Join us as we sit down with Dr. Willy R. Vasquez, a dedicated Security Vulnerability Researcher from the University of Texas, to discuss cybersecurity, vulnerability research, and zero trust. Willy shares his work uncovering vulnerabilities in video codec pipelines, a crucial, ongoing threat to modern digital security. Get his insight on the Jeff Bezos WhatsApp hack and hear about his journey in uncovering a CVE.
There’s an example of Jeff Bezos getting hacked through WhatsApp. This happened a few years ago. He allegedly received an MP4 file from the Crown Prince of Saudi Arabia, and through that file, attackers were able to gain access to his phone. This is not a theoretical threat—this is something that has already happened in the real world.
Welcome to today’s episode of John Has Trust Issues. Today I’m honored to have Willy Vasquez as my guest. Willy is a security researcher at the University of Texas, and I’m excited to talk with him about security research, how it connects to the broader world of security, and how it impacts the industry, especially in the context of zero trust.
As always, we start with a trust issue. Willy shared that his comes from his cat. He has a young cat that will lie on its back, looking inviting, as if asking for a belly rub. But the moment he goes in to pet it, the cat grabs him. That’s where his trust issues come from. We joked about how cats often behave this way—friendly one moment, aggressive the next—especially when attention stops.
We then moved into Willy’s work as a security researcher. As part of his PhD research, he focuses on finding vulnerabilities before attackers do and building tools to detect and defend against them. His specific area of focus is video codec security. Every video we watch is compressed and then decoded by software or hardware, often using GPUs. That decoding pipeline is complex and can contain vulnerabilities.
Willy explained that this matters because people constantly interact with video content—on websites, in ads, and through messaging apps. Even something as simple as receiving a video message can trigger automatic processing, like thumbnail generation, which uses the same decoding pipeline. If that pipeline has a vulnerability, a user could be compromised without ever opening the video.
He referenced the Jeff Bezos WhatsApp incident as a real-world example of how this can happen. With so many people sharing videos daily, including less technical users, the risk is widespread. When asked how individuals can protect themselves, Willy suggested disabling messages from unknown senders, using features like Apple’s Lockdown Mode, and turning off autoplay in browsers.
On the defensive side, Willy described his work with tools like RLBox, which enables software fault isolation. Modern applications often rely on third-party libraries for parsing content like images, fonts, and videos. With a zero trust mindset, these components shouldn’t be fully trusted. RLBox allows developers to sandbox these libraries so that if one is compromised, it cannot affect the rest of the system.
We connected this to zero trust principles. Willy described zero trust as an evolution of “trust but verify,” rooted in continuous verification. Drawing from his background in cryptography, he discussed concepts like zero-knowledge proofs, where you can validate something without revealing sensitive information. He sees cryptography playing a growing role in future zero trust systems.
He also described how zero trust applies to his work. For trusted video sources, systems can use fast decoding pipelines. For untrusted sources, decoding should happen in isolated environments. This approach minimizes risk while maintaining performance.
The conversation shifted to how security practitioners can apply research like his. Willy highlighted software supply chain security as a major concern, referencing incidents like the XZ backdoor. Developers should consider isolating third-party libraries to reduce risk. He also noted that network-based tools like antivirus systems can themselves become attack vectors if their parsing engines are vulnerable.
We then discussed his experience discovering vulnerabilities in Apple products. His process involves generating test videos using tools he built and running them across different devices to observe crashes or unexpected behavior. Since video decoding should produce consistent results, inconsistencies can indicate memory or information leaks.
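The comparison step described above, as an added sketch that is not code from Willy's tooling: it assumes each device's decoded frames have already been captured as raw byte buffers, and the decoder names and frame bytes are constructed sample data.

```python
import hashlib
from collections import Counter

# Constructed sample data: raw frame buffers as captured from five hypothetical
# decoders, each decoding the SAME test file twice. None marks a crash or hang.
GOOD = [b"\x10" * 16, b"\x20" * 16]
SAMPLE_RUNS = {
    "decoder_a": [GOOD, GOOD],
    "decoder_b": [GOOD, GOOD],
    "decoder_c": [[GOOD[0], b"\x20" * 8 + b"\xaa" * 8],
                  [GOOD[0], b"\x20" * 8 + b"\x55" * 8]],
    "decoder_d": [[GOOD[0], b"\x00" * 16]] * 2,
    "decoder_e": [GOOD, None],
}

def digests(frames):
    """Per-frame SHA-256 of one decode, or None if the decoder crashed."""
    if frames is None:
        return None
    return tuple(hashlib.sha256(f).hexdigest() for f in frames)

def triage(runs):
    """Map decoder name -> finding for every decoder that misbehaves."""
    findings, stable = {}, {}
    for name, repeats in runs.items():
        seen = [digests(r) for r in repeats]
        if None in seen:
            findings[name] = "crash"
        elif len(set(seen)) > 1:
            # Same decoder, same file, different pixels: the output depends on
            # something outside the input, such as uninitialized memory.
            findings[name] = "nondeterministic"
        else:
            stable[name] = seen[0]
    if stable:
        # Treat the output most decoders agree on as the reference.
        reference = Counter(stable.values()).most_common(1)[0][0]
        for name, got in stable.items():
            if len(got) != len(reference):
                findings[name] = "frame count differs"
            elif got != reference:
                bad = [i for i, (a, b) in enumerate(zip(got, reference)) if a != b]
                findings[name] = f"diverges at frames {bad}"
    return findings

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_RUNS).items():
        print(name, finding)
```

Repeating each decode separates a decoder that is consistently different from its peers from one whose output changes between runs on identical input, which is the pattern most suggestive of leaked memory.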
Once he identifies a vulnerability, he documents it and submits it through vendor reporting systems. These reports can take months to process. Eventually, validated issues are patched and may receive CVE identifiers.
When asked about media attention, Willy shared that he was surprised and flattered when his work was picked up by journalists. He coordinated with co-authors before responding. While some questioned the impact of vulnerabilities in tools like iTunes on Windows, he emphasized that even niche software can matter in enterprise environments, especially on systems with privileged access.
We also explored his path into security research. He started by hacking video games in middle school, which led him to programming and eventually deeper security concepts. He worked through online challenges, pursued research opportunities, and continued into advanced academic work. While a PhD isn’t required, it allowed him to deeply specialize.
For those interested in entering the field, he recommended studying real vulnerabilities, participating in capture-the-flag challenges, reading technical writeups, and engaging with online communities. There are many resources available, but success requires curiosity and initiative.
Looking ahead, Willy is finishing his PhD and seeking opportunities in security research. Long term, he hopes to continue working in research and potentially become a DARPA program manager, helping fund and guide innovative cybersecurity projects.
As we wrapped up, we returned to a core zero trust idea: if you cannot trust the device processing potentially vulnerable content, you cannot trust the access that follows. Protecting endpoints is essential to securing infrastructure.
This episode was sponsored by StrongDM, the continuous zero trust authorization platform.
Again, Willy, thank you very much for joining us, and everybody have a great day. Thank you.