Recent Publications

Google’s Nearby Connections API enables any Android (and Android Things) application to provide proximity-based services to its …

Anomaly detection for industrial control systems (ICS) can leverage process data to detect malicious deviations from expected process …

Our work considers the challenges related to education and research about the security of industrial control systems (ICS). We propose …

In this work, we compare the performance of a passive eavesdropper in 802.11b/n/ac WLAN networks. In particular, we investigate the …

Industrial Control Systems (ICS) commonly rely on unencrypted and unauthenticated communication between devices such as Programmable …

In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are …

In recent years, tremendous effort has been spent on modernizing communication infrastructure in Cyber-Physical Systems (CPS) such as …

Selected Publications

Google’s Nearby Connections API enables any Android (and Android Things) application to provide proximity-based services to its users, regardless of their network connectivity. The API uses Bluetooth BR/EDR, Bluetooth LE and Wi-Fi to let “nearby” clients (discoverers) and servers (advertisers) connect and exchange different types of payloads. The implementation of the API is proprietary, closed-source and obfuscated. Updates of the API are automatically installed by Google across different versions of Android, without user interaction. Little is known publicly about the security guarantees offered by the API, even though it presents a significant attack surface. In this work we present the first security analysis of Google’s Nearby Connections API, based on reverse-engineering of its Android implementation. We discover and implement several attacks grouped into two families: connection manipulation attacks (CMA) and range extension attacks (REA). CMA-attacks allow an attacker to insert himself as a man-in-the-middle and manipulate connections (even ones unrelated to Nearby), and to tamper with the victim’s interface and network configuration. REA-attacks allow an attacker to tunnel any Nearby connection to remote locations, even between two honest devices. Our attacks are enabled by REArby, a toolkit we developed while reversing the API implementation. REArby includes a dynamic binary instrumenter, a packet dissector, and implementations of a custom Nearby Connections client and server. We plan to open-source REArby after a responsible disclosure period.
NDSS, 2018

In recent years, tremendous effort has been spent on modernizing communication infrastructure in Cyber-Physical Systems (CPS) such as Industrial Control Systems (ICS) and related Supervisory Control and Data Acquisition (SCADA) systems. While a great amount of research has been conducted on the network security of office and home networks, the security of CPS and related systems has only recently gained increased attention. Unfortunately, real-world CPS are often not open to security researchers, and as a result very few reference physical-layer processes, control systems and communication topologies are available. In this work, we present MiniCPS, a toolkit intended to alleviate this problem. The goal of MiniCPS is to create an extensible, reproducible research environment for network communications, control systems, and physical-layer interactions in CPS. Instead of focusing on customized simulation settings for specific subsystems, the main goal is to establish a framework to connect together real CPS software and hardware, simulation scripts for such components, and physical-layer simulation engines. MiniCPS builds on Mininet to provide lightweight real-time network emulation, and extends Mininet with tools to simulate typical CPS components such as programmable logic controllers, which use industrial protocols (e.g., EtherNet/IP, Modbus/TCP). To capture physical-layer interactions, MiniCPS defines a simple API to connect to physical-layer simulations. We demonstrate applications of MiniCPS in two example scenarios, and show how MiniCPS can be used to develop attacks and defenses that are directly applicable to real systems.
CPS-SCP (co-located with ACM CCS), 2015

Recent Posts

After the post about connecting to SUTD’s VPN, it is now time to connect to eduroam! Again, SUTD’s IT support for (Arch) Linux at …

I’ve recently come across the problem of connecting to the SUTD VPN server from overseas. SUTD’s IT support for (Arch) …

Teaching

  • Summer 2018: TA Security Principles (SPR) MSc, University of Oxford UK, Prof K.B. Rasmussen
    • CIA, Authentication, Cryptography, RSA, Protocols
    • Exercises and presentation of Scyther
  • Fall 2017: TA 50.012 Networks BSc, SUTD Singapore, Prof N.O. Tippenhauer
    • TCP/IP, UDP, BGP, SDN, HTTP, REST, TLS, tunnels, NAT
    • Lab session, grading, office hours
  • Spring 2017: TA 50.020 Security BSc, SUTD Singapore, Prof N.O. Tippenhauer
    • CIA, Cryptography, Exploitation, TLS, CTF, Network Security
    • Lab session, grading, office hours
  • 2013-2015: Private teacher
    • Grad/undergrad: linear algebra, calculus, programming (C, Pascal)
    • High school: math, physics, programming (C++)
  • 2013: External Professor for High School Final Exams (Italy)
    • LAMP, SQL, PHP, JS, relational DB, MVC, HTTP(S)

Contact