Romain Cayre

BIO

I’m assistant professor in Software and System Security (S3) group at EURECOM, previously post-doctoral researcher in the same group since July 2022. Before joining EURECOM, I obtained a PhD in Computer Science from Institut National des Sciences Appliquées (INSA) Toulouse. My PhD thesis is titled “Offensive and defensive approaches for wireless communication protocols in IoT”. I’m a former student of INSA Toulouse and TLS-SEC, where I studied Computer Science, Networks and Security.

My research interests are related to wireless security, IoT security and embedded systems security. My main contributions are:

WazaBee, a cross-protocol pivoting attack allowing to receive and transmit arbitrary 802.15.4 packets from a diverted BLE transceiver,
InjectaBLE, an attack allowing to inject arbitrary packets into an ongoing Bluetooth Low Energy connection by leveraging a race condition in the Link Layer clock drift compensation mechanism,
Mirage, an offensive framework allowing to facilitate the development and automation of offensive scenarios targeting various wireless protocols (Bluetooth Low Energy, ZigBee, Enhanced ShockBurst...),
OASIS, a defensive framework allowing to generate an embedded detection software and inject it into Bluetooth Low Energy controllers.

I am the main maintainer of Mirage, an offensive framework for wireless communication protocols.

PUBLICATIONS

OASIS: An Intrusion Detection System Embedded in Bluetooth Low Energy Controllers

Romain Cayre, Vincent Nicomette, Guillaume Auriol, Mohamed Kaâniche and Aurélien Francillon
Proceedings of the 2024 ACM Asia conference on Computer and Communications Security (ASIACCS).
PDF BibTex

ESPwn32: hacking with ESP32 system-on-chips

Romain Cayre, Damien Cauquil and Aurélien Francillon
WOOT 2023, 17th IEEE Workshop on Offensive Technologies, co-located with IEEE S&P 2023, 25 May 2023, San Francisco, United States.
PDF BibTex

Rétro-ingénierie et détournement de piles protocolaires embarquées, un cas d'étude sur le système ESP32

Romain Cayre and Damien Cauquil
SSTIC 2023, Symposium sur la sécurité des technologies de l'information et des communications, 7-9 June 2023, Rennes, France.
PDF BibTex

OASIS: un framework pour la détection d'intrusion embarquée dans les contrôleurs Bluetooth Low Energy

Romain Cayre, Clément Chaine, Guillaume Auriol, Vincent Nicomette, and Géraldine Marconato
Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2022), Jun 2022, Rennes, France.
PDF BibTex

WazaBee: attacking Zigbee networks by diverting Bluetooth Low Energy chips

Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Jun 2021, Taipei (virtual), Taiwan.
PDF BibTex

InjectaBLE: Injecting malicious traffic into established Bluetooth Low Energy connections

Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette, Mohamed Kaâniche and Géraldine Marconato
IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2021), Jun 2021, Taipei (virtual), Taiwan.
PDF BibTex

[DEMO] A defensive man-in-middle approach to filter BLE packets

Romain Cayre, Géraldine Marconato, Florent Galtier, Mohamed Kaâniche, Vincent Nicomette and Guillaume Auriol
14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Jun 2021, Abu Dhabi, United Arab Emirates.
PDF BibTex

[POSTER] Cross-protocol attacks: weaponizing a smartphone by diverting its Bluetooth controller

Romain Cayre, Géraldine Marconato, Florent Galtier, Mohamed Kaâniche, Vincent Nicomette and Guillaume Auriol
14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Jun 2021, Abu Dhabi, United Arab Emirates.
PDF BibTex

Attaques inter-protocolaires par détournement du contrôleur Bluetooth d'un téléphone mobile

Romain Cayre and Florent Galtier
GT Sécurité des Systèmes, Logiciels et Réseaux, May 2021, Online, France.
PDF BibTex

InjectaBLE : injection de trafic malveillant dans une connexion Bluetooth Low Energy

Romain Cayre, Florent Galtier, Vincent Nicomette, Guillaume Auriol, Mohamed Kaâniche and Géraldine Marconato
Symposium sur la sécurité des technologies de l'information et des communications (SSTIC 2021), Jun 2021, Rennes, France.
PDF BibTex

A PSD-based fingerprinting approach to detect IoT device spoofing

Florent Galtier, Romain Cayre, Guillaume Auriol, Mohamed Kaâniche and Vincent Nicomette
25th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2020), Dec 2020, Perth, Australia.
PDF BibTex

WazaBee : attaque de réseaux Zigbee par détournement de puces Bluetooth Low Energy

Romain Cayre, Florent Galtier, Guillaume Auriol, Vincent Nicomette and Géraldine Marconato
Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC 2020), Jun 2020, Rennes, France.
PDF BibTex

Mirage: towards a Metasploit-like framework for IoT

Romain Cayre, Vincent Nicomette, Guillaume Auriol, Eric Alata and Géraldine Marconato
2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE), Oct 2019, Berlin, Germany.
PDF BibTex

Mirage : un framework offensif pour l'audit du Bluetooth Low Energy

Romain Cayre, Jonathan Roux, Eric Alata, Vincent Nicomette and Guillaume Auriol
Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC 2019), Jun 2019, Rennes, France.
PDF BibTex

TALKS

Analyse et instrumentation de piles protocolaires embarquées: retour d’expérience et perspectives

Romain Cayre
Séminaire sur la Sécurité des systèmes électroniques embarqués (SemSecuElec), January 2024
Website

Weaponizing ESP32 RF Stacks

Romain Cayre and Damien Cauquil
Toulouse Hacking Convention (THCon), April 2023
Slides Video

Cross-protocol attacks, weaponizing a smartphone by diverting its Bluetooth controller

Romain Cayre
Toulouse Hacking Convention (THCon), April 2022
Slides Video

Exploiting wireless keyboards for fun and profit

Romain Cayre
Toulouse Hacking Convention (THCon), June 2021
Slides Video

TOOLS

OASIS

Romain Cayre
Oasis is a lightweight modular framework allowing to easily write, build and patch instrumentation modules for Bluetooth Low Energy (BLE) controllers using standard C language.
GitHub

Mirage

Romain Cayre
Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
GitHub

Radiosploit

Romain Cayre
Android application allowing to sniff and inject Zigbee, Mosart and Enhanced ShockBurst packets on a Samsung Galaxy S20.
GitHub (app) GitHub (patches)

InjectaBLE

Romain Cayre
Custom firmware for nrf52840-dongle, allowing to easily eavesdrop Bluetooth Low Energy communications and perform multiple active attacks based on InjectaBLE strategy.
GitHub

WazaBee

Romain Cayre
WazaBee is an attack allowing to transmit and receive 802.15.4 packets by diverting Bluetooth Low Energy chips.
GitHub (CLI) GitHub (nRF52) GitHub (TI-CC1352-R1)

CONTACT

Mail: romain.cayre@eurecom.fr
Twitter: @CayreRomain
GitHub: @RCayre
Google Scholar: profile
ORCID: 0009-0009-6217-5862

EURECOM
Campus SophiaTech,
450 Route des Chappes, 06410 Biot FRANCE
Office: 377