About
Thomas Sermpinis (a.k.a. Cr0wTom) is the Technical Director of Auxilium Pentest Labs and founder of Cr0w’s Place. He has decades of experience in the cyber security industry, especially in the automotive sector and security research, and experience in various types of security testing in vehicles, embedded devices, and low-level software.
He holds OSCP and OSCE certifications and has responsibly disclosed several zero-day vulnerabilities and web vulnerabilities to prominent companies like Google, Qualcomm, Nissan, AT&T, IBM, Acronis, and Xiaomi. Additionally, he dedicates a significant portion of his time to independent research, and has delivered talks at numerous highly regarded conferences such as DEF CON, Zer0Con, TROOPERS and others.
In his role as the Technical Director of Auxilium Pentest Labs, he applies his extensive knowledge and experience in the Automotive Cyber Security industry to contribute towards making the world and its streets safer, in collaboration with his team of over 20 researchers. Having conducted over 200 security projects at some of the leading OEMs and Tier 1 suppliers over the years, including penetration testing, security research and architectural consulting, he has been part of securing some of the most commonly used vehicles in the industry, while also spearheading the research operations of the organization.
In the past, he has held various positions in security and blockchain, in both the research and private sectors. Finally, he is deeply involved in the cybersecurity and open-source communities, maintaining a strong social media presence with regular blog and YouTube posts.
Academic
- Master’s Degree in Informatics and Management - Aristotle University of Thessaloniki (AUTH)
- Bachelor’s Degree in Administration and Economics - University of Applied Sciences of Central Macedonia
Experience
- Technical Director - Auxilium Pentest Labs
- Automotive Penetration Testing Lead - Auxilium Cyber Security
- Senior Cyber Security Consultant - Auxilium Cyber Security
- Cyber Security Consultant - Auxilium Cyber Security
- Security Researcher / Founder - Cr0w’s Place
- Cyber Security Analyst - Auxilium Cyber Security
- Blockchain Engineer - Aristotle University of Thessaloniki (AUTH)
- Security Workshop Instructor - HAKIN9 MEDIA SP
- IT Assistant - Thessaloniki International Film Festival - TIFF
- Magazine Editor - Parabing Creations
Talks
- The hack, the crash and two smoking barrels. (And all the times I (almost) killed an engineer.) - DEFCON32 | EKOPARTY 2024
- V2GEvil: Ghost in the wires - DEFCON32 CHV | TROOPERS24 | ScapyCon 2024 | DeepSec 2024
- Need For Speed: The Fight for Ownership - TyphoonCon 2024
- Back to the Future: Old Vulnerabilities Becoming New Again - Zer0Con 2024
- Horror Stories from the Automotive Industry - Chaos Computer Camp 2023 | TROOPERS23 | DeepSec 2023
- UDS Fuzzing and the Path to Game Over - TROOPERS23
- Integration of Near Field Communication technology into Warehouse Management Systems - 12th Student Conference on Management Science and Technology
- Integration of Augmented Reality technology into Warehouse Management Systems - 12th Student Conference on Management Science and Technology
- Traceability Decentralization in Supply Chain Management Using Blockchain Technologies - 4th Olympus International Conference on Supply Chains
- Penetration Testing with Android Devices - Google DevFest 2014 Season of Thessaloniki
Publications
- DeTRACT: a decentralized, transparent, immutable and open PKI certificate framework - International Journal of Information Security (Springer)
- Traceability Decentralization in Supply Chain Management Using Blockchain Technologies - 4th Olympus International Conference on Supply Chains
CVEs
- [CVE-2024-6348] Predictable seed generation after ECU reset
- [CVE-2024-6347] Unauthorized access to ECU functionality
- [CVE-2021-29507] Improper Input Validation leads to buffer overflow in dlt-daemon
- [CVE-2020-26800] Stack based buffer overflow while parsing JSON file in Aleth C++ Ethereum client
- [CVE-2020-24807] File Type Restriction Bypass in Socket.io-file NPM module
- [CVE-2020-15779] Path Traversal in Socket.io-file NPM module
Skills
- OSCE - Offensive Security Certified Expert
- OSCP - Offensive Security Certified Professional
- Penetration Testing
- Security Analysis and Research
- Automotive Security
- Blockchain Security
- Programming and Scripting (Python, C, Solidity, Go, Bash)
- Blockchain Technologies (Ethereum, Hyperledger Fabric)
- Supply Chain Management