I hold a PhD in Information Security from Royal Holloway, University of London. My research focused on IoT Security, and the title of my thesis was "Analysing and Preventing Self-Issued Voice Commands", in which I investigated to what extent commands played and captured by the same device can be a threat to the device users' security, safety and privacy. An example is CVE-2022-25809, known as the AvA Attack, which my team reported to Amazon in 2021 and was the core of my thesis.
I have been active for a few years in the consultancy field. Between 2017 and 2019, I worked for ICT Cyber Consulting, a consultancy firm in Italy. As part of my responsibilities, I used to lead the internal cybersecurity team and I supported the evaluation and the implementation of security measures for more than 60 client firms, including SMB, SME and large enterprises. Between 2023 and 2024, I worked as a freelance consultant for half-dozen client firms, mostly doing vulnerability assessments, penetration tests and training sessions on security topics.
I am now a Fixed-term Assistant Professor (RTD-A) at University of Catania. As part of my responsibilities, I teach the "Vulnerability Assessment and Penetration Testing" course, aimed at both BSc and MSc students, and I co-teach the "Internet Security" and the "Computer Security" courses, aimed at BSc and MSc students, respectively. My research activities still include IoT Security, but now also involve security of multimodal networks, as part of the PNRR FAIR project, and privacy in the automotive environment, as part of the PECS project (NGI TRUSTCHAIN).
Journal Paper
A Case of Smart Devices that Compromise Home Cybersecurity
2025Davide Bonaventura, Sergio Esposito, Giampaolo Bella
We extensively analyse vulnerabilities presented in our previous work and exploited against multiple devices of the Tapo Tp-Link ecosystem. We thoroughly discuss involved Tapo protocols and related exploits used to compromise the devices, using multiple modeling techniques such as flowcharts and pseudocode algorithms; we additionally provide the exploits' source code.
To appear in Elsevier Computers & Security JournalConference Paper
Privacy-Enrooted Car Systems (PECS): Preliminary Design
2024Giampaolo Bella, Gianpietro Castiglione, Sergio Esposito, Mirko Giuseppe Mangano, Mirco Marchetti, Marcello Maugeri, Mario Raciti, Salvatore Riccobene, Daniele Francesco Santamaria
The PECS project aims at revolutionising privacy management within the automotive domain, empowering users to customise privacy settings for their applications, and proposing data obfuscation solutions. We introduce the preliminary software design of PECS and five user stories to conceptualise the user interaction.
To appear in the Proceedings of the 2nd EAI International Conference on Security and Privacy in Cyber-Physical Systems and Smart Vehicles (EAI SmartSP 2024)Workshop Paper
Not Sure Your Car Withstands Cyberwarfare
2024Giampaolo Bella, Gianpietro Castiglione, Sergio Esposito, Mario Raciti, Salvatore Riccobene
We assess how well modern cars protect their drivers' data by analysing privacy policies of known car brands, finding that they are still imprecise about how brands comply with a number of GDPR articles. Hence, compliance results non-verifiable from the outside. This leads to potentially concerning scenarios in case of cyberwarfare.
To appear in Proceedings of the 2024 IEEE International Workshop on Technologies for Defense and Security (TechDefense 2024)Workshop Paper
User-Empowered Federated Learning in the Automotive Domain
2024Marcello Maugeri, Mirko Ignazio Paolo Morana, Sergio Esposito, Giampaolo Bella
We propose a Federated Learning approach, built upon the Flower Framework, that empowers users to decide if they want to participate in model training, or if they just want to make inferences without contributing to the training. We demonstrate this approach through an automotive case study that employs the EngineFaultDB dataset.
In Proceedings of the 2024 IEEE International Conference on Blockchain (Blockchain)Conference Paper
The IoT Breaches your Household Again
2024Davide Bonaventura, Sergio Esposito, Giampaolo Bella
We show how vulnerabilities previously exploited against the Tapo L530E smart bulb can be exploited against other devices of the Tapo family, with similar impact. Additionally, we present a new attack scenario that combines the already known vulnerabilities and another network configuration in which the vulnerabilities can be exploited.
In Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024)Workshop Paper
Modelling the privacy landscape of the Internet of Vehicles
2024Ruben Cacciato, Mario Raciti, Sergio Esposito, Giampaolo Bella
We build two relational models to describe the current privacy landscapes for Intelligent Transportation Systems (ITS) and the Internet of Vehicles (IoV), analysing differences between the two domains and highlighting key challenges for their development in the near future.
In Proceedings of the 18th International Conference on Availability, Reliability and Security (ARES '24)Workshop Paper
The VOCODES Kill Chain for Voice Controllable Devices
2023Sergio Esposito, Daniele Sgandurra, Giampaolo Bella
We describe VOCODES, a tailored kill chain for self-activation attacks. We show that some peculiar steps are needed to perform these attacks, compared to more classical ones. To demonstrate VOCODES' potential, we apply it to analyse the AvA attack in detail.
In Proceedings of The 6th International Workshop on Attacks and Defenses for Internet-of-Things (ADIoT 2023)Conference Paper
Smart Bulbs can be Hacked to Hack into your Household
2023Davide Bonaventura, Sergio Esposito, Giampaolo Bella
We describe four vulnerabilities found on the smart light bulb Tapo L530E by Tp-Link, by applying the PETIoT kill chain. We illustrate the impact and the execution of several attack scenarios that can be achieved by chaining said vulnerabilities, and finally we design some fixes.
In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023)Journal Paper
PETIoT: PEnetration Testing the Internet of Things
2023Giampaolo Bella, Pietro Biondi, Stefano Bognanni, Sergio Esposito
PETIoT is a tailored kill chain for penetration testing in IoT environments, with particular emphasis on traffic analysis. We illustrate all PETIoT steps and then we analyse an attack that is already known in the literature as an example, to show PETIoT's potential.
In Elsevier Internet of Things Journal, Volume 22Conference Paper
Protecting Voice-Controllable Devices Against Self-Issued Voice Commands
2023Sergio Esposito, Daniele Sgandurra, Giampaolo Bella
We propose a taxonomy of security levels to apply to voice-controllable devices, and a countermeasure based on Twin Neural Networks to protect such devices from self-activation attacks such as AvA.
In Proceedings of the IEEE 8th European Symposium on Security and Privacy (EuroS&P 2023)Conference Paper
Alexa versus Alexa: Controlling Smart Speakers by Self-Issuing Voice Commands
2022Sergio Esposito, Daniele Sgandurra, Giampaolo Bella
Alexa versus Alexa (AvA) is an attack that leverages audio files containing voice commands to gain remote control of Amazon Echo devices that play them. The attack was rated as Critical by the NIST, with a CVSS severity score of 9.8 out of 10.
In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ASIA CCS '22)Lecturer for the Vulnerability Assessment and Penetration Testing Course (6 CFU, 48 hours)
Università degli Studi di Catania
October 2024 – Current
This course is part of both the L-31 Bachelor's Degree Course and the LM-18 Master's Degree Course in Computer Science. I taught the following course topics and designed practical lab activities for some of them:- Offensive Security Activities and Ethical Hacking
- VAPT Methodologies
- Information Gathering
- Threat Modelling
- Vulnerability Assessment
- Common Vulnerabilities
- Exploit Tailoring
- Social Engineering
- Post-Exploitation
- Reporting
Lecturer for the Laboratory Module of the Internet Security Course (3 CFU, 24 hours)
Università degli Studi di Catania
April 2024 – Current
This course is part of the L-31 Bachelor's Degree Course in Computer Science. I taught the following course topics and designed practical lab activities for some of them:- Intrusions
- Firewalls
- Intrusion Prevention Systems
- Endpoint Detection and Response
- Incident Response
- System Logs
- Security Information and Event Management
- Security Orchestration, Automation and Response
- Security Operation Center
- Recent Threats
Tutor and Manager for the Cyberchallenge.IT project
Università degli Studi di Catania
February 2020 – Current
I am a tutor for the Cyberchallenge.IT (CCIT) project, preparing university and high-school students for a national hacking competition. Since the 2024 edition, I am also managing the UniCT team activities within the CCIT project.- Software Security 1: Mainly reverse engineering on PE and ELF binaries. I taught topics in this module in the 2020 edition.
- Web Security 1, 2 and 3: Client-side and server-side web vulnerabilities, database vulnerabilities. I taught topics in this module in the 2020 and 2021 editions.
- Hardware Security 0, 1, 2 and 3: VHDL, hardware vulnerabilities and trojans, side-channel attacks. I taught topics within this module in the 2021, 2022, 2023 and 2024 editions.
Teaching Assistant for the Vulnerability Assessment and Penetration Testing Course
Università degli Studi di Catania
October 2021 – January 2024
I designed practical lab activities on course topics:- Techniques and tools for all penetration testing steps: Information Gathering, Vulnerability Assessment, Exploitation, Post-Exploitation, Reporting
- Exploit and mitigation of the most important vulnerabilities on web applications, and PE/ELF executables
- Techniques for privilege escalation and lateral movement
Teaching Assistant for the IY3840 course: Malicious Software
Royal Holloway, University of London
February 2020 – July 2021
I marked coursework and I designed lab sheets on course topics:- Static and dynamic analysis of executables
- Understanding malware networks and shared code analysis
- Development of tools to identify malware and for malware attribution
Tutor for the Internet Security course
Università degli Studi di Catania
April 2019 – June 2020
I explained in detail some topics that were requested by students, during lessons and practical labs. Some relevant topics:- Reverse engineering
- Web vulnerabilities
- Cloud security
- Asymmetric Encryption
Invited Lecture on "Cross Site Scripting (XSS)"
Università degli Studi di Catania
May 2017
I was asked to give a lecture during the Internet Security course, which is part of the L-31 Bachelor's Degree Course in Computer Science. Topics covered, along with related lab activities:- HTTP Requests
- Document Object Model (DOM)
- Reflected XSS
- DOM-Based XSS
- Stored XSS
Track Chair
- SEC at ACM SAC (2025)
Program Committee
- EICC (2025)
Review Service
- IEEE Internet of Things Journal (2024)
- The Computer Journal (2021)
Sub-Review Service
- ESORICS (2024, 2023)
- SEC at ACM SAC (2024, 2020)
- ACM AsiaCCS (2023)
- ITASEC (2022, 2021, 2020)
External Review Service
- Mario Raciti (2024, 2023), Annual Review Panel for the National PhD Program in Cybersecurity @ IMT Lucca
Co-Supervised Student Theses
- Davide Bonaventura (2023), MSc in Computer Science @ Università degli Studi di Catania
- Andrea Maugeri (2022), BSc in Computer Science @ Università degli Studi di Catania
- Salvatore Graci (2022), MSc in Computer Science @ Università degli Studi di Catania
Freelancer
May 2023 - March 2024
Although in the past I used to lead GDPR compliance activities for my clients, offensive security and teaching is where I thrive.- Penetration Testing
- Red-Teaming
- Support in the evaluation and implementation of technical security measures
- Support in case of security incidents
- Cyber Exercises
- Training
Cybersecurity Specialist
ICT Cyber Consulting
December 2018 – October 2019
- Management of the firm's cybersecurity team
- Cybersecurity hotline, e.g., in case of security incidents and/or data breaches
- Data Protection Impact Assessments (DPIAs)
- Support in the evaluation and implementation of technical security measures
- Cybersecurity Gap Analysis
- Security Risk Assessment
- GDPR compliance activities
- Training
- Worked with more than 60 client organisations
Chief Cyber Security Advisor
ICT Legal Consulting
June 2018 – December 2018
- Same responsibilities mentioned in the role above.
Cyber Security Advisor
ICT Legal Consulting
August 2017 – June 2018
- Same responsibilities mentioned in the role above (except for "Management of the firm's cybersecurity team")
- Penetration testing