Selected Publications

After discovering a flaw in the login system of a major Belgian bank, I tried to report it through Belgium’s official vulnerability disclosure channels. Instead of support, I faced suspicion, bureaucracy, and resistance, from both the bank and the Centre for Cybersecurity Belgium. This post explores how Belgium’s CVD system is fundamentally broken, and what needs to change.

Academic paper @ ASIACCS 2024 — IoT devices interact with the physical world through sensing and actuation. Therefore, their presence introduces real privacy and safety risks. SA⁴P enables fine-grained control over which devices are allowed access to the physical world, and at what times. It also motivates developers to sense or actuate not more than needed.

Blog post @ Zühlke Insights — With the introduction of the CRA, the EU is the first government in the world to impose blanket cybersecurity requirements on all products. This post explains what products need to be CRA-compliant, what that entails, and how the CRA differs from NIS2.

Academic paper @ USENIX Security 2023 — Ideally, smart speakers should only be able to listen when they are spoken to (“Hey Siri!” ), but if so, how could they hear us call out to them? Kimya is a low-level framework that ensures that stand-by smart speakers cannot leak audio data and must forget what they heard immediately.

Academic paper @ ASIACCS 2022 — Hopper protects industrial networks by placing each device in its own virtual mini network. This minimizes an attacker’s ability to infect or hop between devices. We show how to achieve this without modifying the underlying network routes or structure. We include implementations on both general-purpose and embedded hardware.

Academic paper @ CRITIS 2021 — We analyze how and why today’s industrial network architectures and defenses are reaching their limits. We then introduce Tableau, thereby demonstrating the feasibility of alternative, modern, approaches.