9:00 am–9:15 am
Opening Remarks and Awards
Program Co-Chairs: Antonio Bianchi, Purdue University, and Jiska Classen, Hasso Plattner Institute
9:15 am–10:00 am
Keynote Address
Click Here to Hack Your Target: A Perspective on the Past, Present, and Future of Mercenary Spyware
Bill Marczak, Senior Researcher at The Citizen Lab
The mercenary spyware industry sells hacking tools and services to governments, purportedly to fight crime and terrorism. In some cases, the products are used this way. However, all too often, this powerful technology is abused to spy on dissidents, journalists, and political opposition. Despite bug-fixes, security mitigations, threat intelligence work, government regulations, and even sanctions, the industry's efforts continue apace, to the detriment of civil society. My talk will highlight the cat-and-mouse game between the mercenary spyware industry and the defenders, explaining the state of play, how we got here, and what the future may hold.
Bill Marczak is a Senior Researcher at the University of Toronto's Citizen Lab, where he performs cutting-edge research into targeted cyberattacks. Bill's work has uncovered the abuse of tools from several mercenary spyware vendors around the world. Bill's main interests include Internet measurement and spyware forensics.
10:00 am–10:30 am
Coffee and Tea Break
10:30 am–12:10 pm
Embedded, Automotive, and Platform Security
HotWire: Real-World Impersonation and Discharge Attacks on Electric Vehicle Charging Systems
Kuan Yu Chen, National Taiwan University of Science and Technology; Md Hasan Shahriar, Virginia Tech; Wen Wei Li and Shi Cho Cha, National Taiwan University of Science and Technology; Wenjing Lou, Virginia Tech
Real-Time Compromise: Investigating RTC Security in Consumer IoT
Victor Goeman, Tom Cordemans, Christoph Sanders, Jorn Lapon, and Vincent Naessens, DistriNet - KU Leuven
DisARMed: Attacking ARM TrustZone from Userspace with Memory Aliasing
Matthew Bowden and Jacqueline Henes, University of Birmingham; David Oswald, Durham University; Mihai Ordean, University of Birmingham
Security Analysis of LTE Connectivity in Connected Cars: A Case Study of Tesla
Evangelos Bitsikas, Jason Veara, and Aanjhan Ranganathan, Northeastern University
SoK: 20 Years of Power, Privilege, and Peril in x86 System Management Mode
Antonis Louka and Jo Van Bulck, DistriNet, KU Leuven
12:10 pm–1:40 pm
Lunch
1:40 pm–3:00 pm
Program Analysis and Fuzzing
SemSan: A Configurable Sanitizer for Detecting Semantic Bugs
Moritz Sanft and Flavio Toffalini, Ruhr University Bochum
FuzzBT: Holistic-State-Guided Fuzzing for Bluetooth Host Stack in Kernels
Sungwoo Kim, Purdue University; Hui Peng, Google, Inc; Imtiaz Karim, The University of Texas at Dallas; Ruoyu Wu, Purdue University; Jianliang Wu, Simon Fraser University; Elisa Bertino, Purdue University; Mathias Payer, EPFL; Dave (Jing) Tian, Purdue University
Squeezing Juicy Variant Bugs Out of Modern Browsers
Han Zheng, EPFL; Flavio Toffalini, Ruhr University Bochum; Qiang Liu and Mathias Payer, EPFL
SoK: Multi-Layer Indirect Call Analysis in the Real World
Yufei Du, Georgia Institute of Technology; Vasileios P. Kemerlis, Brown University; Michalis Polychronakis, Stony Brook University; Fabian Monrose, Georgia Institute of Technology
3:00 pm–3:30 pm
Coffee and Tea Break
3:30 pm–4:50 pm
Hardware Security
Swarm in EM Hay: Particle Swarm-Guided Probe Placement for EM SCA
Dev Mehta, Seyedmohammad Nouraniboosjin, Maryam Saadat Safa, Shahin Tajik, and Fatemeh Ganji, Worcester Polytechnic Institute
Breaking Infrared Recapture Detection: Optical-Synthesis Attacks and Depth-Aware In-Sensor Countermeasure
Tetsu Ishizue, The University of Electro-Communications; Sara Rampazzi, University of Florida; Takeshi Sugawara, University of Electro-Communications
PowerHooK: Enabling Software-Based Power Side Channels against AMD SEV Technologies via Transient-Execution Replay
Mathias Oberhuber, Martin Unterguggenberger, and Martin Wistauder, Graz University of Technology; Andreas Kogler, Graz University of Technology Alumni; Rishub Nagpal and Stefan Mangard, Graz University of Technology
Flash [Re]Loaded: Body Bias Injection on Flash Memory
Valentin Huber and Marc Schink, Fraunhofer AISEC, Technical University of Munich (TUM)
9:00 am–10:20 am
Machine Learning, Large Language Models, and Cyber Reasoning Systems
You Have Been LaTeXpOsEd: A Large-Scale Systematic Analysis of Information Leakage in Preprint Archives Using Large Language Models
Richard A. Dubniczky and Bertalan Borsos, Eötvös Loránd University, Hungary; Tamás Bisztray, University of Oslo, Norway; Norbert Tihanyi, Technology Innovation Institute, UAE
Are Neuro-Inspired Multi-Modal Vision-Language Models Resilient to Membership Inference Privacy Leakage?
David Amebley and Sayanton Dibbo, University of Alabama
LIMA: Defining, Benchmarking and Detecting Cross-Layer Vulnerabilities in LLM Inference Frameworks
Sanjib Kumar Sen, Hannah Longoria, and Bozhen Liu, Texas A&M University - Corpus Christi
OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security
Andrew Chin, Dongkwan Kim, Yu-Fu Fu, Fabian Fleischer, and Youngjoon Kim, Georgia Institute of Technology; HyungSeok Han, Microsoft; Cen Zhang, Brian Junekyu Lee, and Hanqing Zhao, Georgia Institute of Technology; Taesoo Kim, Georgia Institute of Technology and Microsoft
10:20 am–10:50 am
Coffee and Tea Break
10:50 am–12:10 pm
Software Security and Malware Analysis
Defective by Design: Universal Recovery of All Widevine-Protected Content on Desktop Environments
Florian Roudot and Mohamed Sabt, Univ Rennes, CNRS, IRISA
Evading and Crashing Anti-Malware Solutions via Data Collection Overloading During Analysis Serialization
Evgenios Gkritsis and George Stergiopoulos, Athens University of Economics and Business; Constantinos Patsakis, University of Piraeus
Onelogon: Taking Over Active Directory Accounts via Netlogon
Alexander Neff, Tobias Holl, and Kevin Borgolte, Ruhr University Bochum
SoK: The Constant Time Model
Billy Brumley, Rochester Institute of Technology
12:10 pm–1:40 pm
Conference Luncheon
1:40 pm–2:10 pm
Invited Talk
A Dummy's Guide to Agentic Exploit Generation
Connor Glosner, Purdue University
Agentic AI has reduced the time between "I found a vulnerability" and "I have a working proof-of-concept", but that speed is only an asset if it comes with discipline. This talk walks through how LLM-driven agents can be wired into an exploit generation workflow: automating the tedious parts of testing, such as synthesis, payload iteration, and PoC scaffolding against scoped targets, while keeping a human firmly in the loop on the decisions that matter. Using the Linux kernel as a case study, the talk illustrates how this approach can turn crashes found by fuzzers into working proof-of-concepts.
2:10 pm–2:40 pm
Coffee and Tea Break
2:40 pm–4:20 pm
Mobile, Wireless, and Cellular Protocol Security
Protocol Prying: Systematic Vulnerability Research in the AirDrop and Android Quick Share Proximity Transfer Protocols
Arash Ale Ebrahim and Nils Ole Tippenhauer, CISPA Helmholtz Center for Information Security
Exploiting Android Apps with Counterfeit Art
Rokhaya-Diamil Fall and Philipp Mao, EPFL; Martin Wagner, Asymmetric Research; Mathias Payer, EPFL
Practical Attacks on a Decentralized Secure Messenger Session
Kota Urushigaki, The University of Osaka; Hayato Kimura, NICT & The University of Osaka; Atsushi Tanaka and Takanori Isobe, The University of Osaka
CATana: On the Dangers of SIM-Originating AT Commands
Tomasz Lisowski, University of Birmingham; Kristian Covic, Ruhr University Bochum; Marius Muench, University of Birmingham
This paper is currently under embargo. The final paper PDF and abstract will be available on the first day of the conference.
SoK: Insecurity of Cellular Basebands
Henri Carnot and Aurélien Francillon, EURECOM
4:20 pm–4:30 pm
Closing Remarks
4:30 pm–6:00 pm
Demo/Poster Session and Happy Hour
A cornerstone of the USENIX WOOT Conference is to bring together academics and practitioners—hackers of all sorts—to discuss and share offensive security research. To help those conversations get started, WOOT '26 is seeking proposals for Demos and Posters. See the Call for Demos and Posters.