Skip to main content

About me / Services

Ruben Santamarta

Ruben Santamarta

Independent security researcher · reverse engineering, source code analysis & cyber-physical systems (nuclear & radiation, power grid, solar inverters, SATCOM, avionics, etc.).

Ruben Santamarta is a European independent security researcher with over 20 years of experience in the industry.

He has found and published dozens of vulnerabilities in a variety of targets, such as: desktop software and mobile apps, e-voting platforms, operating systems, Industrial Control Systems, SCADA software, IoT devices, RF controllers, satellite terminals, maritime equipment, solar inverters, avionics, and radiation monitoring systems.

Ruben has presented multiple times at international security conferences, such as Black Hat USA.

His main areas of expertise are reverse engineering, source code analysis, and cyber-physical systems (nuclear, power grid, solar inverters, etc.)

The best way to reach out for work, research, or media inquiries is via LinkedIn. Please send a connection request outlining the purpose of it in the message, connection requests without a message may not be considered.

Connect on LinkedIn →

This page contains a curated selection of publications, media appearances, and conferences from the past 12 years.

2026
Reversemode
A Practical Analysis of Cyber-Physical Attacks Against Solar Photovoltaic Generation in Europe
2025
Reversemode
A New Cyber-Physical Angle in Spain's Blackout
2024
Reversemode
A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors
2024
Reversemode
What Really Happened in Chernobyl During the Beginning of the Russian Invasion?
2023
Reversemode
Reversing 'France Identité': the new French digital ID
2022
NSA
Protecting VSAT communications
Reference to his SATCOM research in the advisory.
2022
Reversemode
VIASAT incident: from speculation to technical details
2022
Reversemode
De-Anonymization attacks against Proton Services
2022–24
Reversemode
Finding vulnerabilities in Swiss Post's future e-voting system — Parts 1, 2 & 3
2022
IOActive
Reverse Engineering of DAL-A Certified Avionics: Collins' Pro Line Fusion — AFD-3700
2021
IOActive Blog
A Practical Approach To Attacking IoT Embedded Designs (I) and (II)
2020
IOActive Blog
No buffers harmed: Rooting Sierra Wireless AirLink devices through logic bugs
2020
IOActive Blog
Breaking Electronic Baggage Tags — Lufthansa vs British Airways
2020
IOActive Blog
Warcodes II — The Desko Case
2017
CISA
Mirion Technologies Telemetry Enabled Devices
2016
IOActive Blog
In Flight Hacking System
2013
IOActive Blog
Identify Backdoors in Firmware By Using Automatic String Analysis
2012
IOActive Blog
Inside Flame: You Say Shell32, I Say MSSECMGR
2011
CISA
Schneider Electric Quantum Ethernet Module Credentials

Popular posts from this blog

De-Anonymization attacks against Proton services

  In November 2021 YesWeHack invited me to participate in a private bug bounty program organized by  Bug Bounty Switzerland on behalf of Proton AG.  The scope of the program was quite interesting and heterogeneous, as it covered most of the applications and services offered by Proton, such as ProtonMail and ProtonVPN. As a result, multiple technologies and codebases were in scope, ranging from typescript, in the open-source part of Protonmail, to .NET/Swift used by ProtonVPN apps for Windows and macOS respectively. Proton is well-known for its privacy-driven services offer, so they are based on Switzerland where the legislation seems to match Proton's requirements to provide that kind of services: thus maximizing the privacy of their communications, minimizing the amount of data they log from their users while keeping a law-abiding status.  It wouldn't be realistic to think of Proton users as an homogenous group; you may be using Proton because you're genuinely w...

What Really Happened in Chernobyl During the Beginning of the Russian Invasion?

This blog post contains the web version of my research paper: " Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication ", which was unveiled at BlackHat USA 2023 . It is intended to ease the indexing and dissemination of the information collected during this research.  In a few days, I'll be in Brussels presenting this research.  The original paper (PDF) can be downloaded here . Additional references: https://www.wired.com/story/chernobyl-radiation-spike-mystery/  (Kim Zetter) https://www.zetter-zeroday.com/p/radiation-spikes-at-chernobyl-a-mystery  (Kim Zetter) https://medium.com/war-notes/chornobyl-3-92216d21b223  (Olegh Bondarenko) INDEX Foreword Executive summary Introduction 1. Physical      1986      Resuspension      Transport      Humidity      Traffic 2. Cyber    ...

Finding vulnerabilities in Swiss Post's e-voting system: part 3

Exactly two years ago I brought my blog back to life, after many years of hiatus, with " Finding vulnerabilities in Swiss Post’s future e-voting system - Part 1 ". That was the first of a series of blog posts covering that system. During these two years I've been periodically assessing the security posture of this e-voting solution, as part of their Bug Bounty program , which I personally recommend.   Since the first time I reviewed their codebase a lot of things have changed, for good, as many areas have been dramatically improved. To be honest, from a security perspective the codebase back then was kind of a mess.   When the first Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community.  As a result, some significant issues were uncovered , so eventually Swiss Post decided to suspend the deployment of the system. That first version had been developed by Scytl , Spanish company specializ...

Beware of Java's String.getBytes

Sometimes there are subtle bugs whose origin can be found in some quirks from the underlying language used to build the software. This blog post describes one of those cases in order to let both fellow security researchers and developers, who didn't know about it, become aware of this potential vulnerable pattern. In fact, I'm pretty sure that similar bugs to the one herein described likely affect a bunch of products/codebases out there. In previous posts , I've already described some bugs in the Swiss Post's future E-voting system. While reading their  Crypto-Primitives specification , which among other things describes the custom Hashing algorithm Swiss Post implemented, I noticed something potentially interesting. Basically, there are 4 different types that are supported: byte arrays, strings, integers and vectors. Before being hashed, strings are converted to a byte array via the ' StringToByteArray ' algorithm. However, by comparing ' StringToByteArray...

Losing control over Schneider's EcoStruxure Control Expert

  During Q2 2022, in view of the geopolitical situation that unfolded after the Russian invasion of Ukraine, I decided that it wouldn't do any harm to kill some bugs in some of the main players within the ICS arena. I focused in those software frameworks that are running on the engineering workstations so, if compromised, attackers would be in a privileged position to manipulate controllers logic, thus enabling sophisticated attacks with a potential physical impact (i.e triton). I responsibly reported a bunch a unauthenticated remotely exploitable bugs to the corresponding vendors. In one case, after being ignored for months, I had to resort to the 'twitter, do your magic' approach and tweeted that I would be disclosing the issues if the situation persisted. It took just few hours for the vendor to get back to me. The positive side is that they found the bugs interesting and all that mess ended up in paid work.   This blog post covers a similar scenario in a different ven...