Xiaoyue Ma

Xiaoyue Ma

Ph.D student in Computer Science

Xiaoyue Ma

I am a 4th-year Ph.D. Student at the Department of Computer Science, George Mason University (GMU), under the supervision of Prof. Lannan Luo and Prof. Qiang Zeng. Prior to joining George Mason, I earned the Bachelor degree in Computer Science in 2017 from Northeastern University in Shenyang, China, and obtained the Master degree from the University of Melbourne, Australia, in 2020.

My research mainly focuses on IoT Attacks and Defenses.

I also maintain a deadline countdown website for conferences related to software analysis, security & privacy, and AI: Cybersecurity-Lab-GMU DDL Countdowns.
Contributions through pull requests or merge requests are welcome!!

News

  • (01/2025)[Paper] Our work discovered a fascinating bug in Apple’s system, enabling attackers to turn non-Apple devices into AirTags and leverage iPhones worldwide as “spies.” Apple has patched this bug! Accepted to USENIX Security’25.
  • (12/2024)[Service] I will serve as a member of Artifact Evaluation Committee for Usenix Security 2025!
  • (11/2024)[Award] I received the Student Travel Grant from George Mason University!
  • (07/2024)[Award] I received the Student Travel Grant from Usenix Security!
  • (05/2024)[Paper] Our tool that discovered over 60 zero-day vulnerabilities is accepted to USENIX Security’24.
  • (04/2024)[Service] I will serve as a member of the Local Organization Team for the Information Security Conference (ISC), which will be held in Virginia, USA, in October 2024. We welcome the submission of your best work! Check the Call for Papers (CFP) here!
  • (02/2023)[Paper] Our IoT fuzzing work that found over twenty zero-day vulnerabilities (six CVEs assigned) will be presented at MobiSys’23.

Publications

  • Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges*
    Junming Chen, Xiaoyue Ma, Lannan Luo, Qiang Zeng. Security’25, Seattle, USA, Aug. 2025

This work discovered a fascinating bug in Apple’s system. Exploiting this bug, an attacker could turn a non-Apple device into an AirTag, making all iPhones worldwide act as free “spies” to report the location of the device. Apple has urgently patched this bug!

  • From One Thousand Pages of Specification to Unveiling Hidden Bugs: Large Language Model Assisted Fuzzing of Matter IoT Devices
    Xiaoyue Ma, Lannan Luo, Qiang Zeng.
    Security’24, Philadelphia, USA, Aug. 2024

This work has discovered over 60 vulnerabilites and 3 CVEs have been assigned: CVE-2023-42189,CVE-2023-45955,CVE-2023-45956.

  • No More Companion Apps Hacking but One Dongle: Hub-Based Blackbox Fuzzing of IoT Firmware
    Xiaoyue Ma, Qiang Zeng, Haotian Chi, Lannan Luo
    MobiSys’23, Helsinki, Finland, June. 2023
    >>[PDF]

This work has discovered over twenty zero-day vulnerabilities and 6 CVEs have been assigned: CVE-2023-24678, CVE-2022-47100, CVE-2023-29780, CVE-2023-29779, CVE-2023-34596, CVE-2023-34597.
Artifact Review and Badging: Artifacts Evaluated – Functional v1.1 and Artifacts Evaluated – Reusable v1.1

Academic Service

Reviewer of Refereed Conferences

  • VTC’23, 24: IEEE Vehicular Technology Conference
  • ICCC’23, 24: IEEE/CIC International Conference on Communications in China
  • GLOBECOM’23,24: IEEE Global Communications Conference
  • ICCT’23, 24: IEEE International Conference on Communication Technology
  • PIMRC’23, 24: IEEE International Symposium on Personal, Indoor and Mobile Radio Communications
  • INFOCOM Workshop’23, 24: IEEE International Conference on Computer Communications Workshop

Reviewer of Refereed Journals

  • IEEE Transactions on Mobile Computing
  • IEEE Internet of Things Journal
  • IEEE Transactions on Vehicular Technology
  • IEEE Communications Magazine
  • ACM Transactions on Computing Education
  • Journal of Computer Security
  • Springer Peer-to-Peer Networking and Applications

Teaching Experience

  • Spring 2023, CS468, Secure Programming and Systems, Teaching Assistant.