Recent Articles

CRA reporting obligations explained

12 September 2025·3 mins

In just over a year, the first batch of CRA requirements will take effect: manufacturers will have to report actively exploited vulnerabilities contained in their products and severe incidents having an impact on the security of their products to ENISA, their member state, and the product’s users. But what exactly is the difference between exploited vulnerabilities and severe incidents?

Belgian CVD is deeply broken

8 July 2025·18 mins

After discovering a flaw in the login system of a major Belgian bank, I tried to report it through Belgium’s official vulnerability disclosure channels. Instead of support, I faced suspicion, bureaucracy, and resistance, from both the bank and the Centre for Cybersecurity Belgium. This post explores how Belgium’s CVD system is fundamentally broken, and what needs to change.

The SA⁴P Framework: Sensing and Actuation as a Privilege ↗ ↖

1 June 2024

Academic paper @ ASIACCS 2024 — IoT devices interact with the physical world through sensing and actuation. Therefore, their presence introduces real privacy and safety risks. SA⁴P enables fine-grained control over which devices are allowed access to the physical world, and at what times. It also motivates developers to sense or actuate not more than needed.

Cyber Resilience Act: how the EU security regulation affects business ↗ ↖

29 May 2024

Blog post @ Zühlke Insights — With the introduction of the CRA, the EU is the first government in the world to impose blanket cybersecurity requirements on all products. This post explains what products need to be CRA-compliant, what that entails, and how the CRA differs from NIS2.

Hey Kimya, Is My Smart Speaker Spying on Me? Taking Control of Sensor Privacy Through Isolation and Amnesia ↗ ↖

9 August 2023

Academic paper @ USENIX Security 2023 — Ideally, smart speakers should only be able to listen when they are spoken to (“Hey Siri!” ), but if so, how could they hear us call out to them? Kimya is a low-level framework that ensures that stand-by smart speakers cannot leak audio data and must forget what they heard immediately.

Hopper: Per-Device Nano Segmentation for the Industrial IoT ↗ ↖

30 May 2022

Academic paper @ ASIACCS 2022 — Hopper protects industrial networks by placing each device in its own virtual mini network. This minimizes an attacker’s ability to infect or hop between devices. We show how to achieve this without modifying the underlying network routes or structure. We include implementations on both general-purpose and embedded hardware.

Tableau: Future-Proof Zoning for OT Networks ↗ ↖

27 September 2021

Academic paper @ CRITIS 2021 — We analyze how and why today’s industrial network architectures and defenses are reaching their limits. We then introduce Tableau, thereby demonstrating the feasibility of alternative, modern, approaches.