
Publications

Exploiting the Tesla Wall Connector from its charge port connector - Part 2: bypassing the anti-downgrade

12/05/2026
Exploit
Reverse-engineering
In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old, vulnerable firmware to the passive slot, reboot, and pop the debug shell. Tesla then shipped a firmware update that adds an anti-downgrade check to the update routine. Every firmware image now carries a security ratchet value, and the updater refuses any ima...

Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge

06/05/2026
Exploit
The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to services listening on the local network, or launching an attack via a proximity network (Wi-Fi, Bluetooth, Zigbee). This article details the research conducted on the Philips Hue Bridge to achieve remote code execution (RCE) from the Zigbee network.

On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

23/01/2026
Exploit
Reverse-engineering
At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploitable heap layout; and abusing subtle behaviors of the vulnerable function to create powerful primitives. Ultimately, the exploit worked on ...

Exploiting Anno 1404

16/12/2025
Exploit
Anno 1404 is a strategy game developed by Related Designs and published by Ubisoft. It is a real-time strategy game that focuses on city management and construction. The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. During our research, we discovered several vulnerabilities that, when combined, allow for arbitrary code execution from within the multiplayer mode.

Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey

27/11/2025
Exploit
Reverse-engineering
This article documents our successful exploitation at Pwn2Own Ireland 2025 against the BeeStation Plus. We walk through the full vulnerability research process, including attack surface enumeration, code auditing, exploit development, and ultimately obtaining a root shell on the target.

Paint it blue: Attacking the bluetooth stack

27/10/2025
Exploit
Bluetooth has always been an attractive target for attackers since it is present almost everywhere (TVs, automotive chargers, connected fridges, etc.). This is especially true on mobile devices, where it runs as a privileged process with potential access to the microphone, address book, etc. In September and October 2023, Android published security bulletins addressing critical vulnerabilities in their Bluetooth stack (Fluoride), which could lead to remote code execution. CVE-2023-40129 is an integer underflow in the GATT protocol, which is ...

LLM Poisoning [1/3] - Reading the Transformer's Thoughts

08/10/2025
Development
Exploit
Reverse-engineering
Your local LLM can hack you. This three-part series reveals how tiny weight edits can implant stealthy backdoors that stay dormant in everyday use, then fire on specific inputs, turning a "safe" offline model into an attacker. This article shows how transformers encode concepts and how to detect them in the model's internal activations.

Exploring GrapheneOS secure allocator: Hardened Malloc

22/09/2025
Exploit
Systems
Reverse-engineering
GrapheneOS is a mobile operating system based on Android that focuses on privacy and security. To further enhance the security of their product, GrapheneOS developers introduced a new libc allocator: hardened malloc. This allocator has a security-focused design intended to protect processes against common memory corruption vulnerabilities. This article explains its internal architecture in detail and how its security mitigations are implemented, from a security researcher's point of view.

Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5

10/07/2025
Hardware
Exploit
Reverse-engineering
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.