Posts

Here is Tommaso Sacchetti demonstrating the BLERP peripheral impersonation attack against a vulnerable Android 13 build (2024). In this setup, an attacker in proximity impersonates a trusted mouse, triggers an unauthenticated re-pairing, and takes over the input channel.

Last summer, Marco Casagrande and I talked about E-Trojans: Ransomware, Tracking, DoS, and Data Leaks on Xiaomi Electric Scooters at Black Hat USA 2025. Our presentation is online:

The call for submission for the first edition of the DCS-CI conference is online. The Design of Cyber-Secure Critical Infrastructure (DCS-CI) 26 conference invites researchers, practitioners, and thought leaders to submit original work that advances our collective understanding of how to design, deploy, and maintain secure critical infrastructure systems.

I am excited to chair the WiSec Demo and Poster session. Please submit your great posters and demos via this HotCRP instance! All poster titles must be prefixed with POSTER: and all demo titles with DEMO:.

In mid 2024, Tom and I looked at BLE re-pairing, an underlooked attack surface. We uncovered four critical re-pairing attacks and design-level vulnerabilities that allow device impersonation and MitM of arbitrary devices in BLE range.

The DEF CON 33 Hackers’ Almanack just dropped. We would like to thank Paul Chang and their team for featuring CTRAPS in the Right to Repair section. Read and share the Almanack!

Marco and I talked about CTRAPS with Stephen Sims from Off By One Security about CTRAPS: CTAP Impersonation and API Confusion on FIDO2. Thank you Stephen and Randall for inviting us and keep up with the awesome content in your YouTube channel!

This week we presented at IEEE Euro S&P'25 CTRAPS: CTAP Impersonation and API Confusion on FIDO2, a paper about the security and privacy of FIDO2, a widespread standard used for single-factor and multi-factor authentication.

Mathy Vanhoef and I are co-chairing NDSS'26 Artifact Evaluation (AE). We are looking for motivated PhD and Postdocs to self-nominate themselves for the NDSS'26 Artifact Evaluation Committee (AEC). Joining it would offer them practical experience and may ease developing artifact submissions for their papers.

Alfred Menezes has published a fantastic online course on real-world cryptography called Crypto 101: Real-World Deployments. It is an honor to be featured in the Bluetooth Security Lecture (Lecture 4) which talks about the KNOB attack.