Federico Maggi

Security Engineer

Amazon Web Services

I enjoy working on various cyber-security topics. I’ve done offensive and defensive research on web applications, network protocols, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices.

I’m as a Security Engineer at Amazon Web Services (AWS), in a team focused on platform security.

After more than 10 years, I concluded that I’m still around in the infosec area because it gives me so many opportunities to solve new exciting problems every day.

Interests

Systems Security
Applied Security
Data Analysis
Psychology

Education

PhD in Computer Engineering, 2010

Politecnico di Milano
MSc in Computer Engineering, 2007

Politecnico di Milano

Recent Posts

Scalable, Hand-curated Newsletters: A Data-centric, Automatic Workflow

I guess it’s not unique to the cyber-security world, but research and media move pretty fast here, so it’s easy to end up with hundreds of seemingly interestingly articles or blog posts to read every day. Of course, that’s not humanly possible. Let me tell you how I deal with this.

Nov 15, 2021 15 min read

Masked Emotions

Despite this little beast known as COVID-19 pandemic is about to turn 1 year old, many people still feel strange when wearing masks. While wearing a face mask we can’t speak properly and we can’t see others’ mouth, so our experience of a conversation can change, especially if speaking is central in our lives (think of any public figure).

Dec 21, 2020 27 min read

Reading Aloud

Reading long texts has always been a daunting task to me. A rocky mountain I seldom find myself brave enough to start climbing (unless forced to). I’ve never had good reading habits, except for a few, very intriguing novels with a powerful storyline, which I could actually read quite fast.

Dec 14, 2020 12 min read

Smart Manufacturing Security

How do we secure a smart manufacturing system, or a smart factory? Recent incidents such as the ransomware infection that halted production at a major semiconductor foundry in 2018 have already shown the impact of IT-to-OT lateral movement. Moreover, while smart manufacturing systems are isolated from other networks, there is a trend toward less isolation between IT and OT systems.

Jun 8, 2020 5 min read

Smart working, figli, tecnologia e didattica: il racconto e i consigli di un papà che lavora da casa da 4 anni e più

Ci voleva il termine “smart working,” perché “lavoro da casa” in Italia, per molti, proprio non va giù. Sarà cultura, sarà mentalità, sarà la scarsa alfabetizzazione digitale, sta di fatto che è ancora guardato con sospetto da molti datori di lavoro, e con ammirazione e un pizzico di divertimento—quasi ironico (“ah ah ah, guardami lavoro dal divano!

Mar 9, 2020 11 min read

Smart working, figli, tecnologia e didattica: il racconto e i consigli di un papà che lavora da casa da 4 anni e più

See all posts

Recent & Upcoming Talks

The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!

We discovered and disclosed vulnerabilities in most of the OMG Data Distribution Service (DDS) implementations. DDS enables crucial …

Nov 8, 2021 12:00 AM London, UK

Ta-Lun Yen, Federico Maggi, Erik Boasson

Small Wonder: Uncovering Planned Obsolescence Practices in Robotics and What This Means for Cybersecurity

Security in robotics is nothing really new if one considers modern OT and IT approaches, and most security practices translate directly …

Jul 31, 2021 12:00 AM Las Vegas, US

Víctor Mayoral-Vilches, Federico Maggi

Hidden Attack Surfaces of Modern Industrial Automation Systems

Last year we performed a security analysis on a testbed smart manufacturing system using a variety of “unconventional” …

Oct 21, 2020 12:00 AM Stocholm, Sweden

Federico Maggi

Guarding the Factory Floor: Catching Insecure Industrial Robot Programs

What if a perfectly patched industrial manufacturing machine can still harbor for vulnerabilities where no one is looking? What if the …

Sep 12, 2020 12:00 AM Taiwan

Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi

PDF Video

OTRazor: Static Code Analysis for Vulnerability Discovery in Industrial Automation Scripts

In this talk, we delve into industrial robot programming, focusing on the security issues arising from the design and implementation …

Aug 5, 2020 12:00 AM Las Vegas, US

Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi

PDF Video

See all talks

Recent Publications

RFQuack: A Universal Hardware-Software Toolkit for Wireless Protocol (Security) Analysis and Research

Software-defined radios (SDRs) are indispensable for signal reconnaissance and physical-layer dissection, but despite we have advanced …

Federico Maggi, Andrea Guglielmini

PDF

Smart Factory Security: A Case Study on a Modular SmartManufacturing System

Smart manufacturing systems are an attractive target for cyber attacks, because they embed valuable data andcritical equipment. Despite …

Federico Maggi, Marco Balduzzi, Rainer Vosseler, Martin Rösler, Walter Quadrini, Giacomo Tavola, Marcello Pogliani, Davide Quarta, Stefano Zanero

PDF

Detecting Unsafe Code Patterns in Industrial Robot Programs

To appear

Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero

PDF

Rogue Automation: Vulnerable and Malicious Code in Industrial Programming

In this research paper, we reveal previously unknown design flaws that malicious actors could exploit to hide malicious functionalities …

Federico Maggi, Marcello Pogliani, Martino, Vittone, Davide Quarta, Stefano Zanero, Marco Balduzzi, Rainer Vosseler, Martin Rösler

PDF

Attacks on Smart Manufactururing Systems: A Forward-looking Security Analysis

This research presents a systematic security analysis that we performed to explore a variety of attack vectors on a real smart …

Federico Maggi, Marcello Pogliani

PDF

See all publications

Experience

Also check my LinkedIn profile.

Security Engineer

Amazon Web Services (AWS)

Jan 2023 – Present Global

Server platform security.

Research Expert

Huawei AI4Sec

Mar 2022 – Jan 2023 Milano, Italy

Malware analysis research.

Senior Researcher

Trend Micro, Inc.

Jul 2016 – Feb 2022 Global

R&D in the cyber-security area.

Adjunct (a.k.a. Contract) Professor

Politecnico di Milano

Jun 2016 – Jun 2017 Milano, Italy

Teaching (Computer Security).

Visiting Professor

UC Santa Barbara

Oct 2015 – Feb 2016 California, United States

Scientific research in the cyber-security area.

Assistant Professor

Politecnico di Milano

Jan 2014 – Jun 2016 Milano, Italy

Scientific research in the cyber-security area, teaching (Computer Security), research management.

Post-doctoral Researcher

Politecnico di Milano

Jan 2010 – Dec 2014 Milano, Italy

Scientific research in the cyber-security area, teaching (Computer Security, Computer Forensics, Programming).

Visiting Research Scholar

UC Santa Barbara

Sep 2008 – Jun 2009 California, United States

Scientific research in the cyber-security area.

Junior Penetration-testing Consultant

SecureNetwork s.r.l.

Jan 2005 – Dec 2016 Northern Italy

R&D, teaching (Information Security, Malware Analysis), web penetration testing, and vulnerability assessment.

IT Consultant

B.M.S. s.r.l.

Jan 2002 – Dec 2006 Northern Italy

IT and network engineering, deployment, and administration.

IT Consultant

Freelance

Jan 2000 – Jun 2016 Northern Italy

The best way to contact me is via e-mail. Guess what the address might be? I usually answer within 1 day. If that doesn’t happen, feel free to ping me via instant messaging, Slack, Discord, and sometimes on IRC, where I go by “phretor”.

If you need to communicate with my privately, use my Keybase GPG public key (fingerprint: ~~C42B 0CC7 6191 5B69 2C68 E88F 9693 4CDE C0BB EBCF~~ 1F80 C968 F718 D6A1 BC7B 30EA BA2E DAFB 4F24 86BC). If you prefer modern alternatives, yes, I use Signal (and you should, too), and Twitter.