Posts

CTRAPS at Euro S&P'25 and DEF CON 33

This week we presented at IEEE Euro S&P'25 CTRAPS: CTAP Impersonation and API Confusion on FIDO2, a paper about the security and privacy of FIDO2, a widespread standard used for single-factor and multi-factor authentication. We focus on the Client to Authenticator Protocol (CTAP), an application layer protocol spoken by a FIDO2 authenticator (e.g., a YubiKey) and a client (e.g., a smartphone or a laptop). We uncover seven CTAP design issues in the FIDO2 standard, including the lack of Client to Authenticator authentication, and eleven related new attacks we call CTRAPS.

Jul 4, 2025 2 min read
NDSS'26 Artifact Evaluation Comitee Self-Nomination

Mathy Vanhoef and I are co-chairing NDSS'26 Artifact Evaluation (AE).

We are looking for motivated PhD and Postdocs to self-nominate themselves for the NDSS'26 Artifact Evaluation Committee (AEC). Joining it would offer them practical experience and may ease developing artifact submissions for their papers.

Jun 13, 2025 1 min read
KNOB Attack and Crypto 101 by Alfred Menezes

Alfred Menezes has published a fantastic online course on real-world cryptography called Crypto 101: Real-World Deployments.

It is an honor to be featured in the Bluetooth Security Lecture (Lecture 4) which talks about the KNOB attack.

Apr 1, 2025 1 min read
CFP: ACSW 2025

The call for papers for the 4th Workshop on Automotive Cyber Security (ACSW) co-located with IEEE EuroS&P 2025 is closing today, Feb 3rd AoE. Please submit your automotive security work!
Feb 3, 2025 1 min read
The AttackDefense Framework (ADF)

We release the AttackDefense Framework (ADF), a threat modeling framework for IoT devices and their life cycles. The ADF employs a flexible and generic threat data structure called the AttackDefense (AD) object. An AD can model attack and defense aspects, like attack vectors, surfaces, models and defense policies and mechanisms, at the same time.
Dec 17, 2024 1 min read
FP-tracer PETS'24 Paper and Artifact

Modern websites use attribute-based browser fingerprinting to track us(ers) using our browser’s JavaScript API. They can track us without cookies, and regardless of what we click on websites’ consent banners.
Jul 1, 2024 1 min read
E-Spoofer and BLUFFS Talks at THCON'24

Salut, Marco Casagrande will talk about E-Spoofer and I will talk about BLUFFS at the 2024 Toulouse Hacking Convention (THCON)! Both research works are funded by the ORSHIN Horizon Europe research grant.

  • E-Spoofer talk: 4th April 2024, 10:15-10:45
  • BLUFFS talk: 4th April 2024, 11:15-10:45
  • Where: Marthe Condat auditorium, Paul Sabatier University, Toulouse
  • THCON program

See you in Toulouse 🇫🇷 at THCON'24

Mar 13, 2024 1 min read
Recorded BLUFFS Talk at 37c3

YouTube

Media CCC

More

here.

Dec 30, 2023 1 min read
BLUFFS Talk at 37c3

See you in Hamburg 🇩🇪 at 37c3

Schedule

Dec 22, 2023 1 min read
BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses

Breaking and fixing the Bluetooth standard. One More Time.

One More Time

Nov 27, 2023 1 min read