Publications

J. Robben and M. Vanhoef. Netfuzzlib: Adding First-Class Fuzzing Support to Network Protocol Implementations. To appear in the Proceedings of the European Symposium on Research in Computer Security (ESORICS), 2024.

M. Vanhoef and J. Robben. A Security Analysis of WPA3-PK: Implementation and Precomputation Attacks. In Proceedings of the 22nd International Conference on Applied Cryptography and Network Security (ACNS), 2024.

V. Vanderlinden, T. Van Goethem, and M. Vanhoef. Time Will Tell: Exploiting Timing Leaks Using HTTP Response Headers. In Proceedings of the European Symposium on Research in Computer Security (ESORICS), 2023.

N. Xue, Y. Malla, Z. Xia, C. Pöpper, and M. Vanhoef. Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables. USENIX Security Symposium, 2023.

V. Vanderlinden, W. Joosen, and M. Vanhoef. Can You Tell Me the Time? Security Implications of the Server-Timing Header. In Proceedings of the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), co-located with NDSS, 2023. Won the best paper award!

M. Vanhoef, X. Jiao, W. Liu, and I. Moerman. Testing and Improving the Correctness of Wi-Fi Frame Injection. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2023.

D. Schepers, A. Ranganathan, and M. Vanhoef. Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues. USENIX Security Symposium, 2023.

C. M. Stone, S. L. Thomas, M. Vanhoef, J. Henderson, N. Bailluet, and T. Chothia. The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. In Proceedings of the 29th ACM Conference on Computer and Communication Security (CCS 2022).

D. Schepers, A. Ranganathan, and M. Vanhoef. On the Robustness of Wi-Fi Deauthentication Countermeasures. In Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2022.

M. Vanhoef. A Time-Memory Trade-Off Attack on WPA3's SAE-PK. In Proceedings of the 9th ASIA Public-Key Cryptography Workshop (APKC), 2022.

C. M. Stone, S. L. Thomas, M. Vanhoef, J. Henderson, N. Bailluet, and T. Chothia. The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning. arXiv:2106.02623, 2021.

D. Schepers, A. Ranganathan, and M. Vanhoef. Let Numbers Tell the Tale: Measuring Security Trends in Wi-Fi Networks and Best Practices. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2021.

D. Schepers, M. Vanhoef, and A. Ranganathan. DEMO: A Framework to Test and Fuzz Wi-Fi Devices. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2021.

M. Vanhoef. Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation. In USENIX Security Symposium, 2021. See the fragattacks.com website for extra information.

T. Van Goethem, C. Pöpper, W. Joosen, and M. Vanhoef. Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections. In USENIX Security Symposium, 2020.

M. Vanhoef, P. Adhikari, and C. Pöpper. Protecting Wi-Fi Beacons from Outsider Forgeries. In 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2020.

M. Vanhoef and E. Ronen. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In Proceedings of the IEEE Symposium on Security & Privacy (SP '20). 2020. Won the Best Cryptographic Attack Award (Pwnie) at Black Hat USA!

D. Schepers and M. Vanhoef. Breaking WPA-TKIP Using Side-Channel Attacks. In Black Hat Briefings Europe, London, UK, 2019.

F. Goovaerts, G. Acar, R. Galvez, F. Piessens, and M. Vanhoef. Improving Privacy through Fast Passive Wi-Fi Scanning. In Proceedings of the 24th Nordic Workshop on Secure IT Systems (NordSec), 2019.

M. Vanhoef and E. Ronen. Dragonblood: Attacking the Dragonfly Handshake of WPA3. In Black Hat Briefings, USA, 2019.

D. Schepers, A. Ranganathan, and M. Vanhoef. Practical Side-Channel Attacks against WPA-TKIP. In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2019), 2019.

M. Vanhoef and F. Piessens. Release the Kraken: New KRACKs in the 802.11 Standard. In Proceedings of the 25th ACM Conference on Computer and Communication Security (CCS 2018), Toronto, Canada.

M. Vanhoef and F. Piessens. Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives. In USENIX Workshop on Offensive Technology (USENIX WOOT), 2018.

M. Vanhoef, N. Bhandaru, T. Derham, I. Ouzieli, and F. Piessens. Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks. In 11th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2018. [SPEC]

M. Vanhoef. Key Reinstallation Attacks: Breaking the WPA2 Protocol. In Black Hat Briefings Europe, London, UK, 2017. [SLIDES, RESEARCH PAPER]

M. Vanhoef and F. Piessens. Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake. In NeTCoM, 2017.

M. Vanhoef and F. Piessens. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In Proceedings of the 24th ACM Conference on Computer and Communication Security (CCS 2017), Dallas, USA, 30 October - 3 November 2017. Won the real-world impact award! [SLIDES]

M. Vanhoef. WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake. In Black Hat Briefings, USA, 2017. [SLIDES]

M. Vanhoef, D. Schepers, and F. Piessens. Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing. In Proceedings of the 12th ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2017), Abu Dhabi, United Arab Emirates, 2017. [PDF, SLIDES, SCRIPTS]

M. Vanhoef. A Security Analysis of the WPA-TKIP and TLS Security Protocols. PhD dissertation, KU Leuven, July 2016. PhD thesis, accepted summa cum laude. [SLIDES]

M. Vanhoef and F. Piessens. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys. In USENIX Security Symposium, 2016. [SLIDES, CODE]

T. Van Goethem, M. Vanhoef, F. Piessens, and W. Joosen. Request and Conquer: Exposing Cross-Origin Resource Size. In USENIX Security Symposium, 2016.

M. Vanhoef and T. Van Goethem. HEIST: HTTP Encrypted Information can be Stolen through TCP-windows. In Black Hat Briefings, USA, 2016. [SLIDES]

C. Matte, M. Cunche, F. Rousseau, and M. Vanhoef. Defeating MAC Address Randomization Through Timing Attacks. In 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2016.

M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In Proceedings of the 11th ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2016), Xi'an, China, 2016.

M. Vanhoef. A Case For Open Radio Software. Included in a comment submitted to the Federal Register regarding proposed software security rules for radio devices. You can view the formal comment addressing the FCC here.

M. Vanhoef and F. Piessens. All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS. In USENIX Security Symposium, 2015. Won the best student paper award! See www.rc4nomore.com for more info. [SITE, PDF, LIRIAS]

M. Vanhoef and F. Piessens. Advanced WiFi Attacks Using Commodity Hardware. In Annual Computer Security Applications Conference (ACSAC), 2014. [PDF, BIBTEX, LIRIAS, CODE]

W. De Groef, D. Devriese, M. Vanhoef, and F. Piessens. Information flow control for web scripts. In Lecture Notes in Computer Science, volume 8604, 2014. [PDF, BIBTEX, LIRIAS]

M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, and T. Rezk. Stateful Declassification Policies for Event-Driven Programs. In 27th Computer Security Foundations Symposium (CSF 2014), Vienna, Austria, 2014. [PDF, BIBTEX, LIRIAS, FlowFox]

M. Vanhoef and F. Piessens. Practical Verification of WPA-TKIP Vulnerabilities. In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2013), Hangzhou, China, 2013. [PDF, BIBTEX, LIRIAS]

M. Vanhoef. Privacy in Databases. Master Thesis, Hasselt University, 2012. Under supervision of Jan Van den Bussche.

Presentations


TunnelCrack: Leaking VPN Traffic by Manipulating Routing Tables, given at Black Hat Europe, London, UK, 6 December 2023.

Breaking & Disrupting WPA2/3 Networks by Abusing Sleep Mode, given at BruCON, Mechelen, Belgium, 29 September 2023.

Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues, given by invitation at the CRYPTO Workshop on Attacks (WAC6), 20 August 2023, Santa Barbara, US (talk by Aanjhan).

Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables, given at USENIX Security, Anaheim, USA, 11 August 2023.
 
Recent Wi-Fi attacks & defenses: general lessons learned & open problems, given at the Summer School: Cyber in Sophia Antipolis (8th edition), Nice, France, July 5, 2026.
 
Testing and Improving the Correctness of Wi-Fi Frame Injection, given at WiSec, United Kingdom, May 31, 2023.
 
 
Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues, given at Real-World-Crypto (RWC), Tokyo, Japan, on 27 March, 2023.
 
Leaking & Injecting Wi-Fi Traffic and the Ethics of Surveying Networks, given at New York University (NYU) Abu Dhabi on 23 March, 2023.
 
Detecting Wi-Fi Networks Vulnerable to FragAttacks: Feasible, but also Ethical?, given at TU Graz on 3 February, 2023.
 
Detecting Wi-Fi Networks Vulnerable to FragAttacks: Feasible, but also Ethical?, given at Northeastern University on 13 January, 2023.

Fuzzing Network Protocol Implementations, given at the Summer School on Security Testing and Verification as an invited speaker, 20 September 2022, Leuven, Belgium.

Attacking WPA3: New Vulnerabilities & Exploit Framework, given at HITBSecConf Singapore on August 25, 2022.

Analysis of Protected Management Frames and WPA3's SAE-PK, given at the CRYPTO Workshop on Attacks (WAC5) as an invited speaker, 14 August 2022, Santa Barbara, US (talk given online).
 
Bypassing Internet and Rate Limits by Committing SYNs, given at TyphoonCon, 23 June, 2022, Seoul, South Korea.

Recent Wi-Fi attacks and defenses: general lessons learned and open problems, given at the Summer School on real-world crypto and privacy as an invited speaker, 17 June 2022, Šibenik, Croatia.
 
FragAttacks: Recent Flaws in WPA2/3 and New Defenses, given at GISEC, March 21-23, 2022, Dubai, UAE.
 
Exploiting WPA3 Networks: New Vulnerabilities and Defenses, given at PoC 2021, November 11-12, 2021, Virtual.

Wireless network security: recent advancements and open challenges, given at Ericsson, 9 September 2021, Virtual.
 
Fragment and Forge: Fragmentation and Aggregation Flaws in Wi-Fi, given at the CRYPTO Workshop on Attacks (WAC4), 15 August 2021, Santa Barbara, US (recorded talk).
 
Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, given at USENIX Security, 11 August 2021, Virtual.
 
Timeless Timing Attacks, given at DEF CON, 5-8 August 2021, Virtual.

FragAttacks: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, given at Black Hat US, 4-5 August 2021, Virtual.
 
Timeless Timing Attacks, given at Black Hat US, 4-5 August 2021, Virtual.
 
Wireless network security: recent advancements and open challenges, given at DRADS, 13 July 2021, Belgium (Virtual).
 
Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, given at ETH Zurich, 10 June 2021, Virtual.

Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, given at Tel Aviv University, 26 May 2021, Virtual.

Abusing Wi-Fi Beacons and Detecting & Preventing Attacks, given as a Black Hat WebCast, September 17, 2020.
 
Protecting WiFi Beacons from Outside Forgeries, given at DEF CON Safe Mode Red Team Village, 18 August 2020, Virtual Event.

Protecting Wi-Fi Beacons from Outsider Forgeries, given at WiSec, 9 July 2020, Linz, Austria (Virtual Event).
 
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd, given at the Real World Crypto conference at New York. 10 January 2020.

Dragonblood: Attacking the Dragonfly Handshake of WPA3 and EAP-pwd, given at New York University, New York. 7 January 2020.

Dragonblood: Attacking the Dragonfly Handshake of WPA3 and EAP-pwd, given at UHasselt, Belgium. 12 December 2019.

Dragonblood: Weaknesses in WPA3’s Dragonfly Handshake, given at BruCON on 11 October 2019, Belgium.

Dragonblood: A Security Analysis of WPA3’s SAE Handshake, given at the CRYPTO Workshop on Attacks (WAC) as an invited speaker, 17 August 2019, Santa Barbara, US.

Dragonblood: Attacking the Dragonfly Handshake of WPA3, given at Black Hat Briefings 2019, Las Vegas, Nevada. Won the Pwnie Award for best cryptographic attack!

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd, given at the Applied Networking Research Workshop (ANRW) as an invited speaker on 22 July 2019, Montreal, Canada.

Rooting Routers Using Symbolic Execution (updated talk), given at OPCDE on 20 April 2019, Dubai, UAE.

Rooting Routers Using Symbolic Execution, given at IT-Defense on 7 February 2019, Stuttgart, Germany.

Rooting Routers Using Symbolic Execution, given at HITB DXB on 27 November 2018, Dubai, UAE.

Release the Kraken: new KRACKs in the 802.11 Standard, given at CCS'18 on 16 October 2018, Toronto, Canada.

Advanced Wi-Fi Attacks Using Commodity Hardware (updated talk), given at BruCON on 3 October 2018, Belgium.

KRACKing WPA2 and Mitigating Future Attacks, given at NYU Abu Dhabi on 26 August 2018, Abu Dhabi, UAE.

KRACKing WPA2 and Mitigating Future Attacks, given at the CRYPTO Workshop on Attacks (WAC) as an invited speaker, 18 August 2018, Santa Barbara, US.

Symbolic Execution of Security Protocol Implementations: Handling Cryptographic Primitives, given at USENIX WOOT, 14 August 2018, Baltimore, US.

KRACKing WPA2 by Forcing Nonce Reuse, given at HackPra, Ruhr-Universität Bochum, 18 July 2018, Germany.

KRACKing WPA2 by Forcing Nonce Reuse, given at Chalmers University, 21 June 2018, Sweden.

Operating Channel Validation: Preventing Multi-Channel Man-in-the-Middle Attacks Against Protected Wi-Fi Networks, given at WiSec, 18 June 2018, Stockholm, Sweden.

How WPA2 got KRACKed using Key Reinstallation Attacks, given at ITF, 24 May 2018, Belgium.

KRACKing WPA2 using Key Reinstallation Attacks, given at SWIFT, 17 May 2018, Belgium.

Improved KRACK Attacks Against WPA2 Implementations, given at OPCDE, 7 April 2018, in Dubai, UAE.

KRACKing WPA2 by forcing Nonce Reuse, given at the OWASP Chapter Meeting Brussels, 19 March 2018, in Belgium.

KRACKing WPA2 by forcing Nonce Reuse, given at Nullcon, 2 March 2018, in Goa, India.

KRACKing WPA2 in Practice Using Key Reinstallation Attacks, given at Microsoft BlueHatIL security conference as an invited speaker, 24 January 2018, in Tel Aviv, Israel.

KRACKing WPA2 by Forcing Nonce Reuse, given at the 34th Chaos Communication Congress (34C3), 27 December 2017 in Leipzig, Germany.

Key Reinstallation Attacks: Breaking the WPA2 Protocol, given at Black Hat Briefings Europe, 7 December 2017, London.

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, given at CCS 2017, October 1, 2017.

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, keynote given at Wi-Fi Alliance meeting Bucharest, October 24, 2017.

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws, given as a Black Hat WebCast, August 24, 2017.

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake, given at Black Hat Briefings 2017, Las Vegas, Nevada. [PDF]

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing, given at ASIA CCS 2017, 2-6 April, Abu Dhabi, United Arab Emirates. [PDF]

Predicting and Abusing WPA2/802.11 Group Keys, given at the 33rd Chaos Communication Congress (33C3), 27-30 December 2016 in Hamburg, Germany. [PDF]

Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys, given at USENIX Security Symposium 2016, 11-13 August in Austin, Texas. [PDF]

HEIST: HTTP Encrypted Information can be Stolen through TCP-windows, given at Black Hat Briefings 2016, Las Vegas, Nevada. [PDF]

A Security Analysis of the WPA-TKIP and TLS Security Protocols. Public PhD defense, given on 4 July 2016 in Leuven, Belgium. [PDF]

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, given at USENIX ATC 2016 as an invited speaker, 22-24 June in Denver, Colorado.

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, given at OWASP Chapter Meeting on 23 May 2016 in Mechelen, Belgium.

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, given at DRADS 2016, 14-15 April in Leuven, Belgium.

Advanced WiFi Attacks Using Commodity Hardware, given at BruCON 2015, 8-9 October in Ghent, Belgium [PDF]. Extended and more practically oriented presentation of the ACSAC presentation. View on YouTube!

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS, given at USENIX Security 2015, 12-14 August in Washington D.C. [PDF].

Advanced WiFi Attacks Using Commodity Hardware, given at ACSAC 2014, 10-12 December in New Orleans, Louisiana [PDF].

Stateful Declassification Policies for Event-Driven Programs, given at Computer Security Foundations (CSF 2014), 19-22 July in Vienna, Austria [PDF].

The Insecurity of Wi-Fi, given at DRADS 2014, 15-16 May in Leuven, Belgium.

Jammin' Like a Boss: Breaking Bad Wireless, given at HackFu 2013, 28-90 June in Norfolk, United Kingdom.

Practical Verification of TKIP Vulnerabilities, given at ASIA CCS 2013, 7-10 May 2013 in Hangzhou, China.

Stateful Declassification Policies, given at DRADS 2013, 25-26 April in Leuven, Belgium.

Informal Presentation on Vulnerabilities Found in WPA-TKIP, given at KU Leuven, 30 October 2012. This was an informal presentation, and is included here to distribute additional slides.

How you could be hacked, given at AFC café 2012, 25 October in Leuven, Belgium.

New flaws in WPA-TKIP, given at BruCON 2012, 26-27 September in Ghent, Belgium.

How you could be hacked, given at TEDxUhasselt Salon 2012, 23 February at UHasselt, Belgium.