Romain Cayre

BIO

I’m an assistant professor in the Software and System Security (S3) group at EURECOM, having previously been a post-doctoral researcher in the same group since July 2022. Before joining EURECOM, I obtained a PhD in Computer Science from the Institut National des Sciences Appliquées (INSA) Toulouse. My PhD thesis is titled “Offensive and defensive approaches for wireless communication protocols in IoT”. I’m a former student of INSA Toulouse and TLS-SEC, where I studied Computer Science, Networks and Security.

My research interests are related to wireless security, IoT security and embedded systems security. My main contributions are:

  • WazaBee, a cross-protocol pivoting attack that makes it possible to receive and transmit arbitrary 802.15.4 packets from a diverted BLE transceiver,
  • InjectaBLE, an attack that makes it possible to inject arbitrary packets into an ongoing Bluetooth Low Energy connection by leveraging a race condition in the Link Layer clock drift compensation mechanism,
  • Mirage, an offensive framework that facilitates the development and automation of offensive scenarios targeting various wireless protocols (Bluetooth Low Energy, ZigBee, Enhanced ShockBurst...),
  • OASIS, a defensive framework that generates embedded detection software and injects it into Bluetooth Low Energy controllers.

I am the main maintainer of Mirage, an offensive framework for wireless communication protocols.


PUBLICATIONS

OASIS: An Intrusion Detection System Embedded in Bluetooth Low Energy Controllers
Romain Cayre, Vincent Nicomette, Guillaume Auriol, Mohamed Kaâniche and Aurélien Francillon
Proceedings of the 2024 ACM Asia Conference on Computer and Communications Security (ASIACCS).
PDF BibTex
ESPwn32: hacking with ESP32 system-on-chips
Romain Cayre, Damien Cauquil and Aurélien Francillon
WOOT 2023, 17th IEEE Workshop on Offensive Technologies, co-located with IEEE S&P 2023, 25 May 2023, San Francisco, United States.
PDF BibTex
Rétro-ingénierie et détournement de piles protocolaires embarquées, un cas d'étude sur le système ESP32
Romain Cayre and Damien Cauquil
SSTIC 2023, Symposium sur la sécurité des technologies de l'information et des communications, 7-9 June 2023, Rennes, France.
PDF BibTex
OASIS: un framework pour la détection d'intrusion embarquée dans les contrôleurs Bluetooth Low Energy
Romain Cayre, Clément Chaine, Guillaume Auriol, Vincent Nicomette, and Géraldine Marconato
Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2022), Jun 2022, Rennes, France.
PDF BibTex
WazaBee: attacking Zigbee networks by diverting Bluetooth Low Energy chips
Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Jun 2021, Taipei (virtual), Taiwan.
PDF BibTex
InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections
Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Jun 2021, Taipei (virtual), Taiwan.
PDF BibTex
[DEMO] A defensive man-in-middle approach to filter BLE packets
Romain Cayre, Géraldine Marconato, Florent Galtier, Mohamed Kaâniche, Vincent Nicomette and Guillaume Auriol
14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Jun 2021, Abu Dhabi, United Arab Emirates.
PDF BibTex
[POSTER] Cross-protocol attacks: weaponizing a smartphone by diverting its Bluetooth controller
Romain Cayre, Géraldine Marconato, Florent Galtier, Mohamed Kaâniche, Vincent Nicomette and Guillaume Auriol
14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Jun 2021, Abu Dhabi, United Arab Emirates.
PDF BibTex
Attaques inter-protocolaires par détournement du contrôleur Bluetooth d'un téléphone mobile
Romain Cayre and Florent Galtier
GT Sécurité des Systèmes, Logiciels et Réseaux, May 2021, Online, France.
PDF BibTex
InjectaBLE : injection de trafic malveillant dans une connexion Bluetooth Low Energy
Romain Cayre, Florent Galtier, Vincent Nicomette, Guillaume Auriol, Mohamed Kaâniche and Géraldine Marconato
Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2021), Jun 2021, Rennes, France.
PDF BibTex
A PSD-based fingerprinting approach to detect IoT device spoofing
Florent Galtier, Romain Cayre, Guillaume Auriol, Mohamed Kaâniche and Vincent Nicomette
25th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2020), Dec 2020, Perth, Australia.
PDF BibTex
WazaBee : attaque de réseaux Zigbee par détournement de puces Bluetooth Low Energy
Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette and Géraldine Marconato
Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC 2020), Jun 2020, Rennes, France.
PDF BibTex
Mirage: towards a Metasploit-like framework for IoT
Romain Cayre, Vincent Nicomette, Guillaume Auriol, Eric Alata and Géraldine Marconato
2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE), Oct 2019, Berlin, Germany.
PDF BibTex
Mirage : un framework offensif pour l'audit du Bluetooth Low Energy
Romain Cayre, Jonathan Roux, Eric Alata, Vincent Nicomette and Guillaume Auriol
Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC 2019), Jun 2019, Rennes, France.
PDF BibTex

TALKS

Analyse et instrumentation de piles protocolaires embarquées: retour d’expérience et perspectives
Romain Cayre
Séminaire sur la Sécurité des systèmes électroniques embarqués (SemSecuElec), January 2024
Website
Weaponizing ESP32 RF Stacks
Romain Cayre and Damien Cauquil
Toulouse Hacking Convention (THCon), April 2023
Slides Video
Cross-protocol attacks, weaponizing a smartphone by diverting its Bluetooth controller
Romain Cayre
Toulouse Hacking Convention (THCon), April 2022
Slides Video
Exploiting wireless keyboards for fun and profit
Romain Cayre
Toulouse Hacking Convention (THCon), June 2021
Slides Video

TOOLS

OASIS
Romain Cayre
OASIS is a lightweight modular framework for easily writing, building and patching instrumentation modules for Bluetooth Low Energy (BLE) controllers using the standard C language.
GitHub
Mirage
Romain Cayre
Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
GitHub
Radiosploit
Romain Cayre
Android application for sniffing and injecting Zigbee, Mosart and Enhanced ShockBurst packets on a Samsung Galaxy S20.
GitHub (app) GitHub (patches)
InjectaBLE
Romain Cayre
Custom firmware for the nRF52840 dongle, making it easy to eavesdrop on Bluetooth Low Energy communications and perform multiple active attacks based on the InjectaBLE strategy.
GitHub
WazaBee
Romain Cayre
WazaBee is an attack that makes it possible to transmit and receive 802.15.4 packets by diverting Bluetooth Low Energy chips.
GitHub (CLI) GitHub (nRF52) GitHub (TI-CC1352-R1)

CONTACT


EURECOM
Campus SophiaTech,
450 Route des Chappes, 06410 Biot FRANCE
Office: 377