projects

  • Label Legend

  • paper
  • website
  • app
  • github
  • video

The Apple of Your EFI: Mac Firmware Security Research

The security research team at Duo known as Duo Labs has published a research paper on Apple’s EFI firmware security - learn more about their findings and recommendations, including a link to...

Microcontroller Firmware Recovery Using Invasive Analysis

Duo Labs security researchers show how to bypass microcontroller interfaces used for internet of things (IoT) devices - these invasive attacks require physical access to typical microcontrollers.

Flipping Bits and Opening Doors: Reverse Engineering the Linear Wireless Security DX Protocol

Here we explore the implementation of a legacy, but still actively marketed, wireless physical security system as well as how it undermines more advanced security controls. Several vulnerabilities...

HTTP/2 Peach Pit for Microsoft Edge

This peach pit implements the HTTP/2 protocol RFC-7540 and is targetted at Microsoft Edge. It has been run through about 150,000 iterations and traffic samples within this release were generated...

Duo in Space

This summer during DEF CON 24, Duo traveled to the Mojave Desert to launch a tricked-out weather balloon in pursuit of the first two-factor authentication push from the boundary of space. Find out...

Out-of-Box Exploitation: A Security Analysis of OEM Updaters

Shovelware, crapware, bloatware, “value added” - it goes by a lot of names - whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that OEM software is making us...

X-Ray 2.0: Vulnerability Detection for Android Devices

X-Ray is an app anyone can download that safely scans for vulnerabilities on your Android phone or tablet, allowing you to assess your current mobile security risk.

Dude, You Got Dell’d: Publishing Your Privates

Recently, Duo Labs security researchers found a few sketchy certificates on a Dell Inspiron 14 laptop we purchased last week to conduct a larger research project. And we weren’t the only ones - a...

WoW64 and So Can You

Today, the Duo Labs team is publishing a research paper on the limitations of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) when applied to processes running under WoW64. Time and time...

BACKRONYM MySQL Vulnerability

A new and serious vulnerability has been identified in a popular software library. How do we know it's serious? Because the vulnerability has a clever name, sweet logo, and as much hype as we can...

Did I get Adobed?

We’ve set up a site where you can check the leaked Adobe data for affected users in your organization. If you haven’t already, it would be a good idea to reset the passwords for any affected users,...

PayPal 2FA Bypass

Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication

ReKey for Android

Earlier this month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after,...

Google Two-Factor Bypass

An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP).

VPN Hunter

VPN Hunter is a service that discovers and classifies the VPNs and other remote access services of any organization. Given their nature, remote access services inherently must hang off the public...

Did I Get Gawkered?

If you're an administrator who runs a website or service where your users are logging in with only a password, now is the time to beef up your security with some strong two-factor authentication....

Tech Talks

What else is Duo Labs thinking about? Find out at our Tech Talks, where our security researchers give the inside scoop on their latest projects and host experts from across the industry showcasing their own cutting-edge work.

See All Tech Talks

Duo Labs on Twitter

Follow us @duo_labs

Our Team

Do you like tinkering with tech and deconstructing it for discovery’s sake? Think security can make a serious impact but you don’t take yourself too seriously? Want to work on wild, unthinkable ideas? You might be the right match for Duo Labs’ band of misfits. Visit the Duo careers page to see how we’re looking to grow our team.

Olabode Anise
Olabode Anise
James Barclay
James Barclay
Pepijn Bruienne
Pepijn Bruienne
Ernest Chan
Ernest Chan
Mikhail Davidov
Mikhail Davidov
Adam Goodman
Adam Goodman
Mike Hanley
Mike Hanley
Brian Lindauer
Brian Lindauer
Mark Loveless
Mark Loveless
Todd Manning
Todd Manning
Steve Manzuik
Steve Manzuik
Edward Marczak
Edward Marczak
Stefano Meschiari
Stefano Meschiari
Jon Oberheide
Jon Oberheide
Rich Smith
Rich Smith
Nick Steele
Nick Steele
Bronwyn Woods
Bronwyn Woods
Jordan Wright
Jordan Wright
folded mesh abstract computer generated illustration.