
A prestigious research institution in France is offering a post-doctoral position focusing on the application of artificial intelligence for reverse engineering wireless protocols in IoT security. Candidates must possess strong skills in IT security, familiarity with learning algorithms, and proficiency in programming languages such as Python and C++. This is a full-time temporary position based in Toulouse with applications accepted until December 10, 2025.
Organisation/Company: CNRS
Department: Laboratoire d'analyse et d'architecture des systèmes
Research Field: Engineering; Computer science; Mathematics
Researcher Profile: Recognised Researcher (R2)
Country: France
Application Deadline: 10 Dec 2025 - 23:59 (UTC)
Type of Contract: Temporary
Job Status: Full-time
Hours Per Week: 35
Offer Starting Date: 1 Feb 2026
Is the job funded through the EU Research Framework Programme? Not funded by an EU programme
Is the Job related to a staff position within a Research Infrastructure? No
The Internet of Things industry is notorious for relegating the security of its devices to the background in favor of other criteria such as energy consumption, product cost, or development cycle time. For this reason, these products attract growing interest from vulnerability researchers: numerous weaknesses have recently been identified in wireless protocols such as Bluetooth [8, 9, 10], Bluetooth Low Energy [11, 12], and Logitech Unifying [13]. To protect themselves, manufacturers rely on security through obscurity by using undocumented proprietary protocols. This lack of documentation significantly slows down vulnerability researchers, who must painstakingly reverse engineer each protocol, from the physical radio layer (modulation, data rate, presence of frequency hopping, etc.) up to the application layer (i.e., the protocol controller).
Recently, several studies have focused on reverse engineering the lower layers of wireless protocols. Examples include the Universal Radio Hacker tool [14], which allows manual analysis of common modulations from raw signals, and the work of Galtier et al. [5], which has made it possible to partially automate the reverse engineering of the radio physical layer, paving the way for new reverse engineering tools. This post‑doc focuses on the application of artificial intelligence to the automatic reverse engineering of protocol layers, with three objectives.
The first objective is to facilitate the identification of fields within a protocol from examples of binary sequences. Work in this area already exists [2, 3] but still requires significant manual effort from the vulnerability researcher. Furthermore, that work was carried out in the context of Ethernet communication and assumes that the physical layer has already been correctly decoded. In the wireless case, the physical layer itself has to be recovered with artificial intelligence, which can introduce noise into the data (for example, two distinct frames could be merged and treated as a single frame). In addition, certain physical-layer mechanisms could be incorrectly inferred, such as "whitening" (a scrambling step that avoids long runs of identical bits). Finally, unlike TCP/IP-based protocols, physical layers do not necessarily rely on byte alignment and may, for example, include 9-bit headers (such as the header field of the proprietary Enhanced ShockBurst protocol [15]): processing the data byte by byte is then impossible, and fields can only be delimited bit by bit.

All these constraints make it necessary to design frame-structure reverse engineering techniques that are robust to noise while relying on as few assumptions as possible. Data mining approaches can serve as a basis for this work [6]. To facilitate the identification of frame structures, we will rely on a collection of documented protocol structures extracted from the Scapy software [4]: many fields (length field, checksum, etc.) recur across these protocols. This will greatly speed up reverse engineering when the protocol under analysis is a variant of a known protocol, while also providing a knowledge base representative of current technologies.
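As an added illustration of the bit-alignment problem (this is my example, not code from the posting, from the laboratory, or from WHAD), the following Python parses an Enhanced ShockBurst-style frame with a bit cursor rather than byte offsets. The layout follows the nRF24L01+ format as I know it (3-5 byte address, 9-bit Packet Control Field, up to 32 bytes of payload, 16-bit CRC); the CRC polynomial and initial value, the default address and the sample payload are assumptions, and the sample frame is constructed with the encoder in the block rather than captured from a real device. The naive byte-slicing function shows what a byte-oriented parser would extract from the same frame.

```python
# Bit-level parsing of an Enhanced ShockBurst (ESB)-style frame.
# Layout used here (nRF24L01+ style; CRC parameters are my assumption):
#   address : 3-5 bytes
#   PCF     : 9 bits = payload length (6) | PID (2) | NO_ACK (1)
#   payload : 0-32 bytes, beginning 9 bits after the address, so never byte-aligned
#   CRC     : 16 bits, CRC-16-CCITT (poly 0x1021, init 0xFFFF) over address + PCF + payload
from dataclasses import dataclass

CRC16_POLY = 0x1021
CRC16_INIT = 0xFFFF


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list, the order in which the radio shifts bits over the air."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def int_to_bits(value: int, width: int) -> list[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits: list[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def bits_to_bytes(bits: list[int]) -> bytes:
    if len(bits) % 8:
        raise ValueError("bits_to_bytes needs a multiple of 8 bits")
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def crc16_bits(bits: list[int]) -> int:
    """Bit-serial CRC-16; a byte-wise table CRC cannot absorb the 9-bit PCF."""
    crc = CRC16_INIT
    for bit in bits:
        feedback = ((crc >> 15) & 1) ^ bit
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= CRC16_POLY
    return crc


def build_frame(address: bytes, pid: int, no_ack: int, payload: bytes) -> list[int]:
    """Encoder used only to construct sample input (not captured traffic)."""
    if not 3 <= len(address) <= 5 or len(payload) > 32 or pid > 3 or no_ack > 1:
        raise ValueError("field out of ESB range")
    body = (bytes_to_bits(address)
            + int_to_bits(len(payload), 6) + int_to_bits(pid, 2) + [no_ack]
            + bytes_to_bits(payload))
    return body + int_to_bits(crc16_bits(body), 16)


@dataclass
class EsbFrame:
    address: bytes
    length: int
    pid: int
    no_ack: int
    payload: bytes
    crc_ok: bool


def parse_frame(bits: list[int], address_len: int = 5) -> EsbFrame:
    """Walk the frame with a bit cursor: every field boundary is a bit offset."""
    pos = 0
    address = bits_to_bytes(bits[pos:pos + 8 * address_len])
    pos += 8 * address_len
    length = bits_to_int(bits[pos:pos + 6])
    pos += 6
    pid = bits_to_int(bits[pos:pos + 2])
    pos += 2
    no_ack = bits[pos]
    pos += 1
    if length > 32 or pos + 8 * length + 16 > len(bits):
        raise ValueError(f"PCF length {length} does not fit in a {len(bits)}-bit frame")
    payload = bits_to_bytes(bits[pos:pos + 8 * length])
    pos += 8 * length
    crc_ok = bits_to_int(bits[pos:pos + 16]) == crc16_bits(bits[:pos])
    return EsbFrame(address, length, pid, no_ack, payload, crc_ok)


def naive_byte_slice_payload(frame_bytes: bytes, address_len: int, length: int) -> bytes:
    """What a byte-oriented parser does: treat the PCF as one byte. Off by one bit."""
    start = address_len + 1
    return frame_bytes[start:start + length]


# Constructed sample: the nRF24 default pipe-0 address (assumed) and a 4-byte payload.
SAMPLE_BITS = build_frame(b"\xe7" * 5, pid=2, no_ack=0, payload=b"\x01\x02\x03\x04")
# A capture tool hands out whole bytes, so the 97-bit frame arrives zero-padded.
SAMPLE_BYTES = bits_to_bytes(SAMPLE_BITS + [0] * (-len(SAMPLE_BITS) % 8))

if __name__ == "__main__":
    print(parse_frame(SAMPLE_BITS))
    print(naive_byte_slice_payload(SAMPLE_BYTES, 5, 4).hex())
```

The byte-sliced payload comes back as the payload shifted by one bit with the NO_ACK flag prepended, which is exactly the kind of artefact that a field-inference algorithm working on bytes would then try to explain as protocol structure.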
The second objective is to infer protocol automata, which depends on the achievement of the first objective. Methods for learning finite-state automata exist, but most require active learning, i.e., they assume a "teacher" (or oracle) that can indicate whether a given sequence is valid for the protocol and can provide counterexamples to a candidate automaton. As this assumption is not reasonable in our context, we will rely on recent work [1] on learning network protocols passively from communication examples. This work, designed for TCP/IP communications, will need to be transposed to the wireless context and its specific constraints.
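As an added example of passive automaton inference (my code, not the posting's and not the method of [1]), the following Python implements the classic k-tails state-merging heuristic: build a prefix tree acceptor from observed traces, then merge states whose next k symbols look the same. The traces are constructed and the message type names (CONNECT_REQ, DATA, ...) are hypothetical stand-ins for the field-level message types that objective 1 would produce. Run with k=1 the inferred automaton generalizes to arbitrarily many DATA messages; with k=2 it only accepts the observed traces, which shows how k trades generalization against overfitting.

```python
# Passive inference of a protocol automaton from message traces (k-tails heuristic).
# No oracle is queried: the only input is the set of observed message-type sequences.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Automaton:
    start: int
    accepting: set[int]
    transitions: dict[int, dict[str, int]]  # state -> symbol -> next state


def build_pta(traces):
    """Prefix tree acceptor: one state per distinct message prefix seen in the traces."""
    trans = {0: {}}
    accepting = set()
    for trace in traces:
        state = 0
        for sym in trace:
            if sym not in trans[state]:
                trans[state][sym] = len(trans)
                trans[len(trans)] = {}
            state = trans[state][sym]
        accepting.add(state)
    return trans, accepting


def k_tail(trans, accepting, state, k):
    """Symbol sequences of length <= k observable after `state`; '$' marks a possible end."""
    tails = set()

    def walk(s, path):
        if s in accepting:
            tails.add(path + ("$",))
        if len(path) == k:
            tails.add(path)
            return
        for sym, nxt in trans[s].items():
            walk(nxt, path + (sym,))

    walk(state, ())
    return frozenset(tails)


def infer_automaton(traces, k=1) -> Automaton:
    trans, accepting = build_pta(traces)
    parent = {s: s for s in trans}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    def merge(a, b):
        a, b = find(a), find(b)
        if a == b:
            return
        if b < a:
            a, b = b, a  # keep the smaller id as representative
        parent[b] = a
        if b in accepting:
            accepting.add(a)
        for sym, tgt in list(trans[b].items()):
            rep = find(a)
            if sym in trans[rep]:
                merge(trans[rep][sym], tgt)  # fold targets so the result stays deterministic
            else:
                trans[rep][sym] = tgt

    groups = defaultdict(list)
    for s in trans:
        groups[k_tail(trans, accepting, s, k)].append(s)
    for members in groups.values():
        for other in members[1:]:
            merge(members[0], other)

    # Renumber the surviving representatives breadth-first from the start state.
    ids = {find(0): 0}
    queue = deque([find(0)])
    result = {}
    while queue:
        rep = queue.popleft()
        result[ids[rep]] = {}
        for sym, tgt in sorted(trans[rep].items()):
            t = find(tgt)
            if t not in ids:
                ids[t] = len(ids)
                queue.append(t)
            result[ids[rep]][sym] = ids[t]
    acc = {ids[find(s)] for s in accepting if find(s) in ids}
    return Automaton(0, acc, result)


def accepts(automaton: Automaton, trace) -> bool:
    state = automaton.start
    for sym in trace:
        state = automaton.transitions.get(state, {}).get(sym)
        if state is None:
            return False
    return state in automaton.accepting


# Constructed traces over hypothetical message types (not captured traffic).
TRACES = [
    ("CONNECT_REQ", "CONNECT_ACK", "DATA", "DATA", "DATA", "DISCONNECT"),
    ("CONNECT_REQ", "CONNECT_ACK", "DATA", "DISCONNECT"),
    ("CONNECT_REQ", "CONNECT_ACK", "DISCONNECT"),
    ("CONNECT_REQ", "CONNECT_REJECT"),
]

if __name__ == "__main__":
    for k in (1, 2):
        auto = infer_automaton(TRACES, k)
        print(f"k={k}: {len(auto.transitions)} states, transitions={auto.transitions}")
```

The merge step is the part that matters for a fuzzer built on top of the automaton: merging the post-CONNECT_ACK states into a single looping DATA state is what lets the model express "any number of DATA messages", which no finite set of traces shows explicitly.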
The third objective, dependent on the success of the previous two, is to fuzz a protocol based on the result of its reverse engineering. This fuzzing will be intelligent: it will use the inferred protocol automaton to reach broad test coverage while limiting unnecessary trials. In particular, our goal is to reverse engineer, and identify vulnerabilities in, proprietary or partially documented protocols such as ANT+ or ANT-FS [16], Logitech Unifying [13, 15, 17], or the various protocols used by IoT devices such as wireless keyboards [18] or smart remote controls [19].
This work will take place in Toulouse, at the LAAS-CNRS laboratory, and will build on the LAAS-CNRS platform dedicated to the study of connected object security. This platform, initially developed as part of the SuperviZ project, enables advanced instrumentation of commercial connected objects and IoT development kits and collects wireless traffic at different levels of the protocol stack, from raw radio frequency signals (as I/Q samples) to structured capture files (PCAP type): it will thus be a valuable resource for evaluating the approaches proposed in this work. Supervision will be provided by Pierre-François Gimenez, AI and cybersecurity researcher at Inria, and Romain Cayre, lecturer and researcher in offensive cybersecurity at LAAS-CNRS. The implementations resulting from this work will be open source and will be integrated into the WHAD wireless attack framework [7] in order to transfer these contributions to other vulnerability researchers, whether in academia, public institutions, or private companies.