Joseph Gardiner

Awais Rashid, Joseph Gardiner, Louise Evans

Information Technology (IT) security professionals have ready access to open-source platforms such as Kali Linux. But no such platform exists for Operational Technology (OT) that underpins Industrial Control Systems. We discuss experiences of architecting, building and releasing LINICS, an open-source platform for OT pentesting and security analysis.

Zhiyuan Xu, Joseph Gardiner, Sana Belguith et al.

Safety alignment is critical for the responsible deployment of large language models (LLMs). As Mixture-of-Experts (MoE) architectures are increasingly adopted to scale model capacity, understanding their safety robustness becomes essential. Existing adversarial attacks, however, have notable limitations. Prompt-based jailbreaks rely on heuristic search and transfer poorly, model intervention methods require privileged access to internal representations, and optimization-based input attacks remain output-centric and are fundamentally limited to MoE models due to the non-differentiable routing mechanism. In this paper, we present RouteHijack, a routing-aware jailbreak for MoE LLMs. Our key insight is that safety behavior is concentrated in a small subset of experts, creating an opportunity to steer model behavior by influencing routing decisions through input optimization. Building on this observation, RouteHijack first performs response-driven expert localization to identify safety-critical and harmful experts by contrasting activations under safe refusals and harmful completions. It then constructs adversarial suffixes with a routing-aware objective that suppresses safety experts, promotes harmful experts, and prevents early-stage refusal during generation. At inference time, the optimized suffix is appended to a malicious prompt, requiring only input access. Across seven MoE LLMs, RouteHijack achieves a 69.3\% average attack success rate (ASR), outperforming prior optimization-based attack by $3.2\times$. RouteHijack also transfers zero-shot across five sibling MoE variants, raising average ASR from 27.7\% to 61.2\%, and further generalizes to three MoE-based VLMs, increasing average ASR from 2.47\% to 38.7\%. These findings expose a fundamental vulnerability in sparse expert architectures and highlight the need for defenses beyond output-level alignment.

Zhiyuan Xu, Joseph Gardiner, Sana Belguith

Large language models are typically trained on vast amounts of data during the pre-training phase, which may include some potentially harmful information. Fine-tuning attacks can exploit this by prompting the model to reveal such behaviours, leading to the generation of harmful content. In this paper, we focus on investigating the performance of the Chain of Thought based reasoning model, DeepSeek, when subjected to fine-tuning attacks. Specifically, we explore how fine-tuning manipulates the model's output, exacerbating the harmfulness of its responses while examining the interaction between the Chain of Thought reasoning and adversarial inputs. Through this study, we aim to shed light on the vulnerability of Chain of Thought enabled models to fine-tuning attacks and the implications for their safety and ethical deployment.

Emmanouil Samanis, Joseph Gardiner, Awais Rashid

Asset scanning and discovery is the first and foremost step for organizations to understand what assets they have and what to protect. There is currently a plethora of free and commercial asset scanning tools specializing in identifying assets in industrial control systems (ICS). However, there is little information available on their comparative capabilities and how their respective features contrast. Nor is it clear to what depth of scanning these tools can reach and whether they are fit-for-purpose in a scaled industrial network architecture. We provide the first systematic feature comparison of free-to-use asset scanning tools on the basis of an ICS scanning taxonomy that we propose. Based on the taxonomy, we investigate scanning depths reached by the tools' features and validate our investigation through experimentation on Siemens, Schneider Electric, and Allen Bradley devices in a testbed environment.

Joseph Gardiner, Awais Rashid

Siemens produce a range of industrial human machine interface (HMI) screens which allow operators to both view information about and control physical processes. For scenarios where an operator cannot physically access the screen, Siemens provide the SM@rtServer features on HMIs, which when activated provides remote access either through their own Sm@rtClient application, or through third party VNC client software. Through analysing this server, we discovered a lack of protection against brute-force password attacks on basic devices. On advanced devices which include a brute-force protection mechanism, we discovered an attacker strategy that is able to evade the mechanism allowing for unlimited password guess attempts with minimal effect on the guess rate. This vulnerability has been assigned two CVEs - CVE-2020-15786 and CVE-2020-157867. In this report, we provide an overview of this vulnerability, discuss the impact of a successful exploitation and propose mitigations to provide protection against this vulnerability. This report accompanies a demo presented at CPSIoTSec 2020.

Joseph Gardiner, Marco Cova, Shishir Nagaraja

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.

Joseph Gardiner, Shishir Nagaraja

Communication anonymity is a key requirement for individuals under targeted surveillance. Practical anonymous communications also require indistinguishability - an adversary should be unable to distinguish between anonymised and non-anonymised traffic for a given user. We propose Blindspot, a design for high-latency anonymous communications that offers indistinguishability and unobservability under a (qualified) global active adversary. Blindspot creates anonymous routes between sender-receiver pairs by subliminally encoding messages within the pre-existing communication behaviour of users within a social network. Specifically, the organic image sharing behaviour of users. Thus channel bandwidth depends on the intensity of image sharing behaviour of users along a route. A major challenge we successfully overcome is that routing must be accomplished in the face of significant restrictions - channel bandwidth is stochastic. We show that conventional social network routing strategies do not work. To solve this problem, we propose a novel routing algorithm. We evaluate Blindspot using a real-world dataset. We find that it delivers reasonable results for applications requiring low-volume unobservable communication.