Mathy Vanhoef

3.6K posts

@vanhoefm

Prof. @KU_Leuven | Ex-Postdoc NYU | Network Security & Crypto | FragAttacks & KRACK | https://t.co/cFWyCYRZyH

Orion Arm · Joined February 2011
1.6K Following · 14.4K Followers
Pinned Tweet
Mathy Vanhoef (@vanhoefm):
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9 months embargo, over this time a lot of info has been collected and that info is now available at fragattacks.com

Mathy Vanhoef retweeted
Gerard Govers (@gerardgovers):
If a significant portion of the population has no children, those who do still have children (and invest in raising them) will not continue to find it OK that the pensions of people with and without children remain equal.
Nikolaus Haufler (@nikolaushaufler):

Raising two children costs €600,000 (direct costs + lost earnings). A childless person draws almost exactly as much in old age in pension, health care and long-term care from the pay-as-you-go system. A one-sided deal: parents invest, the childless profit. 🧵


Mathy Vanhoef retweeted
Matthew Green (@matthew_d_green):
There’s been some reporting that Meta contributed an unfathomable sum to promote age verification laws globally. This is broadly true, but the actual situation is a bit more complex. Figured it was worth an update.

Mathy Vanhoef retweeted
Tao Yan (@ga1ois):
[2]After our failed competition, we headed to Apple Store and bought the mbp m5 and spent less than half an hour to set it up and found a fixed offset is changed 1 bit on it, so we just change 1 bit on our exp and it worked with a 100% success rate. Yes just 1 bit change, 1 to 2.
TrendAI Zero Day Initiative (@thezdi):

Unfortunately, Tao Yan & Edouard Bochin of Palo Alto Networks could not get their exploit of Apple Safari – Renderer Only working within the time allotted. #Pwn2Own #P2OBerlin


Mathy Vanhoef retweeted
Moritz Schloegel (@m_u00d8):
NDSS 2027 is looking for volunteers to join the Artifact Evaluation Committee. If you care about reproducibility & open science, we would be glad to have you on board. All sorts of backgrounds welcome & no prior experience required. Self-nominate here: forms.gle/3UydnaYP6vUChF…

Mathy Vanhoef retweeted
ggwhyp (@ggwhyp):
I was hoping to compete in Pwn2Own with a Firefox full-chain entry, but unfortunately it was rejected. I’ve reported the vulnerability to the Mozilla team.

Mathy Vanhoef (@vanhoefm):
@SwiftOnSecurity This platform has kept going downhill. The "For You" page is mainly interaction slop where tweets stop in the middle of the sentence, right before the "juicy info", to get you to click on it. The "Following" page is less interesting because many people left or are less active

SwiftOnSecurity (@SwiftOnSecurity):
Been doing this account for 12 years with 100% original stuff, huge debuff of my posts the last 2 months or so. I'm not gonna really pursue it rn, but yeah something weird is going on and kinda nerfed my drive so you're not seeing a lot I normally would. ☹️🤷‍♀️

Mathy Vanhoef retweeted
Pwnie Awards (@PwnieAwards):
🚨Nominations for the 2026 Pwnie Awards are now open! Best bug? Worst Bug? Incredible research? Cataclysmic fuckups that knocked over half the internet? You know who deserves a Pwnie this year! Let us know! 🏇🏇🏇🏇🏇 tally.so/r/441Aro

Mathy Vanhoef retweeted
Brian Pak (@brian_pak):
Hey everyone. We’ve seen the discussions around Copy Fail (CVE-2026-31431) and the disclosure process. We appreciate the passion from distro maintainers, defenders, and the broader Linux community. This is a serious issue, and we want to share some context on our side in good faith. 🧵

Mathy Vanhoef (@vanhoefm):
Just presented AirSnitch at Black Hat Asia 2026! The presentation covered how we could often bypass Wi-Fi client isolation in home and professional access points. This was an awesome collaboration with UC Riverside! The slides and our NDSS'26 paper are linked below ⬇️

Mathy Vanhoef retweeted
Trail of Bits (@trailofbits):
Google used a ZK proof to disclose a quantum breakthrough that cuts the cost of breaking cryptocurrency by 20x without handing attackers the circuit. We found anyone could forge a “proof” of an even stronger attack. 🧵

Mathy Vanhoef retweeted
K̵i̵r̵k̵ ̵T̵r̵y̵c̵h̵e̵l̵
hackers as the first group to embrace KYC for access to new models is cutting me deep. we used to be rebels

Mathy Vanhoef retweeted
Rob Fuller (@mubix):
In collaboration with a couple of other leaders in the industry we are releasing SecurityTitles.com - It's an attempt to provide transparency about role levels, expectations and (just for the US market currently, salary ranges). For leaders writing JDs and candidates alike.

Mathy Vanhoef (@vanhoefm):
@HaifeiLi @udunadan Or combine with manual code exploration, where AI greatly speeds up understanding of the code and verifying hypothesis. At least I think this can speed up the type of vuln research where you're trying new style of attacks (I still need to experiment more with AI though..)

Mathy Vanhoef (@vanhoefm):
@HaifeiLi @udunadan Might become the same as fuzzers: if you use an out-of-the-box config, i.e., common prompts, you won't find new things (once the new low-hanging fruit is found). To find new stuff, you'll need new strategies like combining with other tools (fuzzers, DAST) in a new way.

Haifei Li (@HaifeiLi):
Well, I recommend that folks who claim they used AI to find bugs describe their steps in detail - such as which AI models they used, what prompts they employed, which source files they asked the AI to analyze and how, etc. This is like the vulnerability PoC in the AI era. Only with sufficient details can others independently reproduce the findings and properly assess whether it’s real innovation, hype, or somewhere in between.