Projects

Sasquatch

Raising awareness on privacy and security issues

SASQUATCH is a public display aiming to raise awareness on privacy-sensitive information leaking from smartphones. It uses a network scanner and some data mining to gather private information about visitors' previous whereabouts, and then shows an anonymized version of this data on the public display to draw the visitor's attention. Next, SASQUATCH offers an interactive component that allows people to view the information their own smartphone is leaking in private, and then provides solutions (including a fully-automated smartphone application) for securing against future privacy leaks.

The code for this project is unfortunately not publicly available. However, some papers describing the workings of this system can be found here and here. A TED talk where the SASQUATCH system was used to collect privacy-sensitive information about the audience is available on YouTube.

Wi-Fi PrivacyPolice

Android app providing Wi-Fi security

Wi-Fi PrivacyPolice is an Android application which limits the amount of privacy-sensitive information that is sent out by your smartphone over the air. It does this by making sure that the smartphone only tells its surroundings about the Wi-Fi networks it wants to connect to if it is certain that these networks are also available (as opposed to the default, where the preferred network list is sent out continuously). It also prevents 'evil twin' attacks, in which an attacker impersonates a legitimate access point in order to trick devices into connecting to a rogue network.

Wi-Fi PrivacyPolice can be installed from Google Play. Its source code is available on GitHub. A paper describing the workings of Wi-Fi PrivacyPolice is available here.

WiFiPi

Involuntary tracking of visitors

The WiFiPi project was started in 2012 as a way to track visitors at a major music festival by capturing their smartphones' signals. The setup was used on multiple occasions, successfully providing a way for festival organisers to monitor hotspots and other crowded areas.

The code for this project is unfortunately not publicly available. However, a paper describing the workings of this system can be found here. Another paper using the mobility data captured by the WiFiPi system to simulate large crowds is available here.

NoFix

Firefox extension protecting against session attacks

NoFix is a Firefox extension which aims to protect the user against session fixation and session hijacking attacks, even when no countermeasures are in place at the server side. It works by tracking, for every cookie, the channel via which it was set and the channel via which it is read, in order to prevent unauthorized access.

NoFix, together with its source code, is available on GitHub. Its inner workings are extensively described in a master's thesis.

Publications

Bram Bonné, "Assessing and improving security and privacy for smartphone users", PhD dissertation at UHasselt, Hasselt, 2017 [pdf]

Bram Bonné, Sai Teja Peddinti, Igor Bilogrevic and Nina Taft, "Exploring decision making with Android's runtime permission dialogs using in-context surveys", Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, CA, 2017 [pdf]
IAPP SOUPS Privacy Award!

Bram Bonné, Gustavo Rovelo, Peter Quax and Wim Lamotte, "Insecure Network, Unknown Connection: Understanding Wi-Fi Privacy Assumptions of Mobile Device Users", Information, vol. 8, no. 3, July 2017 [pdf]

Pieter Robyns, Bram Bonné, Peter Quax and Wim Lamotte, "Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices", Security and Communication Networks, vol. 2017, May 2017 [pdf]

Bram Bonné, Peter Quax and Wim Lamotte, "The Privacy API: Facilitating Insights In How One's Own User Data Is Shared", 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Paris, 2017 [pdf]

Pieter Robyns, Bram Bonné, Peter Quax and Wim Lamotte, "Assessing the Impact of 802.11 Vulnerabilities using Wicability", The 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, Darmstadt, 2016.

Bram Bonné, Wim Lamotte, Peter Quax and Kris Luyten, "Raising awareness on smartphone privacy issues with SASQUATCH, and solving them with PrivacyPolice", The 11th International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (ACM Mobiquitous '14), London, 2014 [pdf]

Bram Bonné, Peter Quax and Wim Lamotte, "Your Mobile Phone is a Traitor! — Raising Awareness on Ubiquitous Privacy Issues with SASQUATCH", International Journal on Information Technologies & Security, vol. 6, no. 3, pp. 38–53, Sep. 2014 [pdf]

Pieter Robyns, Bram Bonné, Peter Quax and Wim Lamotte, "Exploiting WPA2-Enterprise Vendor Implementation Weaknesses through Challenge Response Oracles", The 2014 ACM conference on Security and privacy in wireless & mobile networks (ACM WiSec '14), Oxford, 2014 [pdf]

Bram Bonné, Arno Barzan, Peter Quax and Wim Lamotte, "WiFiPi: Involuntary Tracking of Visitors at Mass Events", The 7th IEEE WoWMoM Workshop on Autonomic and Opportunistic Communications (IEEE AOC '13), Madrid, 2013 [pdf]

Arno Barzan, Bram Bonné, Peter Quax, Wim Lamotte, Mathias Versichele and Nico Van de Weghe, "A Comparative Simulation of Opportunistic Routing Protocols Using Realistic Mobility Data Obtained From Mass Events", The 7th IEEE WoWMoM Workshop on Autonomic and Opportunistic Communications (IEEE AOC '13), Madrid, 2013 [pdf]

Bram Bonné, Arno Barzan, Peter Quax and Wim Lamotte, "Simulating the Behavior of Opportunistic Network Protocols at Mass Events with ns-3", The Workshop on ns-3 (WNS3) - held in conjunction with the sixth International Conference on Simulation Tools and Techniques (SIMUTools 2013), Cannes, 2013

Bram Bonné, "Improving session security in web applications", Master's thesis at K.U.Leuven, Leuven, 2011 [pdf]

In addition, Bram performed reviews for IEEE Transactions on Information Forensics and Security and IDAACS.

Talks, presentations and other media

Sept 7, 2014: "Van één Pukkelpopper op de drie konden we de locatie volgen" [newspaper article] (Dutch)
Sept 21, 2015: VTM Nieuws: "Zo houdt Facebook iedereen in de gaten" [News video] (Dutch)
June 17, 2015: ECG Congres gemeentemanagement: "Hoe veilig zijn uw data?"
May 9, 2015: Science Festival: "Je smartphone verklikt je" [newspaper article] (Dutch)
September 25, 2014: Talk at the European Commission's 9th Security and Safety Symposium: "Your smartphone is a traitor!" [slides]
June 7, 2014: TEDxGhent talk: "Your smartphone is leaking your information" [YouTube video]
SASQUATCH and Wi-Fi PrivacyPolice were featured on Forbes and XDA Developers.
WiFiPi got cited by one of Bram's heroes in the book "Data and Goliath".

Teaching

Students

Axel Faes, "Machine learning techniques for flow-based network intrusion detection systems", Bachelor's thesis, 2016.
Pieter Robyns, "Wireless Network Privacy", Master's thesis, 2013.
Aäron Thijs, "HTML5 security in modern web browsers", Master's thesis, 2013.
Steve Bottelbergs, "A comparative study on the security of open source web content management systems", Master's thesis, 2013.
Jens Vandenreyt, "Security of NFC-based systems", Master's thesis, 2013.
Pieter Vanderlinden, "A comparative study of web vulnerability scanners", Master's thesis, 2013.

Courses

"Security en computernetwerken", Master INF — study guide / course page
"Gedistribueerde systemen", Master INF — study guide / course page
"Netwerksoftware en -architecturen", Master INF — study guide / course page
"Multimediatechnologie", Master INF-MUL — study guide / course page
"Computernetwerken", 3e Bachelor INF — study guide / course page
"Software engineering", 3e Bachelor INF — study guide / course page
"Trimesteroverschrijdend project", 2e Bachelor INF — study guide / course page
"Web programming", 1e Bachelor INF — study guide / course page

Education

Hasselt University

PhD computer science / 2011-2017

Performing privacy and security research, focused on smartphones, wireless networks and the Internet.

Teaching students on a variety of networking, security and multimedia topics.

PhD dissertation: "Assessing and improving security and privacy for smartphone users"

Katholieke Universiteit Leuven

Master engineering: computer science / 2009-2011

Specialization software security
Graduated cum laude

Master thesis: "Improving session security in web applications" (awarded the Luciad master thesis prize)

Elective courses in fields of Security, Management, Law, Cryptography, Machine Learning, Computer Networks and Collective Intelligence (course on Biology in Computer Science at ParisTech).

Hasselt University

Bachelor computer science / 2006-2009

Specialization information and communication technology
Graduated magna cum laude

Bachelor thesis: "A multi-device presence agent"

Elective courses in fields of Databases, Compilers, Astrophysics and Multimedia.

Virga-Jessecollege

Science-Mathematics / 2000-2006

Elective courses in Philosophy and Photography

Experience

Google

Software Engineer / 2017-present

Software engineer in the applied privacy research team.

Universiteit Hasselt

PhD student & teaching assistant / 2011-2017

Performing privacy and security research, focused on smartphones, wireless networks and the Internet.

Teaching students on a variety of networking, security and multimedia topics.

Google

Software Engineering & Research Intern / 2016

Research on smartphone user privacy.

Mobile Vikings (VikingCo)

Software engineer / 2009

Developing Python modules for the backend of a Django-based website and writing a statistics monitoring application.

Languages

Natural

Dutch: Native
English: Excellent
French: Average

Digital

C++, C: Excellent (with knowledge of Qt and STL libraries)
Python: Excellent (with knowledge of Django)
Java: Very good (with knowledge of Android programming, J2EE and JSP)
Javascript: Very good
SQL: Very good
HTML, CSS: Very good
PHP: Average
Bash scripting: Average
Prolog: Basic
Haskell: Basic
Perl: Basic