Marc-andre Labonte

Penetration tester

Back to the list of Speakers and Sessions

Marc-andre Labonte Penetration tester, Desjardins

Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate ever powerful high throughput genome sequencers coming to market.

Then, he joined the ETTIC team at Desjardins in 2016 as infrastructure penetration tester. Currently doing research and testing on IOT devices, he also presented "Leveraging UART, SPI and JTAG for firmware extraction" workshop at NSEC in 2019. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data hungry organizations.


Discussion: Hardware

This is a Q&A session.


Q&A and discussion for the hardware block, hosted and moderated by Geneviève Lajeunesse. Questions will be gathered from the audience during the four prior talks.

Workshop: Automated contact tracing experiment on ESP Vroom32

Workshops are first-come first-serve and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.


This workshop aim to teach practical knowledge of automated contact tracing protocols by implementing the Apple-Google one for Covid19 on a ESP Vroom 32 MCU. A Bluefruit LE sniffer will also be used to observe advertisements sent by devices using the Apple-Google exposure notification protocol. See MCUTrace on GitHub: https://github.com/Marc-andreLabonte/MCUTrace

Workshop should go as follows:

Part 1: Quick review on the Apple-Google exposure notification protocol, split into 3 main parts

1- Broadcast of rolling proximity identifiers over Bluetooth LE and scanning for such identifiers transmitted by nearby devices.

2- Transmission of temporary exposure keys, from which rolling proximity indentifiers are generated, to public health authorities upon diagnosis.

3- Key matching protocol occurring on device to determine if the owner was in close proximity to another user who then tested positive, triggering the notification.

Part 2: Setting up and test the Bluefruit LE sniffer

Part 3: Walk-through of the Bluetooth portion of the protocol code that is to be compiled and flashed on the ESP Vroom 32. That covers the scanning code, the advertising code and critical data structures involved.

Part 4: Build, compile and flash the ESP Vroom32. Run the Bluefruit sniffer to see rolling proximity identifiers being transmitted. Play with timeouts to see identifiers being rotated.

Part 5: Conclusion

Participants should prepare by:

Clone the repository on GitHub https://github.com/Marc-andreLabonte/MCUTrace

Review of the Google and Apple Documents, procure ESP Vroom 32 and Bluefruit LE sniffer, setup the ESP IDF tool chain.

Setting up the ESP IDF tool chain: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/

Google and Apple Documents:

Participants must have the following equipment:
  • Bluefruit bluetooth sniffer, e.g. this one from Mouser -The Android application "Beacon Scope" would work for those who don't have the sniffer.
  • ESP Vroom 32 development board, e.g. this one from Amazon

  • The NSEC 2021 badge is also using the ESP32 and works for the workshop