Xiaoyue Ma

I am a 4th-year Ph.D. Student at the Department of Computer Science, George Mason University (GMU). Prior to joining George Mason, I earned the Bachelor degree in Computer Science in 2017 from Northeastern University in Shenyang, China, and obtained the Master degree from the University of Melbourne, Australia, in 2020.

My research mainly focuses on IoT Attacks and Defenses.

I also maintain a deadline countdown website for conferences related to software analysis, security & privacy, and AI: Cybersecurity-Lab-GMU DDL Countdowns.
Contributions through pull requests or merge requests are welcome!!

News

(01/2025)[Paper] We introduce a terrifying attack that can turn your computer into an “AirTag” to track you. Apple has patched this bug! Accepted to USENIX Security’25!
(12/2024)[Service] I will serve as a member of Artifact Evaluation Committee for Usenix Security 2025!
(11/2024)[Award] I received the Student Travel Grant from George Mason University!
(07/2024)[Award] I received the Student Travel Grant from Usenix Security!
(05/2024)[Paper] Our tool that discovered over 60 zero-day vulnerabilities is accepted to USENIX Security’24.
(04/2024)[Service] I will serve as a member of the Local Organization Team for the Information Security Conference (ISC), which will be held in Virginia, USA, in October 2024. We welcome the submission of your best work! Check the Call for Papers (CFP) here!
(02/2023)[Paper] Our IoT fuzzing work that found over twenty zero-day vulnerabilities (six CVEs assigned) will be presented at MobiSys’23.

Publications

From One Thousand Pages of Specification to Unveiling Hidden Bugs: Large Language Model Assisted Fuzzing of Matter IoT Devices >>PDF
Xiaoyue Ma, Lannan Luo, Qiang Zeng.
Security’24, Philadelphia, USA, Aug. 2024

This work has discovered over 60 vulnerabilites and 3 CVEs have been assigned: CVE-2023-42189,CVE-2023-45955,CVE-2023-45956.

No More Companion Apps Hacking but One Dongle: Hub-Based Blackbox Fuzzing of IoT Firmware >>PDF
Xiaoyue Ma, Qiang Zeng, Haotian Chi, Lannan Luo
MobiSys’23, Helsinki, Finland, June. 2023

This work has discovered over twenty zero-day vulnerabilities and 6 CVEs have been assigned: CVE-2023-24678, CVE-2022-47100, CVE-2023-29780, CVE-2023-29779, CVE-2023-34596, CVE-2023-34597.
Artifact Review and Badging: Artifacts Evaluated – Functional v1.1 and Artifacts Evaluated – Reusable v1.1

Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges
Junming Chen, Xiaoyue Ma, Lannan Luo, Qiang Zeng.
Security’25, Seattle, USA, Aug. 2025

We introduce a terrifying attack that can turn your computer into an “AirTag” to track you.
The vulnerability and attack have been acknowledged by Apple and featured in multiple major media outlets:

Academic Service

Technical Program Committee

Security’25 AE: Usenix Security artifacts evaluation, 2025
VTC’25: IEEE Vehicular Technology Conference

Reviewer of Refereed Conferences

VTC’23, 24: IEEE Vehicular Technology Conference
ICCC’23, 24: IEEE/CIC International Conference on Communications in China
GLOBECOM’23,24: IEEE Global Communications Conference
ICCT’23, 24: IEEE International Conference on Communication Technology
PIMRC’23, 24: IEEE International Symposium on Personal, Indoor and Mobile Radio Communications
INFOCOM Workshop’23, 24: IEEE International Conference on Computer Communications Workshop

Reviewer of Refereed Journals

IEEE Transactions on Mobile Computing
IEEE Internet of Things Journal
IEEE Transactions on Vehicular Technology
IEEE Communications Magazine
ACM Transactions on Computing Education
Journal of Computer Security
Springer Peer-to-Peer Networking and Applications

Teaching Experience

Spring 2023, CS468, Secure Programming and Systems, Teaching Assistant.