Recent Articles

Europe is putting cybersecurity at risk: not by neglect, but by misunderstanding. The EU’s current approach to CVD treats vulnerability reporters like trespassers instead of allies, and confuses Coordinated Vulnerability Disclosure with bug bounty programmes. The result? Fewer reports and more silent vulnerabilities. If we want NIS2 and the CRA to be sucessful, we must fix this. Fast.

In just over a year, the first batch of CRA requirements will take effect: manufacturers will have to report actively exploited vulnerabilities contained in their products and severe incidents having an impact on the security of their products to ENISA, their member state, and the product’s users. But what exactly is the difference between exploited vulnerabilities and severe incidents?

After discovering a flaw in the login system of a major Belgian bank, I tried to report it through Belgium’s official vulnerability disclosure channels. Instead of support, I faced suspicion, bureaucracy, and resistance, from both the bank and the Centre for Cybersecurity Belgium. This post explores how Belgium’s CVD system is fundamentally broken, and what needs to change.

Academic paper @ ASIACCS 2024 — IoT devices interact with the physical world through sensing and actuation. Therefore, their presence introduces real privacy and safety risks. SA⁴P enables fine-grained control over which devices are allowed access to the physical world, and at what times. It also motivates developers to sense or actuate not more than needed.

Blog post @ Zühlke Insights — With the introduction of the CRA, the EU is the first government in the world to impose blanket cybersecurity requirements on all products. This post explains what products need to be CRA-compliant, what that entails, and how the CRA differs from NIS2.

Academic paper @ USENIX Security 2023 — Ideally, smart speakers should only be able to listen when they are spoken to (“Hey Siri!” ), but if so, how could they hear us call out to them? Kimya is a low-level framework that ensures that stand-by smart speakers cannot leak audio data and must forget what they heard immediately.

Academic paper @ ASIACCS 2022 — Hopper protects industrial networks by placing each device in its own virtual mini network. This minimizes an attacker’s ability to infect or hop between devices. We show how to achieve this without modifying the underlying network routes or structure. We include implementations on both general-purpose and embedded hardware.

Academic paper @ CRITIS 2021 — We analyze how and why today’s industrial network architectures and defenses are reaching their limits. We then introduce Tableau, thereby demonstrating the feasibility of alternative, modern, approaches.