I am a Professor of Information Security at the Information Security Group at Royal Holloway, University of London and the Director of the Smart Card and IoT Security Centre. My main research areas include trusted execution environments, embedded devices and cyber physical system security, smart cards and RFIDs, avionics and drone security, automotive, payment and transport systems, mobile phone/NFC/secure element security, ambient sensors, Internet-of-Things (IoT) security.

Internet-of-Things (IoTs)

I am particularly interested in providing countermeasures for weaknesses and attacks on IOT devices. I have supervised a number of projects examining the security of smart locks, web cams, DVRs, smart watches, and other “smart” devices.

Payment System Security

Amongst my main research interests is the security of payment systems, fair exchange [CP16] and anonymity [CP13] protocols. We have also been conducting research in the field of bitcoins and fair exchange protocols [CP81] and exploring the benefits of block chain technologies for other applications. We have also been conducting research in the field of centralised payment systems [CP89]. This research thread is currently leading us into further research questions [CP95] related to NFC payments [CP79] and we practically examine the efficient use of mobile phone sensors for avoiding relay attacks [CP81].

Secure Application Execution

In this research thread, we are investigating ways that guarantee the secure execution of an application in embedded/cyber physical devices (e.g. smart cards, mobile phones, payment terminals, IoTs, etc.) that might be subjected to a number of intentional attacks (e.g. side channel attacks) and unintentional faults (cosmic radiation). The main aim of this research thread [CP77, CP87, CP94] is to detect any attacks, protect runtime data, provide verified instruction interpretation and control flow verification, in an attempt to recover the underlying platform in a secure state. The practicality of these proposals has been implemented and tested in an FPGA platform implementing a microprocessor.

Trusted Execution Environment

For embedded systems and mobile phones: in this research thread [CP113, CP114, CP130], we looked into the different attestation mechanisms [CP37, CP42, CP49, CP61, CP73] that will allow a device to provide the necessary assurance that it operates in a secure and safe mode. This includes preventing any attacks by identifying any vulnerabilities or modifications (at the software level) of the underlying platform. This research thread is also examining the security provisions of a number of trusted execution environments such as ARM TrustZone and Intel SGX, in order to provide security enhancements [CCP105, CPP114, CP122, CP130].

Smart Card OS and Platforms

We have been conducting research in smart card technology and associated operating systems and platforms since 1995. We have developed our own smart card simulator upon which we will have full control of which faults are introduced. We have initiated new protocols that will enable to dynamically verify static certificates (e.g. common criteria) against on-the-fly generated attestation results [CP7, CP16, CP97].

Embedded System Security

I am particularly interested in the interactions between hardware and software for the secure operation of mobile devices platforms and OSs. We are exploring hardware and software binding along with software countermeasures and attestation micro kernels that will safeguard the overall security of the underlying platform.

Security of RFID Tokens

Grouping proofs push the boundaries of token and reader interactions towards the secure authentication of multiple tokens within acceptable time frames, which has lead into a number of publications [67, 66, 55]. We have been examining the security of low-cost RFID authentication protocols and we were successful in identifying unknown vulnerabilities in existing systems along with proposing efficient authentication protocols [93,102].


As part of our research effort in the field of automotive security, we  investigated the “security” of CANBUS [CP92, CP93] and the use of mobile devices for attestating the current status of vehicle security [CP83]. We have examined existing industrial proposals (e.g. the EVITA project) and, based on our analysis, we have suggested a number of improved protocols, related with safety and security measures. These are implemented in commercial Electronic Control Units (ECUs) and they are also analysed using mechanical tools (CasperFDR and Scyther). [CP111]}


I am also particularly interested in the secure deployment and utilisation of hardware security sensors and Electronic Control Units (ECUs) in avionics and automotive environments. I was, in fact, the PI in the Secure High availability Avionics Wireless Networks (SHAWN) project (funded by EPSRC and TSB), which provided security expertise and advice in a number of industrial project partners. As a result of our work, we have published a few papers, [CP130, CP137, CP138] with paper [CP99] winning the best conference paper in the security session of a major avionics conference.

Software and Hardware Binding

In this research thread [CP106, CP123], we consider a very powerful adversary model that involves an attacker being able to bypass the tamper resistance of individual nodes in cyber-physical systems. In essence, the attacker is able to read the contents of different memories and, as a result, any protection based on the tamper resistance of the chip (stored cryptographic keys) will be rendered useless. We are proposing a model of different hardware intrinsic functions [CP98] that will allow the binding of software to a specific hardware both for IP protection but also for protection against counterfeit, reused, repackaged products.

Mobile Device Security

Mobile devices have become equivalent to mainstream and powerful computing devices. We are examining the underlying security mechanisms for secure application installation, privilege escalation, permission enforcement and provision of forensic tools.

Security Protocol Design

Currently, there are a number of secure channel protocols that do not take into account the specific characteristics (e.g. processing overheads, communication buffers, etc.) of the underlying technology utilised by different devices. We have proposed, in the following papers a number of secure channel protocols that were designed specifically by taking into account all these factors.

Near Field Communication Security

Near Field Communication offers new communication possibilities for mobile devices but at the same time it introduces a number of open ended security questions. Among them we encounter the provision and operation of a trusted element and relay attacks. We performed, probably, the first NFC security papers related to relay vulnerability in mobile devices [74, 70, 66, 62, 61] in the world.

New Usage of Side-Channel Leakage

This is the result of a completely new way of thinking into side channel leakage on embedded devices. Up to today, side channel leakage was used, in order to break into systems and algorithms. However, we propose that it can be used, in order to fingerprint a platform and in order to make sure that the secure application execution is verified [98].

Transport System Security

We have investigating the security requirements of NFC handsets, along with their perceived security advantages and disadvantages, in the transport industry. This thread of work also involves examining the use of NFC handsets as ticketing devices taking into account tokenization, performance and security requirements.

Verification of Security Protocols

We have been looking into provable security through the utilization of formal methods and automated protocol analysis tools like Casper/FDR, Avispa, etc. I would like to be able to extend the limitations of some of these tools, for example Casper/FDR, in order to be able to handle the specific requirements and operational characteristics of a number of platforms and protocols, e.g. smart metering and RFIDs.

User Centric Devices

In this research thread, we are proposing a user centric model of ownership for a number of personal devices, including smart cards, RFIDs, and mobile phones. The nature of the above operational environments create specific research questions in terms of how the applications will be downloaded, installed, decommissioned and attestated.

Software (Games) Content Protection

I am interested in the Digital Rights Management issues and interoperability between mobile phones and other devices, e.g. set-top-boxes, game consoles.

Data Provenance

In Internet of Things (IoT) and Cyber-Physical Systems (CPS), data might be collected from a number of nodes deployed in the field. We are investigating data provenance mechanisms for personal information stored in the cloud.

Video/Computer Game Anticheating

We are also investigating the protection of software, computer games through hardware enhancements. The role of anticheating engines is examined with the view of providing hardware, software, networking and distributed ledger technologies.

Recent Work

[202] Carlton Shepherd, Jan Kalbantner, Benjamin Semal, Konstantinos MarkantonakisA Side-channel Analysis of Sensor Multiplexing for Covert Channels and Application Fingerprinting on Mobile Devices‘.

[201] Carlton Shepherd, Benjamin Semal, Konstantinos MarkantonakisInvestigating Black-Box Function Recognition Using Hardware Performance Counters‘, IEEE Transactions on Computers.

[200] F Thomas-Brans, Thibaut Heckmann, Konstantinos Markantonakis, Damien Sauveron ‘New Diagnostic Forensic Protocol for Damaged Secure Digital Memory Cards‘, IEEE Access, vol. 10, pp. 2 – 7. https://doi.org/10.1109/ACCESS.2022.3158958

[199] Jan Kalbantner, Konstantinos Markantonakis, Darren Hurley-Smith, Carlton Shepherd, Benjamin Semal A DLT-based Smart Contract Architecture for Atomic and Scalable Trading‘ pp. 1-18. <https://arxiv.org/abs/2105.02937

[198] Vihangi Vagal , Konstantinos Markantonakis, Carlton Shepherd A New Approach to Complex Dynamic Geofencing for Unmanned Aerial Vehicles. in 40th IEEE Digital Avionics Systems Conference (DASC). IEEE.

[197] Carlton Shepherd, Konstantinos Markantonakis, Georges-Axel Jaloyan LIRA-V: Lightweight Remote Attestation for Constrained RISC-V Devices. in IEEE Workshop on the Internet of Safe Things: IEEE Security and Privacy Workshops (in conjunction with IEEE Security & Privacy ’21). vol. 1, IEEE, pp. 221-227. https://doi.org/10.1109/SPW53761.2021.00036

[196] Benjamin Semal, Konstantinos Markantonakis, Keith Mayes, Jan KalbantnerOne Covert Channel to Rule Them All: A Practical Approach to Data Exfiltration in the Cloud‘, Paper presented at 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom ), Guangzhou, China, 29/12/20 – 1/01/21. https://doi.org/10.1109/TrustCom50675.2020.00053

[195] Jan Kalbantner, Konstantinos Markantonakis, Darren Hurley-Smith, Raja Naeem Akram, Benjamin Semal ‘P2PEdge: A Decentralised, Scalable P2P Architecture for Energy Trading in Real-Time‘, Energies, vol. 14, no. 3, 606, pp. 1-25. https://doi.org/10.3390/en14030606

[194] Carlton Shepherd, Konstantinos Markantonakis, Nico Van Heijningen, Driss Aboulkassimi, Clement Gaine, Thibaut Heckmann, David Naccache ‘Physical Fault Injection and Side-Channel Attacks on Mobile Devices: A Comprehensive Analysis‘, Computers and Security. https://doi.org/10.1016/j.cose.2021.102471

[193] Anjia Yang, Dutliff Boshoff, Qiao Hu, Gerhard Hancke, Xizhao Luo, Jian Weng, Keith Mayes, Konstantinos MarkantonakisPrivacy-preserving Group Authentication for RFID Tags Using Bit-Collision Patterns‘, IEEE Internet of Things Journal. https://doi.org/10.1109/JIOT.2021.3059047

[192] Qiao HU, Bianxia DU, Konstantinos Markantonakis, Gerhard Hancke ‘A Session Hijacking Attack against a Device-Assisted Physical Layer Key Agreement‘, IEEE Transactions on Industrial Informatics, vol. 16, no. 1, pp. 691-702. https://doi.org/10.1109/TII.2019.2923662

Coming Soon!

Carlton Shepherd, Konstantinos Markantonakis,

  “Trusted Execution Environments” 

Konstantinos Markantonakis, Keith Mayes

ISBN: 978-1-4614-7914-7 (Print) 978-1-4614-7915-4 (Online)

Please click for supplementary Information for the book  “Secure Smart Embedded Devices, Platforms and Applications” 

Keith E. Mayes, Konstantinos Markantonakis (eds.): “Smart Cards, Tokens, Security and Applications” ISBN: 978-0-387-72197-2 (Print) 978-0-387-72198-9 (Online) Publisher: Springer US, 2008 DOI: 10.1007/978-0-387-72198-9

Title: Smart Cards, Tokens, Security and Applications Second Edition: 2017 Editors Keith Mayes Konstantinos Markantonakis Publisher: Springer International Publishing Hardcover ISBN:978-3-319-50498-8 DOI: 10.1007/978-3-319-50500-8

Book Editor

Konstantinos MarkantonakisMarinella Petrocchi, Security and Trust Management: 16th International Workshop, STM 2020, co-located with the 25th European Symposium on Research in Computer Security, ESORICS 2020. Guildford, UK, September 17–18, 2020, Lecture Notes and Computer Science Proceedings, Pages: 148 pages, ISBN-10 : 3030598160

[EW4] Damien Sauveron, Konstantinos Markantonakis, Angelos Bilas, Jean-Jacques Quisquater, “Information Security Theory and Practices, Smart cards, Mobile and Ubiquitous Computing Systems, First IFIP TC6/WG 8.8/ WG 11.2, International Workshop in Information Security Theory and Practices (WISTP)”, Lecture Notes in Computer Science (LNCS), Vol 4462, Pages 255, ISBN: 978-3-540-72353-0

P. Samarati, M. Tunstall, J. Posegga, K. Markantonakis, D. Sauveron (Eds.). Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices. Fourth IFIP WG 11.2 International Workshop, WISTP 2010, Passau, Germany, April 12-14, 2010. Springer Lecture Notes in Computer Science Series, Vol. 6033, 2010, 386 p. ISBN: 978-3-642-12367-2.

J.A. Onieva, D. Sauveron, S. Chaumette, D. Gollmann, K. Markantonakis (Eds.). Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Second IFIP WG 11.2 International Workshop, WISTP 2008, Seville, Spain, May 13-16, 2008. Springer Lecture Notes in Computer Science Series, Vol. 5019, 2008, 151 p. ISBN: 978-3-540-79965-8.

D. Sauveron, K. Markantonakis, A. Bilas, A. J.-J. Quisquater (Eds.). Information Security Theory and Practices. Smart Cards, Mobile and Ubiquitous Computing Systems. First IFIP TC6 / WG 8.8 / WG 11.2 International Workshop, WISTP 2007, Heraklion, Crete, Greece, May 9-11, 2007. Springer Lecture Notes in Computer Science Series, Vol. 4462, 2007, 255p. ISBN: 978-3-540-72353-0.

S. Rho , D. Sauveron, K. Markantonakis (Eds.). Special Issue on Advanced Semantic and Social Multimedia Technologies for Future Computing Environment Multimedia Tools and Applications, vol 64, N°2, 2013. Springer.

Book Chapters

Smart Cards: Konstantinos Markantonakis, Keith Mayes, Damien Sauveron, and Michael Tunstall Chapter in H. Bidgoli, Ed., Handbook of Technology Management, vol. 2, Supply Chain Management, Marketing and Advertising, and Global Management, pp. 248–264, Wiley, 2010. [ Ordering Information ]

Smart Cards: Communication Protocols and Applications Konstantinos Markantonakis, Keith Mayes, Damien Sauveron, and Michael Tunstall Chapter in H. Bidgoli, Ed., Handbook of Computer Networks, vol. 3, pp. 251–268, Wiley, 2007. [ Ordering Information ]

Smart Card Security: Konstantinos Markantonakis, Keith Mayes, Michael Tunstall, Damien Sauveron, and Fred Piper Chapter in N. Nedjah, A. Abraham, and L. M. Mourelle, Eds., Computational Intelligence in Information Assurance and Security,  vol. 57 of Studies in Computational Intelligence, pp. 201–233, Springer-Verlag, 2007. [ Springerlink ]

8a. Invited keynote to a major international conference


  • 2019, Edinburgh, Keynote talk, Big Data in Cyber Security, “From Big Computers and Small Data to Small Computers and Big Data”, June 2019
  • 2018, Dubai, Keynote Talk, IEEE International Conference on Signal Processing and Information Security 2018, “Secure Application Execution on IoT Devices – Lessons Learned”
  • 2017, Bucharest, Romania, “Ambient Sensing Based Relay Attack Detection in Smartphone Contactless Transactions”, International Conference on Security for Information Technology and Communications (SECITC) 2017.
  • 2015, Bucharest, Romania, Keynote Talk, 8th International Conference on Security for Information Technology and Communications, SECITC 2015, “Secure and Trusted Application Execution on Embedded Devices”
  • 2012, Nijmegen, The Netherlands, Keynote Talk, The 8th Workshop on RFID Security and Privacy, “Interplay of Business Objectives and Academic Research – Holders of NFC Mobile Service Destiny”
  • 2012, London, UK, Keynote Talk, The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012) , Smart cards, Secure Elements and NFC Security – The Status Quo”
  • 2012, Hangzhou, China, Keynote Talk, 8th International Conference on Information Security Practice and Experience (ISPEC 2012), “Are smart cards the weakest link? Is `practical information security research’ still significant?”

  8b. An invited symposium/workshop/summer school presentation

  • 2018, Abu Dhabi, Keynote Talk, UAE Cyber-Security Symposium 2018, “Secure and Trusted Application Execution”, Khalifa University.
  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Mytilene, Greece, July 2018
  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Corfu, Greece, July 2017
  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Leuven, Belgium, July 2016
  • “Cyber Physical System Security”, Intensive Programme on Information and Communications Security (IPICS), Mytelene, Greece, July 2015
  • “Secure Application Execution on Cyber Physical Devices”, Summer School on “Design and security of cryptographic algorithms and devices for real-world applications”, Šibenik – Croatia 01 June – 06 June 2014
  • “Embedded System Security Lesson Learned”, Intensive Programme on Information and Communications Security (IPICS), Mytelene, Greece, July 2014
  • “Smart Cards: State-of-the-Art to Future Directions”, Invited Paper, IEEE International Symposium on Signal Processing and Information Technology, December 12-15, 2013 – Athens, Greece.
  • “Cyber Physical Systems”, Intensive Programme on Information and Communications Security (IPICS), Samos, Greece, August 2013.
  • “Smart card Security”, ICareNet 2013, 3rd of December 2012, Network of Excellence – Winter School, Imperial College, London.
  • “Embedded System Security”, Intensive Programme on Information and Communications Security (IPICS), Vienna, Austria, August 2012
  • “Embedded System Security”, Intensive Programme on Information and Communications Security (IPICS), Corfu, Greece, August 2011
  • “Hardware Token Security”, Intensive Programme on Information and Communications Security (IPICS), Samos, Greece, August 2010
  • “Smart card Security”, Intensive Programme on Information and Communications Security (IPICS), Vienna, Austria, August 2009

8c. An invited presentation to another academic department (UK or international)

  • 2019, Khalifa University (UAE), “Embedded system security, bridging theory and practice. The Smart Card and IoT Security Centre (SCC) perspective.”, October 2019
  • 2018, Abu Dhabi, Invited Talk, Department of Electrical Engineering, “Secure and Trusted Application Execution on Embedded Devices”, Khalifa University.
  • Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 18 January,   2017
  • Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 1st December   2015
  • Embedded Devices, Platforms and Applications”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 13th January  2015
  • Embedded Systems Security”, Invited Day Course, KTH, Stockholm, Sweden, April 2015.
  • Multi-Application Smart card Operating Systems”, Invited Lecture in the BSc Programme in Computer Science, University of Bordeux and University or Limoges, February and March 2015
  • Embedded System Security”, Khalifa University, April 2014.
  • Multi-application Smart Embedded Devices”, Invited Lecture in the MSc Programme in Digital Systems Security, University of Piraeus, Greece, 13th November 2013
  • University of Athens, MSc in Computer Science, Invited talk on “Embedded System Security”, April 2013.
  • “Smart card Security Theory and Practice”, PRActical aspeCts on SEcurity (PRACSE 09), organised by the Athens Institute of Technology (AIT), June 2009.
  • From Smart card to Smart card system security”, PRActical aspeCts on SEcurity (PRACSE’08), organised by the Athens Institute of Technology (AIT), May 2008.
  • Smart card Security”, Institute of Computer Science (ICS) Foundation for Research and Technology – Hellas (FORTH), Heraklion, Greece, February 2008.

Areas of Expertise

I initially got involved in Information Security consulting projects while pursuing my PhD in Information Security at Royal Holloway. Since then, I have worked on a number of Information Security and Smart Card related projects with numerous high profile clients, and I continue to provide consultancy for a variety of Information Security and Smart Card related areas:

  • Smart Card physical security analysis

  • Multi-application Smart Card migration program planning

  • Project management for financial institutions and transport operators

  • Business case development for chip migration programs

  • Smart Card application (Java card, SIM card, Multos) security review, design and development

  • Smart Card security evaluations (Common Criteria), Security Target and Protection Profile Development

  • Risk analysis on Smart Card technology, protocols and systems

  • Smart Card security protocol design and review

  • Security of mobile phone platforms and secure elements

  • Contactless Smart Card/RFID security and Mifare card technology

Selected Projects

  • I was a part of the team, along with colleagues from the Information Security Group’s Smart Card Centre, which performed a counter expertise analysis of a report into the Dutch OV-Chipkaart transport system in 2008. This was in response to some recently published attacks on Mifare Classic smart cards. For more information please follow these links: ISG_Dutch and SCC_Dutch. This was a high profile piece of work, reported extensively on the internet (see further details here).

  • Since then, our team got involved in further work relating to Mifare and chip migration issues, and planning for the Dutch transport system.

  • I was involved in preparing an evaluation paper for different options in which security controllers can exist in mobile devices. The document was also presented as an ETSI internal document and an early version can be found here.

  • I was also involved in the preparation and delivery of a smart card security training course for the Information Security department of a major financial institution.

  • Security analysis of public key cryptography in Smart card devices and tools with restricted processing resources.

  • Security analysis of a smart card system for the provision of wireless telecommunications services.