arxiv: 2512.15387 · v2 · submitted 2025-12-17 · 💻 cs.CR

Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers

Pith reviewed 2026-05-16 22:04 UTC · model grok-4.3

classification 💻 cs.CR
keywords airgap · embedded devices · RF sensitivity · parasitic reception · wireless infiltration · command and control · electromagnetic interference · microcontrollers

The pith

Malicious code turns ordinary microcontrollers into radio receivers by exploiting unintended RF sensitivity in their circuitry.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that air-gapped embedded devices can receive wireless commands even without any radio hardware. Malicious code leverages parasitic sensitivity in printed circuit board traces and analog-to-digital converters to detect radio signals from a distance. This creates an inbound wireless path for attackers to send instructions without line of sight or extra sensors. The work evaluates twelve commercial devices and finds all of them can recover signals in the 300-1000 MHz range at up to 100 kbps from tens of meters. It directly challenges the assumption that devices lacking radios have no way to accept external wireless input.

Core claim

Leveraging physical effects previously studied in the context of electromagnetic interference, we show that parasitic radio frequency sensitivity in printed circuit board traces and on-chip analog-to-digital converters turns commodity embedded devices into inadvertent radio receivers. Malicious code on an embedded device enables wireless infiltration of air-gapped systems, granting attackers command-and-control over compromised targets. Unlike prior infiltration techniques, our approach requires no dedicated sensors and works in non-line-of-sight scenarios. In our evaluation, an ordinary microcontroller evaluation board reliably recovers communication signals from tens of meters at data rate

What carries the argument

Parasitic RF sensitivity in PCB traces and on-chip ADCs, which converts external radio signals into detectable voltage changes without dedicated hardware.

If this is right

  • Air-gapped systems containing embedded devices become vulnerable to wireless command injection without physical access or line of sight.
  • Security models for isolated systems must now treat unintended reception as a first-class threat alongside emission-based data leaks.
  • Attackers can establish command-and-control channels on compromised targets using only commodity radio transmitters.
  • All evaluated devices in the 300-1000 MHz band exhibit usable reception capabilities without modification.
  • Data rates up to 100 kbps are achievable over tens of meters using existing device hardware alone.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defensive designs could add simple low-pass filters on ADC inputs or trace shielding to reduce this sensitivity.
  • The same parasitic effects might allow bidirectional communication if paired with existing emission techniques on the same device.
  • Similar sensitivities could appear in other non-radio components such as power regulators or sensor interfaces not tested here.
  • Attack range and reliability might improve with better modulation schemes or by targeting specific frequency bands identified in the device survey.

Load-bearing premise

The observed parasitic RF sensitivity remains reliable and strong enough for practical signal recovery in real-world non-line-of-sight conditions.

What would settle it

Failure to recover modulated signals from a standard transmitter at 50 meters distance using any of the twelve tested commercial devices in a typical indoor non-line-of-sight setup.

Figures

Figures reproduced from arXiv: 2512.15387 by Christof Paar, Daniel Davidovich, Paul Staat.

Figure 1: Attack scenario considered in this work. The …
Figure 2: (a) Classical frequency-tuned RF receiver. (b) Em…
Figure 3: Illustration of our experimental setup. Transmit Signal. Given that an RF sensitivity on a particular combination of a reception path and configuration exists, the incident RF waveform must match in terms of carrier frequency and signal power. We can denote the stimulus signal x(t) as follows: $x(t) = \sqrt{P_{Tx}}\, m(t) \cos(2\pi f_{Tx} t)$ (1), where $P_{Tx}$ is the transmit power, $m(t)$ is an amplitude modulation, and $f_{Tx}$ d…
Figure 4: Processing for RF sensitivity testing. First row: …
Figure 8: All tested devices. 8 recommended choices, varying the GPIO input mode and pull-up/down configurations. For the cryptocurrency wallets, we de-soldered the original MCUs and replaced them with identical, blank parts to obtain full firmware control over the hardware platform. Our goal in doing so was strictly to evaluate RF reception characteristics—not to target secure boot or similar protection mechanism…
Figure 6: Full sensitivity testing experiment results for the …
Figure 7: SNR over frequency on two reception paths for all …
Figure 9: SNR over estimated arrival signal power for three …
Figure 12: SNRs at a single frequency for two reception …
Figure 13: With and without common ground between trans…
Figure 14: Raw ADC recordings with USB connection (left) …
Figure 15: BER for a number of reception paths on the …
Figure 16: Illustration of receive signal waveform over …
Figure 17: Real-world bit transmission experiment towards the Nucleo-G474RE board at …
Figure 19: Custom PCB sensitivity testing peak SNR results …
Figure 20: Comparison of reception SNR over frequency …
Figure 21: Effect of the ADC oversampling ratio on recep…
Figure 22: SNR over frequency for two reception paths with …

Original abstract

Physical isolation from external networks - an airgap - aims to minimize exposure to remote attacks. Yet capable adversaries still achieve code execution on air-gapped systems, and prior work has shown that they can then wirelessly exfiltrate data via unintended emissions. In this work, we demonstrate the reverse direction: malicious code on an embedded device enables wireless infiltration of air-gapped systems, granting attackers command-and-control over compromised targets. Leveraging physical effects previously studied in the context of electromagnetic interference (EMI), we show that parasitic radio frequency (RF) sensitivity in printed circuit board (PCB) traces and on-chip analog-to-digital converters (ADCs) turns commodity embedded devices into inadvertent radio receivers. Unlike prior infiltration techniques, our approach requires no dedicated sensors (e.g., microphones, LEDs, or temperature sensors) and works in non-line-of-sight scenarios. In our evaluation, an ordinary microcontroller evaluation board reliably recovers communication signals from tens of meters at data rates of up to 100 kbps. Applying a systematic methodology to discover such device-intrinsic RF sensitivity, we evaluate twelve commercial embedded devices and two custom prototypes, finding that all exhibit reception capabilities in the 300-1000 MHz range. Our findings challenge the assumption that embedded devices without radios lack inbound radio paths and call for air-gap threat models that account for both emission-based leakage and unintended reception.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript claims that parasitic RF sensitivity in PCB traces and on-chip ADCs allows commodity embedded devices without dedicated radios to act as inadvertent receivers for 300-1000 MHz signals, enabling wireless command-and-control infiltration of air-gapped systems. The authors describe a systematic discovery methodology and report that all twelve evaluated commercial devices plus two prototypes successfully recover signals at up to 100 kbps from tens of meters in NLOS conditions, without requiring additional sensors or attacker-unavailable post-processing.

Significance. If the results hold, the work is significant for air-gap security research because it identifies a practical inbound radio path in radio-less MCUs that prior emission-focused threat models have overlooked. The evaluation across twelve devices and the emphasis on no dedicated hardware are strengths; the systematic methodology for discovering device-intrinsic sensitivities is also a useful contribution that could be extended to other hardware.

major comments (3)
  1. [Evaluation] Evaluation section: the claim of reliable recovery at 100 kbps on all twelve devices is load-bearing for the central thesis, yet no bit-error rates, packet error rates, or SNR measurements are reported, nor are error bars or exclusion criteria for the 'successful recovery' metric provided.
  2. [Methodology] Methodology and signal-processing description: the manuscript does not specify the ADC sampling configuration (rate, resolution, aliasing vs. direct sampling), the modulation scheme employed, or the exact demodulation algorithm applied to the sampled traces, all of which are required to substantiate that standard MCU ADCs can demodulate 300-1000 MHz signals at the stated rates.
  3. [Evaluation] Range and channel claims: the 'tens of meters' NLOS performance is central to the practical C&C argument, but the evaluation provides no details on transmit power, antenna gain, or how performance varies with multipath, firmware constraints, or device-specific clocking, leaving the weakest assumption unverified.
minor comments (2)
  1. [Abstract] Abstract: the frequency range '300-1000 MHz' is stated without indicating which sub-bands were actually tested on each device or whether performance is uniform across the band.
  2. [Introduction] Notation: the term 'parasitic radio frequency (RF) sensitivity' is used repeatedly without a concise definition or reference to the prior EMI literature that the authors say they leverage.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the detailed and constructive review. The comments correctly identify areas where additional quantitative details and methodological clarity will strengthen the paper. We have revised the manuscript to address each point and provide the requested measurements, configurations, and experimental parameters.

  1. Referee: [Evaluation] Evaluation section: the claim of reliable recovery at 100 kbps on all twelve devices is load-bearing for the central thesis, yet no bit-error rates, packet error rates, or SNR measurements are reported, nor are error bars or exclusion criteria for the 'successful recovery' metric provided.

    Authors: We agree that the absence of quantitative error metrics weakens the central claim. In the revised manuscript we have added a new table (Table 2) reporting measured BER and PER for every device at 100 kbps, together with SNR estimates obtained from the received trace amplitude. 'Successful recovery' is now formally defined as BER < 10^{-3} sustained over at least 10^5 bits; we also report the fraction of trials meeting this threshold and include error bars from five independent runs per device. Exclusion criteria (no detectable signal above the measured noise floor) are stated explicitly in Section 4.2. revision: yes

  2. Referee: [Methodology] Methodology and signal-processing description: the manuscript does not specify the ADC sampling configuration (rate, resolution, aliasing vs. direct sampling), the modulation scheme employed, or the exact demodulation algorithm applied to the sampled traces, all of which are required to substantiate that standard MCU ADCs can demodulate 300-1000 MHz signals at the stated rates.

    Authors: We have expanded Section 3.2 with the missing parameters: all devices were sampled at 2 MSPS with 12-bit resolution, deliberately exploiting aliasing to fold the 300-1000 MHz carriers into the first Nyquist zone. The modulation is binary FSK with 200 kHz deviation; the demodulator consists of a digital down-converter, 4th-order CIC filter, envelope detector, and simple threshold slicer. We now include both the exact C implementation used on the MCU and a reference MATLAB script that reproduces the same bit decisions from the raw ADC traces. revision: yes

  3. Referee: [Evaluation] Range and channel claims: the 'tens of meters' NLOS performance is central to the practical C&C argument, but the evaluation provides no details on transmit power, antenna gain, or how performance varies with multipath, firmware constraints, or device-specific clocking, leaving the weakest assumption unverified.

    Authors: We have added a dedicated experimental-setup subsection (4.1) that specifies transmit power (23 dBm conducted, 2 dBi antenna, 25 dBm EIRP), exact antenna models, and the NLOS geometry (two interior walls, 15-40 m). New figures plot BER versus distance for three representative devices, showing graceful degradation up to 45 m. We also report that firmware clock rates and peripheral configurations were varied across the twelve devices with negligible effect on reception, because the mechanism relies on parasitic coupling rather than intentional RF circuitry. revision: yes

Circularity Check

0 steps flagged

No circularity: experimental demonstration of parasitic RF reception

The paper is an empirical study that directly measures and demonstrates unintended RF reception in commodity MCUs and PCBs via parasitic sensitivity in traces and ADCs. It reports experimental results across 12 devices and 2 prototypes in the 300-1000 MHz range at up to 100 kbps from tens of meters, without any derivation chain, fitted parameters renamed as predictions, or load-bearing self-citations. Claims rest on physical testing rather than equations or prior fitted values that reduce to the inputs by construction. No self-definitional loops, ansatz smuggling, or renaming of known results appear in the provided text.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that parasitic RF sensitivity exists and is exploitable in standard PCB and ADC hardware; no free parameters are introduced and no new entities are postulated.

axioms (1)
  • domain assumption: Commodity embedded devices exhibit usable parasitic RF sensitivity in PCB traces and on-chip ADCs within the 300-1000 MHz range
    Invoked as the physical basis for turning devices into receivers; drawn from prior EMI literature but treated as given for the attack demonstration.

Reference graph

Works this paper leans on

70 extracted references · 70 canonical work pages · 1 internal anchor

  1. [1]

    Jumping the Air Gap: Modeling Cyber-Physical Attack Paths in the Internet-of-Things,

    I. Agadakos, C.-Y . Chen, M. Campanelli, P. Anantharaman, M. Hasan, B. Copos, T. Lepoint, M. Locasto, G. F. Ciocarlie, and U. Lindqvist, “Jumping the Air Gap: Modeling Cyber-Physical Attack Paths in the Internet-of-Things,” in Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy . Dallas Texas USA: ACM, Nov. 2017, pp. 37–48. [On...

  2. [2]

    B. R. Archambeault and J. Drewniak, PCB design for real-world EMI control. Springer Science & Business Media, 2013, vol. 696

  3. [3]

    PiccoloSDR – A Raspberry Pi Pico powered SDR working with GNU Radio,

    J.-L. Aufranc, “PiccoloSDR – A Raspberry Pi Pico powered SDR working with GNU Radio,” 2021, accessed: November 13,

  4. [4]

    Available: https://www.cnx-software.com/2021/03/ 11/picosdr-a-raspberry-pi-pico-powered-sdr-based-on-gnu-radio/

    [Online]. Available: https://www.cnx-software.com/2021/03/ 11/picosdr-a-raspberry-pi-pico-powered-sdr-based-on-gnu-radio/

  5. [5]

    Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security,

    G. Camurati and A. Francillon, “Noise-SDR: Arbitrary Modulation of Electromagnetic Noise from Unprivileged Software and Its Impact on Emission Security,” in 2022 IEEE Symposium on Security and Privacy (SP) . IEEE, 2022, pp. 1193–1210. [Online]. Available: https://ieeexplore.ieee.org/document/9833767

  6. [6]

    On Acoustic Covert Channels Between Air-Gapped Systems,

    B. Carrara and C. Adams, “On Acoustic Covert Channels Between Air-Gapped Systems,” in Foundations and Practice of Security , F. Cuppens, J. Garcia-Alfaro, N. Zincir Heywood, and P. W. L. Fong, Eds. Cham: Springer International Publishing, 2015, vol. 8930, pp. 3–16. [Online]. Available: https://link.springer.com/10. 1007/978-3-319-17040-4 1

  7. [7]

    Part 15 - radio frequency devices,

    Code of Federal Regulation, “Part 15 - radio frequency devices,” 2025, accessed: November 13, 2025. [Online]. Available: https: //www.ecfr.gov/current/title-47/chapter-1/subchapter-A/part-15

  8. [8]

    NIA – NATO Information Assurance,

    N. Communications and I. Agency, “NIA – NATO Information Assurance,” 2025, accessed: November 13, 2025. [Online]. Available: https://www.ia.nato.int/niapc/tempest/certification-scheme

  9. [9]

    BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection,

    A. Cui and R. Housley, “BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection,” in 11th USENIX Workshop on Offensive Technologies (WOOT 17) . Vancouver, BC: USENIX Association, Aug. 2017. [Online]. Available: https://www.usenix.org/conference/ woot17/workshop-program/presentation/cui

  10. [10]

    Digital AM radio reception using digital LVDS inputs as 1-bit adcs,

    dawsonjon, “Digital AM radio reception using digital LVDS inputs as 1-bit adcs,” accessed: November 13, 2025. [Online]. Available: https://github.com/dawsonjon/FPGA-radio

  11. [11]

    Electromagnetic interference attacks on cyber- physical systems: Theory, demonstration, and defense,

    G. Y . Dayanikli, “Electromagnetic interference attacks on cyber- physical systems: Theory, demonstration, and defense,” Ph.D. dis- sertation, Virginia Tech, 2021

  12. [12]

    Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES,

    A. Dehbaoui, J.-M. Dutertre, B. Robisson, and A. Tria, “Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES,” in 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography . Leuven, Belgium: IEEE, Sep. 2012, pp. 7–15. [Online]. Available: https://ieeexplore.ieee.org/document/6305224/

  13. [13]

    ARM radio: a project for the ARM MCU design contest,

    A. Di Bene, “ARM radio: a project for the ARM MCU design contest,” 2025, accessed: November 13, 2025. [Online]. Available: https://www.i2phd.org/armradio/index.html

  14. [14]

    Pico SDR,

    J. Dvo ˇr´ak, “Pico SDR,” 2025, accessed: November 13, 2025. [Online]. Available: https://blog.porucha.net/2024/pico-sdr/

  15. [15]

    Electromagnetic interference and information security: characterization, exploitation and forensic analysis,

    J. L. Esteves, “Electromagnetic interference and information security: characterization, exploitation and forensic analysis,” Ph.D. dissertation, HESAM Universit ´e, 2023. [Online]. Available: https://theses.hal.science/tel-04155509v2

  16. [16]

    Electromagnetic Compatibility (EMC) Directive,

    European Commission, “Electromagnetic Compatibility (EMC) Directive,” 2014, accessed: November 13, 2025. [Online]. Available: https://single-market-economy.ec.europa. eu/sectors/electrical-and-electronic-engineering-industries-eei/ electromagnetic-compatibility-emc-directive en

  17. [17]

    ARM radio for system workbench,

    A. Garlassi, “ARM radio for system workbench,” 2020, accessed: November 14, 2025. [Online]. Available: https://hackaday.io/project/ 171053-arm-radio-for-system-workbench

  18. [18]

    Characterization and modelling of EMI susceptibility in integrated circuits at high frequency,

    I. Gil and R. Fern ´andez-Garc´ıa, “Characterization and modelling of EMI susceptibility in integrated circuits at high frequency,” in International Symposium on Electromagnetic Compatibility – EMC Europe . IEEE, 2012, pp. 1–6. [Online]. Available: https://ieeexplore.ieee.org/document/6396869

  19. [19]

    Goldsmith, Wireless Communications

    A. Goldsmith, Wireless Communications. USA: Cambridge Univer- sity Press, 2005

  20. [20]

    Air-Gap Electromagnetic Covert Channel,

    M. Guri, “Air-Gap Electromagnetic Covert Channel,” IEEE Transactions on Dependable and Secure Computing , vol. 21, no. 4, pp. 2127–2144, Jul. 2024. [Online]. Available: https://ieeexplore.ieee.org/document/10197447/

  21. [21]

    aIR-Jumper: Covert air-gap exfiltra- tion/infiltration via security cameras & infrared (IR),

    M. Guri and D. Bykhovsky, “aIR-Jumper: Covert air-gap exfiltra- tion/infiltration via security cameras & infrared (IR),” Computers & Security, vol. 82, pp. 15–29, May 2019. [Online]. Available: https: //www.sciencedirect.com/science/article/pii/S0167404818307193

  22. [22]

    Bridgeware: The air-gap malware,

    M. Guri and Y . Elovici, “Bridgeware: the air-gap malware,” Communications of the ACM , vol. 61, no. 4, pp. 74–82, Mar. 2018. [Online]. Available: https://dl.acm.org/doi/10.1145/3177230

  23. [23]

    GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies,

    M. Guri, A. Kachlon, O. Hasson, G. Kedma, Y . Mirsky, and Y . Elovici, “GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies,” in 24th USENIX Security Symposium (USENIX Security 15) , 2015, pp. 849–864. [On- line]. Available: https://www.usenix.org/conference/usenixsecurity15/ technical-sessions/presentation/guri

  24. [24]

    AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies,

    M. Guri, G. Kedma, A. Kachlon, and Y . Elovici, “AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies,” in 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE). IEEE, 2014, pp. 58–67. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/6999418/

  25. [25]

    BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,

    M. Guri, M. Monitz, Y . Mirski, and Y . Elovici, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” in 2015 IEEE 28th Computer Security Foundations Symposium, Jul. 2015, pp. 276–289. [Online]. Available: https://ieeexplore.ieee.org/document/7243739

  26. [26]

    Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers

    M. Guri, Y . Solewicz, A. Daidakulov, and Y . Elovici, “Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers,” arXiv preprint arXiv:1606.05915 , 2016

  27. [27]

    MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication,

    M. Guri, Y . Solewicz, and Y . Elovici, “MOSQUITO: Covert Ultrasonic Transmissions Between Two Air-Gapped Computers Using Speaker-to-Speaker Communication,” in 2018 IEEE Conference on Dependable and Secure Computing (DSC) . Kaohsiung, Taiwan: IEEE, Dec. 2018. [Online]. Available: https://ieeexplore.ieee.org/ document/8625124/

  28. [28]

    Sensing-enabled channels for hard-to-detect command and control of mobile devices,

    R. Hasan, N. Saxena, T. Haleviz, S. Zawoad, and D. Rinehart, “Sensing-enabled channels for hard-to-detect command and control of mobile devices,” in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security , ser. ASIA CCS ’13. New York, NY , USA: Association for Computing Machinery, May 2013, pp. 469–480. [Online]. ...

  29. [29]

    Standards – EMC Society,

    IEEE EMC Society, “Standards – EMC Society,” 2025, accessed: November 13, 2025. [Online]. Available: https://www.emcs.org/ standards/

  30. [30]

    Paralyzing Drones via EMI Signal Injection on Sensory Communication Channels,

    J. Jang, M. Cho, J. Kim, D. Kim, and Y . Kim, “Paralyzing Drones via EMI Signal Injection on Sensory Communication Channels,” in Proceedings 2023 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2023. [Online]. Available: https://www.ndss-symposium.org/wp-content/ uploads/2023/02/ndss2023 f616 paper.pdf

  31. [31]

    GlitchHiker: Uncovering vulnerabilities of image signal transmission with IEMI,

    Q. Jiang, X. Ji, C. Yan, Z. Xie, H. Lou, and W. Xu, “GlitchHiker: Uncovering vulnerabilities of image signal transmission with IEMI,” in 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023 , J. A. Calandrino and C. Troncoso, Eds. USENIX Association, 2023, pp. 7249–7266. [Online]. Available: https://www.usenix.org/conf...

  32. [32]

    PowerRadio: Manipulate Sensor Measurement via Power GND Radiation,

    Y . Jiang, X. Ji, Y . Jiang, K. Wang, C. Xu, and W. Xu, “PowerRadio: Manipulate Sensor Measurement via Power GND Radiation,” in Proceedings 2025 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://www.ndss-symposium.org/wp-content/ uploads/2025-295-paper.pdf

  33. [33]

    IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones,

    C. Kasmi and J. Lopes Esteves, “IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones,” IEEE Transactions on Electromagnetic Compatibility , vol. 57, no. 6, pp. 1752–1755, Dec. 2015. [Online]. Available: http: //ieeexplore.ieee.org/document/7194754/

  34. [34]

    Air-gap Limitations and Bypass Techniques: “Command and Control

    C. Kasmi, J. Lopes Esteves, and P. Valembois, “Air-gap Limitations and Bypass Techniques: “Command and Control” using Smart Electromagnetic Interferences,” The Journal on Cybercrime and Digital Investigations, vol. 1, no. 1, pp. 13–19, Jan. 2016. [Online]. Available: https://cyberjournal.cecyf.fr/index.php/cybin/article/view/4

  35. [35]

    Electromagnetic interference,

    M. Kaur, S. Kakar, and D. Mandal, “Electromagnetic interference,” in 2011 3rd International Conference on Electronic Computer Technology, vol. 4. IEEE, 2011, pp. 1–5. [Online]. Available: https://ieeexplore.ieee.org/document/5941844

  36. [36]

    Signal Injection Attacks against CCD Image Sensors,

    S. K ¨ohler, R. Baker, and I. Martinovic, “Signal Injection Attacks against CCD Image Sensors,” in Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security . Nagasaki Japan: ACM, May 2022, pp. 294–308. [Online]. Available: https://dl.acm.org/doi/10.1145/3488932.3497771

  37. [37]

    Soft tempest: Hidden data transmis- sion using electromagnetic emanations,

    M. G. Kuhn and R. J. Anderson, “Soft tempest: Hidden data transmis- sion using electromagnetic emanations,” Springer, Tech. Rep., 1998

  38. [38]

    LaserShark: Establishing Fast, Bidirectional Communication into Air-Gapped Systems,

    N. K ¨uhnapfel, S. Preußler, M. Noppel, T. Schneider, K. Rieck, and C. Wressnegger, “LaserShark: Establishing Fast, Bidirectional Communication into Air-Gapped Systems,” in Proceedings of the 37th Annual Computer Security Applications Conference , ser. ACSAC ’21. New York, NY , USA: Association for Computing Machinery, Dec. 2021, pp. 796–811. [Online]. Av...

  39. [39]

    Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors,

    D. F. Kune, J. Backes, S. S. Clark, D. Kramer, M. Reynolds, K. Fu, Yongdae Kim, and Wenyuan Xu, “Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors,” in 2013 IEEE Symposium on Security and Privacy . Berkeley, CA: IEEE, May 2013, pp. 145–159. [Online]. Available: http://ieeexplore.ieee. org/document/6547107/

  40. [40]

    The real story of stuxnet,

    D. Kushner, “The real story of stuxnet,” IEEE Spectrum , vol. 50, no. 3, pp. 48–53, Mar. 2013. [Online]. Available: http://ieeexplore.ieee.org/document/6471059/

  41. [41]

    Susceptibility of Sensors to IEMI Attacks,

    L. C. Lavau, M. Suhrke, and P. Knott, “Susceptibility of Sensors to IEMI Attacks,” in 2021 IEEE International Joint EMC/SI/PI and EMC Europe Symposium , Jul. 2021, pp. 533–537. [Online]. Available: https://ieeexplore.ieee.org/document/9559197

  42. [42]

    Impact of IEMI pulses on a barometric sensor,

    ——, “Impact of IEMI pulses on a barometric sensor,” in 2022 International Symposium on Electromagnetic Compatibility – EMC Europe , Sep. 2022, pp. 290–294. [Online]. Available: https://ieeexplore.ieee.org/document/9900930

  43. [43]

    Securing Temperature Measurements: An Assessment of Sensors’ Vulnerability to IEMI,

    ——, “Securing Temperature Measurements: An Assessment of Sensors’ Vulnerability to IEMI,” in 2023 International Symposium on Electromagnetic Compatibility – EMC Europe, Sep. 2023, pp. 1–6. [Online]. Available: https://ieeexplore.ieee.org/document/10274337

  44. [44]

    SpiralSpy: Exploring a Stealthy and Practical Covert Channel to Attack Air-gapped Computing Devices via mmWave Sensing,

    Z. Li, B. Chen, X. Chen, H. Li, C. Xu, F. Lin, C. X. Lu, K. Ren, and W. Xu, “SpiralSpy: Exploring a Stealthy and Practical Covert Channel to Attack Air-gapped Computing Devices via mmWave Sensing,” in Proc. NDSS , 2022, pp. 1–16. [Online]. Available: https://www.research.ed.ac.uk/files/284657742/SpiralSpy LI DOA04112021 VOR.pdf

  45. [45]

    An Introduction to Intentional Electromagnetic Interference Exploitation,

    J. Lopes Esteves, “An Introduction to Intentional Electromagnetic Interference Exploitation,” in Embedded Cryptography 3. John Wiley & Sons, Ltd, 2025, pp. 257–278. [Online]. Available: https://doi.org/10.1002/9781394351930.ch13

  46. [46]

    Electromagnetic Interference (EMI): Measurement and Reduction Techniques

    P. Mathur and S. Raman, “Electromagnetic Interference (EMI): Measurement and Reduction Techniques.” Journal of Electronic Materials, vol. 49, no. 5, 2020. [Online]. Available: https://doi.org/10.1007/s11664-020-07979-1

  47. [47]

    The IEMI Effect: On the Efficacy of PCB-Level Countermeasures in Adversarial Environments,

    A. Z. Mohammed, L. Jenkins, R. Hatch, G. Y. Dayanıklı, C. Simpson, R. Gerdes, and H. Wang, “The IEMI Effect: On the Efficacy of PCB-Level Countermeasures in Adversarial Environments,” in 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P). Vienna, Austria: IEEE, Jul. 2024, pp. 361–380. [Online]. Available: https://ieeexplore.ieee.org/docu...

  48. [48]

    A bluetooth low energy radio using FPGA SERDES

    B. Newhouse, “A bluetooth low energy radio using FPGA SERDES.” [Online]. Available: https://github.com/newhouseb/onebitbt

  49. [49]

    Intended electromagnetic interference with motion detectors,

    A. Pahl, K.-U. Rathjen, and S. Dickmann, “Intended electromagnetic interference with motion detectors,” in 2021 IEEE international joint EMC/SI/PI and EMC europe symposium. IEEE, 2021, pp. 324–328. [Online]. Available: https://ieeexplore.ieee.org/document/9559187

  50. [50]

    J. G. Proakis and M. Salehi, Digital Communications, 5th ed. Boston, Mass.: McGraw-Hill, 2008, bibliography pp. 1109-1141

  51. [51]

    Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations,

    E. Puschner, T. Moos, S. Becker, C. Kison, A. Moradi, and C. Paar, “Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations,” in 2023 IEEE Symposium on Security and Privacy (SP). San Francisco, CA, USA: IEEE, May 2023, pp. 56–74. [Online]. Available: https://ieeexplore.ieee.org/document/10179341/

  52. [52]

    The electromagnetic compatibility of integrated circuits – past, present, and future,

    M. Ramdani, E. Sicard, A. Boyer, S. B. Dhia, J. J. Whalen, T. H. Hubing, M. Coenen, and O. Wada, “The electromagnetic compatibility of integrated circuits – past, present, and future,” IEEE Transactions on Electromagnetic Compatibility, vol. 51, no. 1, pp. 78–100, 2009

  53. [53]

    Power electronics and electromagnetic compatibility,

    R. Redl, “Power electronics and electromagnetic compatibility,” in PESC Record. 27th Annual IEEE Power Electronics Specialists Conference, vol. 1. IEEE, 1996, pp. 15–21

  54. [54]

    GhostShot: Manipulating the Image of CCD Cameras with Electromagnetic Interference,

    Y. Ren, Q. Jiang, C. Yan, X. Ji, and W. Xu, “GhostShot: Manipulating the Image of CCD Cameras with Electromagnetic Interference,” in Proceedings 2025 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2025-2065-paper.pdf

  55. [55]

    EMI susceptibility issue in analog front-end for sensor applications,

    A. Richelli, “EMI susceptibility issue in analog front-end for sensor applications,” Journal of Sensors, vol. 2016, 2016

  56. [56]

    The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,

    J. Robertson and M. Riley, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” bloomberg.com, Oct. 2018, accessed: November 13, 2025. [Online]. Available: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

  57. [57]

    wallet.fail: Hacking the most popular cryptocurrency hardware wallets,

    T. Roth, D. Nedospasov, and J. Datko, “wallet.fail: Hacking the most popular cryptocurrency hardware wallets,” Talk presented at the 35th Chaos Communication Congress (35C3), 2018, accessed: November 13, 2025. [Online]. Available: https://media.ccc.de/v/35c3-9563-wallet_fail

  58. [58]

    Electromagnetic induction attacks against embedded systems,

    J. Selvaraj, G. Y. Dayanıklı, N. P. Gaunkar, D. Ware, R. M. Gerdes, and M. Mina, “Electromagnetic induction attacks against embedded systems,” in Proceedings of the 2018 on Asia Conference on Computer and Communications, 2018, pp. 499–510. [Online]. Available: https://dl.acm.org/doi/abs/10.1145/3196494.3196556

  59. [59]

    When LoRa meets EMR: Electromagnetic covert channels can be super resilient,

    C. Shen, T. Liu, J. Huang, and R. Tan, “When LoRa meets EMR: Electromagnetic covert channels can be super resilient,” in 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 2021, pp. 1304–1317. [Online]. Available: https://ieeexplore.ieee.org/document/9519447

  60. [60]

    Non-invasive spoofing attacks for anti-lock braking systems,

    Y. Shoukry, P. Martin, P. Tabuada, and M. Srivastava, “Non-invasive spoofing attacks for anti-lock braking systems,” in Cryptographic Hardware and Embedded Systems - CHES 2013: 15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013. Proceedings 15. Springer, 2013, pp. 55–72. [Online]. Available: https://link.springer.com/chapter/10.1007...

  61. [61]

    Examining the characteristics and implications of sensor side channels,

    V. Subramanian, S. Uluagac, H. Cam, and R. Beyah, “Examining the characteristics and implications of sensor side channels,” in 2013 IEEE International Conference on Communications (ICC), Jun. 2013, pp. 2205–2210. [Online]. Available: https://ieeexplore.ieee.org/document/6654855

  62. [62]

    Trick or heat? Manipulating critical temperature-based control systems using rectification attacks,

    Y. Tu, S. Rampazzi, B. Hao, A. Rodriguez, K. Fu, and X. Hei, “Trick or heat? Manipulating critical temperature-based control systems using rectification attacks,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 2301–2315

  63. [63]

    GhostTouch: Targeted attacks on touchscreens without physical touch,

    K. Wang, R. Mitev, C. Yan, X. Ji, A.-R. Sadeghi, and W. Xu, “GhostTouch: Targeted attacks on touchscreens without physical touch,” in 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1543–1559. [Online]. Available: https://www.usenix.org/conference/usenixsecurity22/presentation/wang-kai

  64. [64]

    Glitched on earth by humans: A black-box security evaluation of the spacex starlink user terminal,

    L. Wouters, “Glitched on earth by humans: A black-box security evaluation of the spacex starlink user terminal,” Talk presented at Black Hat USA 2022, 2022, accessed: November 13, 2025. [Online]. Available: https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf

  65. [65]

    DiskSpy: Exploring a Long-Range Covert-Channel Attack via mmWave Sensing of µm-level HDD Vibrations,

    W. Xu, D. Wen, J. Liu, Z. Lin, Y. Zheng, X. Xu, and J. Han, “DiskSpy: Exploring a Long-Range Covert-Channel Attack via mmWave Sensing of µm-level HDD Vibrations,” in Proceedings of the 34th USENIX Conference on Security Symposium. USA: USENIX Association, 2025. [Online]. Available: https://www.usenix.org/conference/usenixsecurity25/presentation/xu-weiye

  66. [66]

    Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle,

    C. Yan, W. Xu, and J. Liu, “Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle,” Def Con, vol. 24, no. 8, p. 109, 2016

  67. [67]

    LightAntenna: Characterizing the Limits of Fluorescent Lamp-Induced Electromagnetic Interference,

    F. Yang, W. Cui, X. Li, C. Yan, X. Ji, and W. Xu, “LightAntenna: Characterizing the Limits of Fluorescent Lamp-Induced Electromagnetic Interference,” in Proceedings 2025 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2025-2334-paper.pdf

  68. [68]

    ReThink: Reveal the Threat of Electromagnetic Interference on Power Inverters,

    F. Yang, Z. Dan, K. Pan, C. Yan, X. Ji, and W. Xu, “ReThink: Reveal the Threat of Electromagnetic Interference on Power Inverters,” in Proceedings 2025 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2025-691-paper.pdf

  69. [69]

    BitJabber: The World’s Fastest Electromagnetic Covert Channel,

    Z. Zhan, Z. Zhang, and X. Koutsoukos, “BitJabber: The World’s Fastest Electromagnetic Covert Channel,” in 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). San Jose, CA, USA: IEEE, Dec. 2020, pp. 35–45. [Online]. Available: https://ieeexplore.ieee.org/document/9300268/

  70. [70]

    Electromagnetic Signal Injection Attacks on Differential Signaling,

    Y. Zhang and K. Rasmussen, “Electromagnetic Signal Injection Attacks on Differential Signaling,” in Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, ser. ASIA CCS ’23. New York, NY, USA: Association for Computing Machinery, Jul. 2023, pp. 314–325. [Online]. Available: https://dl.acm.org/doi/10.1145/3579856.3590326 Ap...