List of thesis topics (updated on 18.09.2025)

In addition to the topics listed below, students are encouraged to propose their own topic ideas.

AI-based grading of homework assignments

Design and implement an AI-powered semi-automated system to grade and provide feedback on assignments for the Applied Cryptography and Web Security courses.

Tags: AI, LLM, automation

Students enrolled in the Applied Cryptography and Web Security courses are required to submit weekly homework through Moodle. The nature of these assignments varies depending on the course:

  • Applied Cryptography: Tasks involve Python programming.
  • Web Security: Assignments may include free-form written answers, webpages demonstrating proof-of-concept attacks, and screenshots illustrating key observations or results.

For the Applied Cryptography course, the correctness of Python solutions can be automatically checked using a test script. Beyond simple functionality, the AI grading system should be capable of analyzing the submitted code and offering feedback when implementations are less than optimal. We have compiled a list of common recommendations and feedback, which can be used to guide the AI's responses.

Your task is to identify and select the best AI tool (using online API or offline LLM) for grading these submissions. Using this tool, design a framework of templates and instructions that enable the AI to assess assignments effectively. You will then validate your solution by benchmarking it against manual grading done on submissions from the previous semesters.

Additionally, your solution should include a mechanism to detect plagiarism and flag submissions that lack originality.

Students involved in this project may receive financial compensation for their contributions.



Using a mobile device as an NFC card reader for a desktop computer

Implement a solution that allows a smartphone to function as a contactless smart card reader for a desktop computer (NFC phone 2 PC).

Tags: NFC, smart card, mobile app, relay service

Most modern smartphones (both Android and iOS) include built-in NFC (Near Field Communication) capabilities. However, using NFC with a desktop computer requires a dedicated and often expensive external USB NFC card reader.

The project aims to eliminate the need for such hardware by enabling a desktop computer to use a mobile device's NFC functionality as if a physical NFC reader were connected. To achieve this, a communication channel must be established between the desktop and the mobile device, effectively emulating a virtual smart card reader on the desktop.

A basic prototype of this solution has already been developed. It includes:

  • An Android app that runs on an NFC-capable smartphone.
  • A virtual smart card device driver called "vpcd", which runs on the desktop computer.
  • The vpcd service listens on localhost:35963 for incoming connections from the mobile app.

The prototype suffers from key architectural limitations:

  • Both devices must be on the same local network.
  • Communication between the devices is unencrypted.

The main goal is to redesign the system architecture to support secure, end-to-end encrypted communication over the Internet, using a mediation (relay) service.

Tasks:

  • Develop a lightweight mediation (relay) service, hosted on a server with a publicly accessible IP address. This service will securely relay encrypted messages between the desktop and mobile devices.
  • Implement a desktop wrapper service to interface between the "vpcd" service and the mediation service. Alternatively, integrate this functionality directly into the "vpcd" service.
  • Extend the Android app to support communication via the mediation service.
  • Develop an iOS app that replicates the functionality of the Android app.
  • Write basic documentation, including an overview of the solution's architecture and a description of the secure communication protocol (e.g., AES-GCM encryption).

The source code of the current prototype is available, and the final solution should also be open source.

Links:
https://frankmorgner.github.io/vsmartcard/remote-reader/README.html
https://f-droid.org/packages/com.vsmartcard.remotesmartcardreader.app/
https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html
https://github.com/frankmorgner/vsmartcard



Digital signature validation vulnerability CVE-2025-??? in Estonian ID-Software

Reverse engineering and analysis of a recently fixed vulnerability in Estonian ID-Software v25.8.

Tags: digital signature validation, software vulnerability

On August 20, 2025, the Information System Authority (RIA) released version 25.8 of the Estonian ID-software. According to the release notes, the update includes improvements to the validation of digital signatures.

However, no further technical details were provided about the nature of the issue or the vulnerability that was addressed.

The goal of this task is to identify and analyze the vulnerability that was silently fixed in version 25.8, using available source code changes and related artifacts.

Student tasks:

  • Review and compare the source code of ID-software version 25.8 with the previous version to identify changes related to digital signature validation.
  • Reverse engineer the fixed vulnerability based on these changes.
  • Analyze the root cause and potential impact of the vulnerability in practical scenarios.
  • Implement a proof-of-concept attack that demonstrates how the vulnerability could have been exploited prior to the fix.
  • Optionally, document possible mitigations and recommendations to prevent similar issues in the future.

Links:
https://www.id.ee/en/article/ria-soovitab-kasutajatel-uuendada-id-tarkvara-eng/
https://www.id.ee/en/article/id-software-versions-info-release-notes/



Security of radio transmission used by smart water meters in Tartu

This project investigates the security of radio transmissions from Kamstrup MULTICAL 21 smart water meters in Tartu, focusing on encryption, transmitted data, and potential privacy risks.

Tags: Wireless M-Bus, IoT security, smart meter, radio protocols

The water utility company Tartu Veevärk AS provides customers in Tartu with smart water meters, specifically the Kamstrup MULTICAL 21 model. These meters are capable of transmitting daily water usage readings remotely using the Wireless M-Bus protocol. Allegedly, transmissions occur once per day during the night and are received by antennas installed on the building at Õpetaja 9, Tartu.

The aim of this research project is to analyze the security and privacy of the radio communication used by these smart water meters.

Project tasks:

  • Investigate the cryptographic mechanisms used in the transmission process. Identify the type of encryption (if any) used. Analyze key management and authentication mechanisms.
  • Determine the structure and content of the data transmitted over the radio channel.
  • Assess potential security and privacy risks, including unauthorized access to meter readings, the possibility of spoofing or manipulating transmitted data, and privacy concerns arising from the ability to infer user behavior.
  • If possible, develop a proof-of-concept system that demonstrates the ability to detect and identify buildings equipped with these meters, and the ability to intercept and decode meter readings transmitted in the vicinity.

For research purposes, a Kamstrup MULTICAL 21 water meter (including the necessary encryption keys) can be legally purchased from Ropka KVH, enabling hands-on analysis of the transmission protocol and cryptographic measures.

Links:
https://tartu.postimees.ee/7196620/miks-ei-ole-tartlaste-elamistes-kaugloetavaid-veearvesteid
https://optimatic.ee/en/products/remote-reading-water-meters/wired-system-m-bus/kamstrup/
https://documentation.kamstrup.com/docs/flowIQ_3100/en-GB/_Overview_/CONT3E7622E6A39642C3B4BD079980432D86/
https://ropka.ee/pood/?v=08a4415e9d59