Mathy Vanhoef
@vanhoefm
Prof. @KU_Leuven | Ex-Postdoc NYU | Network Security & Crypto | FragAttacks & KRACK | https://bsky.app/profile/vanhoefm.bsky.social
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9-month embargo; over this time a lot of info has been collected and that info is now available at fragattacks.com
New version of the IEEE 802.11 standard that underpins Wi-Fi has been released. A total of 5969 pages! The number of pages clearly keeps increasing. That includes more features to defend networks, but also more features to potentially abuse.

Latest ranking of cybersecurity conferences and journals by Google Scholar - scholar.google.com/citations?view… All 13 cybersecurity conferences in the Google list are also in the list of top 15 - jianying.space/conference-ran… #cybersecurity, #ranking
Seriously considering just disabling our old forums (that were already in archived/read-only mode) entirely for good, the AI scrapers are completely out of control.
A Dutch bank (Triodos Bankieren NL) has added explicit support for GrapheneOS and will be testing it going forward: github.com/PrivSec-dev/ba… They join a growing number of banking apps actively permitting users to use a much more secure device instead of trying to ban it instead.
Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story:
Perhaps one of the most badass CVE's I've ever seen from @midwestneil 💪😤 cisa.gov/news-events/ic…
Chinese mobile OS platform, Harmony OS NEXT, was intended for a talk at BH on security but has been pulled for unspecified reasons.
Sorry for withdrawing our talk due to unforeseen circumstances beyond our control.
The CFP for Black Hat Europe has already started! If you have research worth sharing, I invite you to submit before the deadline on August 11. I'm leading the Exploit Dev & Vulnerability Discovery track this year and can't wait to read your submissions! blackhat.com/call-for-paper…
Belgian universities typically like candidates with experience abroad. Doing a stay abroad could now imply paying extra taxes.
Also an important aspect for those thinking about emigrating: "The new tax will also apply on unrealized capital gains in following cross-border situations: when the taxpayer transfers his/her tax residence outside Belgium;" bdo.be/en-gb/insights… x.com/FinanceFilosoo…
Huh, I didn't realize that the vibe-coded vulns inserted into 5 LTS kernels that still aren't fixed 22 days later haven't been fixed because the person who inserted them is busy telling everyone at a conference how great the AI he used to insert the vulns (that he didn't find) is
2-country author papers were the most successful in getting accepted at @NDSSSymposium 2025. No single-author paper accepted this year, but 10 papers from 2 authors and 2 papers from 11 authors. These and more statistics from NDSS’25 are available now: ndss-symposium.org/wp-content/upl…
Ideally all papers should publish their code. You can help realize this by applying to be an artifact reviewer at NDSS'26. You'll get to review artifacts of accepted papers. We especially encourage junior/senior PhD students & PostDocs to apply: docs.google.com/forms/d/e/1FAI…
Back in 1991, I joined a small startup as employee #6. The company was Data Fellows, and my role was to reverse-engineer viruses. Over time, Data Fellows became F-Secure and later split into F-Secure and WithSecure. For 34 years, I’ve been fighting malware.
Employee page is saying "Avoid long email signatures—each email contributes to CO₂ emissions, especially those with images". 🙃
All papers should publish their code. Help realize this by becoming an artifact reviewer at NDSS'26. You'll get to review artifacts of accepted top papers. We especially encourage junior/senior PhD students & PostDocs to help. Awards will be given to distinguished reviewers.