[Meet our Faculty] Romain Cayre, assistant professor in digital security department at EURECOM

Q. What is your academic trajectory?
RC. I’m a former student of the engineering school Institut National des Sciences Appliquées (INSA) Toulouse, where I obtained an Engineering Degree in Computer Science and Networks, with a Major in Security from TLS-SEC training, and a Master Degree in Networks and Telecommunications. After that, I choose to do a research internship at LAAS-CNRS laboratory in the Tolérance aux fautes et Sûreté de Fonctionnement (TSF) team, where I worked on the design and implementation of a tool allowing to perform wireless attacks to evaluate a protocol-agnostic intrusion detection approach relying on a wide band physical layer analysis. I enjoyed this first experience and it motivated me to do a CIFRE PhD in the same team at LAAS-CNRS, co-directed by Apsys.Lab, an Airbus company specialized in security. My PhD thesis is named “Offensive and defensive approaches for wireless communication protocols security in IoT”, and explore the thematics of the security analysis of IoT wireless communication protocols both from an offensive and a defensive perspective, demonstrating some emerging threats related to the rapid and chaotic deployment of wireless protocols in the IoT context and proposing a set of defensive approaches to mitigate them. After my PhD, I joined EURECOM as post-doc in the Software and System Security (S3) Group, under the supervision of Aurélien Francillon, where I worked on the evaluation of a lightweight Intrusion Detection System embedded in Bluetooth Low Energy controllers and on the analysis of low level attacks at the interface between software and hardware.

Q. What is the expertise you bring to the Security department?

RC. My research thematics are focused on Wireless Security and Embedded Systems Security, and I’m particularly interested in the analysis of protocol stacks, cross-layer interactions and lower layers (medium access and physical layers). I’m very familiar with the operation of the Bluetooth Low Energy and ZigBee protocols, as well as several proprietary protocols (ANT, Enhanced ShockBurst / ShockBurst, etc.). As part of my previous research works, I developed both scientific and technical skills at the interface between Networks, Telecommunications, Embedded Electronics and Computer Science, from protocol reverse engineering based on signals analysis to the instrumentation of embedded firmwares (applied to proprietary protocol stacks embedded in various SoCs, such as ESP32, nRF52 or Broadcom / Cypress).

Q. What made you choose to come to EURECOM?

RC. I was very impressed by the impact and the quality of some of the research works realized at EURECOM. Over the years, some of the professors, PhD students and postdocs from EURECOM have proposed some major contributions in my field, and I was enthusiastic about some of these works. I was particularly interested by some of the research thematics developed at EURECOM, especially low level wireless attacks such as Screaming Channels or the contributions to Bluetooth Security (especially KNOB & BIAS attacks). When Aurelien Francillon, professor in S3 team, proposed me to work as post-doc under his supervision, I was very happy of the opportunity to work with such a great team and gladly accepted his offer! I learned a lot during this post-doc, and the team has always encouraged me to work on the themes I’m passionate about and has given me a lot of freedom, while opening up many new perspectives and opportunities for collaboration. When a position of assistant professor was opened, it was a no-brainer to apply for it, and I’m glad to have been recruited in the team.

Q. What are your future goals and if you had to sketch a five-year plan for your research goals, what would that be?

RC. I would like to explore several research thematics related to Internet of Things and Wireless security. I plan to focus my work on vulnerability analysis, exploitation and mitigation in the IoT ecosystem. The first research thematic I would like to work on is the identification and analysis of novel context-dependent vulnerabilities in IoT devices, that are currently challenging to identify with state-of-the-art testing approaches. For example, automated detection of attack vectors chaining multiple vulnerabilities remains difficult today. It involves to identify and analyze potential attack vectors impacting the execution flow of the devices, and evaluating the feasibility of instrumenting or simulating the identified attack vectors to integrate them into testing approaches, for example based on rehosting.

The second research thematic I plan to explore is focused on the identification and analysis of cross protocol interactions between IoT wireless communications protocols. Internet of Things has led to the chaotic deployment of several concurrent wireless communications protocols, such as Wi-Fi, Thread, ZigBee, Bluetooth Classic and Low Energy, and Ultrawide-band. These protocols often coexist in the same environment and share resources, such as the 2.4 GHz ISM band. This situation opens up the possibility for attackers to target one protocol by exploiting another protocol, taking advantage of similarities in the lower layers of wireless stacks. There is currently no established and reliable methodology for studying cross-protocol interactions, vulnerabilities, attacks, and mitigations in the IoT domain. One of my goal is to fill this gap by providing a comprehensive analysis of cross protocol interactions, and designing a framework to reliably identify and analyze these new attack vectors.

The third research thematic I want to conduct focuses on the design and the implementation of innovative defensive mechanisms, aiming at protecting smart devices while fitting the specific constraints of the IoT ecosystem. Indeed, securing IoT devices requires to take into account multiple constraints and specificities of the IoT ecosystem, complicating the use of existing solutions. In particular, I plan to work on the development of Intrusion Detection and Prevention Systems allowing to detect and react to wireless threats targeting IoT devices, by leveraging techniques that are generally used in an offensive context, such as reactive jamming or firmware patching.