
arxiv: 2603.04801 · v2 · submitted 2026-03-05 · 💻 cs.CR · cs.ET

ShieldBypass: On the Persistence of Impedance Leakage Beyond EM Shielding

Pith reviewed 2026-05-15 17:09 UTC · model grok-4.3

classification 💻 cs.CR cs.ET
keywords electromagnetic shielding · side-channel attacks · impedance leakage · RF backscattering · active probing · hardware security · FPGA · microcontroller

The pith

Electromagnetic shielding suppresses passive EM leaks but leaves active RF backscattering intact to reveal processor states.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests whether electromagnetic shielding, which reduces radiated emissions from devices, also blocks active attacks that inject external RF signals and measure the modulated reflections caused by the device's changing impedance. Experiments on FPGA and microcontroller hardware running different workloads under three standard shields show that passive EM measurements become unable to distinguish the workloads once shielding is applied, yet the backscattered signals continue to separate clearly at frequencies outside the shields' main attenuation range. A sympathetic reader would conclude that impedance variations tied to execution state can still leak information through active probing, so hardware security checks must expand beyond passive emission tests to include this form of interaction.

Core claim

By injecting controlled RF signals and analyzing the reflections, state-dependent impedance variations remain observable at frequencies outside the shields' primary attenuation band. Using processors implemented on FPGA and microcontroller prototypes, and evaluating workload profiles under three industry-standard shields, passive EM measurements lose discriminative power under shielding, while backscattering responses remain separable.

What carries the argument

Impedance-modulated backscattering, the mechanism by which injected RF signals are reflected differently according to the processor's instantaneous impedance state.

If this is right

  • Active RF probing can expose execution-dependent behavior even in shielded systems.
  • Passive EM side-channel attacks are mitigated by shielding, but backscattering attacks are not.
  • Hardware security evaluation flows must include active impedance-based probing tests.
  • Shielding alone is insufficient to eliminate all EM-related information leakage.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Secure hardware designs may require additional techniques such as impedance stabilization layers.
  • The same active probing principle could be tested on ASICs or other integrated circuits beyond the FPGA and microcontroller cases.
  • Countermeasures focused on damping reflections at non-attenuated frequencies could be developed and evaluated.

Load-bearing premise

The measured differences in backscattering arise specifically from the processor's state-dependent impedance changes and not from setup artifacts, shield variations, or external conditions.

What would settle it

Re-running the exact workload trials with the same shields but altered probe placement or cable lengths that eliminate any separable backscattering patterns would falsify the claim.
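
One way an evaluator could test the load-bearing premise above, given here as an added example that is not from the paper or from Pith: a permutation test that shuffles workload labels only within each measurement session, so that a per-setup offset (probe placement, cable length, shield mounting) cannot pass for a workload leak. The feature values, session names, and function names are constructed for illustration, and the permutation test is this example's choice of statistic, not a method the paper reports.

```python
"""Added example: does workload separability survive a per-session control?

Each row is (session, workload, feature). A "session" is one physical setup
(probe placement, cable, shield mounting); "feature" is one scalar per capture
in arbitrary units. All data below is constructed, not taken from the paper.
"""
import random
from statistics import mean


def pooled_gap(rows):
    """|mean(B) - mean(A)| over all rows, ignoring which session they came from."""
    a = [v for _, w, v in rows if w == "A"]
    b = [v for _, w, v in rows if w == "B"]
    return abs(mean(b) - mean(a))


def stratified_gap(rows):
    """Workload gap inside each session, averaged, so a per-session offset cancels."""
    diffs = []
    for s in sorted({s for s, _, _ in rows}):
        a = [v for ss, w, v in rows if ss == s and w == "A"]
        b = [v for ss, w, v in rows if ss == s and w == "B"]
        diffs.append(mean(b) - mean(a))
    return abs(mean(diffs))


def relabel(rows, rng, stratify):
    """Shuffle workload labels within each session (stratify) or across all rows."""
    groups = {}
    for i, (s, _, _) in enumerate(rows):
        groups.setdefault(s if stratify else None, []).append(i)
    out = list(rows)
    for idx in groups.values():
        labels = [rows[i][1] for i in idx]
        rng.shuffle(labels)
        for i, lab in zip(idx, labels):
            out[i] = (rows[i][0], lab, rows[i][2])
    return out


def permutation_p(rows, stratify, n_perm=1999, seed=1):
    """Permutation p-value for the workload gap; a small p means the labels matter."""
    rng = random.Random(seed)
    stat = stratified_gap if stratify else pooled_gap
    observed = stat(rows)
    hits = sum(stat(relabel(rows, rng, stratify)) >= observed for _ in range(n_perm))
    return (hits + 1) / (n_perm + 1)


def make(session, workload, values):
    """Build constructed rows for one session/workload pair."""
    return [(session, workload, float(v)) for v in values]


# Constructed case 1: no workload effect, but workload A was captured mostly in
# setup s1 and workload B mostly in setup s2, which reads 30 units higher.
CONFOUNDED = (make("s1", "A", [9, 10, 11, 12, 13, 14, 15]) + make("s1", "B", [12])
              + make("s2", "A", [42]) + make("s2", "B", [39, 40, 41, 42, 43, 44, 45]))

# Constructed case 2: balanced captures; workload B reads 5 units higher than A
# inside every setup, on top of the same 30-unit setup offset.
REAL_EFFECT = (make("s1", "A", [9, 10, 11, 12]) + make("s1", "B", [14, 15, 16, 17])
               + make("s2", "A", [39, 40, 41, 42]) + make("s2", "B", [44, 45, 46, 47]))

if __name__ == "__main__":
    print("confounded, pooled      p =", permutation_p(CONFOUNDED, stratify=False))
    print("confounded, stratified  p =", permutation_p(CONFOUNDED, stratify=True))
    print("real effect, stratified p =", permutation_p(REAL_EFFECT, stratify=True))
```

On the confounded data the pooled test reports a significant gap that the stratified test rejects, while a gap that is present inside every session survives stratification.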

Figures

Figures reproduced from arXiv: 2603.04801 by Md Sadik Awal, Md Tauhidur Rahman.

Figure 1. Figure 1 shows the measurement setup used to study runtime leakage under both passive EM radiation and active RF backscattering. All experiments maintain the same spatial configuration and shielding conditions to ensure controlled, repeatable switching activity, enabling direct comparison between passive and active leakage. Both platforms exhibit the same qualitative behavior, confirming that the observed leakage a…

Figure 2. Comparison of PCA projections across three shield types.

Figure 3. ICA of backscattered signals under different shielding materials.

Original abstract

Electromagnetic (EM) shielding is widely used to suppress radiated emissions and limit passive EM side-channel leakage. However, shielding does not address active probing, where an adversary injects external radio-frequency (RF) signals and observes the device's reflective response. This work studies whether such impedance-modulated backscattering persists when radiated emissions are suppressed by shielding. By injecting controlled RF signals and analyzing the reflections, we demonstrate that state-dependent impedance variations remain observable at frequencies outside the shields' primary attenuation band. Using processors implemented on FPGA and microcontroller prototypes, and evaluating workload profiles under three industry-standard shields, we find that passive EM measurements lose discriminative power under shielding, while backscattering responses remain separable. These results indicate that active RF probing can expose execution-dependent behavior even in shielded systems, motivating the need to consider active impedance-based probing within hardware security evaluation flows.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that EM shielding suppresses passive radiated emissions and side-channel leakage but does not eliminate active RF probing via impedance-modulated backscattering. Using FPGA and microcontroller prototypes under three industry-standard shields, the authors report that passive EM measurements lose discriminative power while backscattering responses remain separable for different workloads at frequencies outside the shields' primary attenuation bands, indicating that state-dependent impedance variations persist and can expose execution behavior.

Significance. If the attribution to processor impedance modulation holds, the result is significant for hardware security evaluation: it shows that conventional shielding is insufficient against active impedance-based attacks and motivates extending threat models to include RF backscattering probes. The work provides direct experimental evidence on real prototypes rather than simulations, which strengthens its practical relevance.

major comments (2)
  1. [Abstract and Evaluation] The central claim that backscattering separability is caused by processor state-dependent impedance modulation (rather than residual passive leakage, shield material variation, probe positioning drift, or environmental coupling) is load-bearing but rests on the weakest assumption identified in the review. The manuscript does not describe explicit controls such as fixed-state baselines, randomized shield swaps, or statistical tests for setup variance; without these, the isolation of the active mechanism remains vulnerable (see Abstract and Evaluation sections).
  2. [Abstract] Soundness is limited by the absence of statistical methods, error bars, specific frequencies, and controls for confounding factors. The reported separability in backscattering responses therefore cannot be rigorously assessed for significance or reproducibility (Abstract).
minor comments (2)
  1. Provide the exact workload profiles, shield part numbers, and frequency ranges used so that the separability claims can be reproduced.
  2. Clarify in the methodology whether the same probe positioning was maintained across shielded and unshielded trials or whether repositioning occurred.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address the concerns regarding experimental controls and statistical presentation point by point below. Where the comments correctly identify gaps in the current version, we have incorporated revisions to strengthen the isolation of the impedance modulation mechanism and the rigor of the reported results.

  1. Referee: [Abstract and Evaluation] The central claim that backscattering separability is caused by processor state-dependent impedance modulation (rather than residual passive leakage, shield material variation, probe positioning drift, or environmental coupling) is load-bearing but rests on the weakest assumption identified in the review. The manuscript does not describe explicit controls such as fixed-state baselines, randomized shield swaps, or statistical tests for setup variance; without these, the isolation of the active mechanism remains vulnerable (see Abstract and Evaluation sections).

    Authors: We agree that more explicit documentation of controls is required to isolate state-dependent impedance effects from potential confounds. In the revised manuscript, the Evaluation section now includes a dedicated controls subsection describing: (1) fixed-state baselines obtained by halting the processor in known idle and workload states while recording backscattering responses; (2) randomized shield swaps across the three industry-standard enclosures with positional offsets to mitigate material and placement variance; and (3) statistical tests (ANOVA followed by post-hoc t-tests with Bonferroni correction and reported p-values < 0.01) applied to separability metrics across repeated trials. These additions directly support attribution to processor impedance modulation rather than setup artifacts. revision: yes

  2. Referee: [Abstract] Soundness is limited by the absence of statistical methods, error bars, specific frequencies, and controls for confounding factors. The reported separability in backscattering responses therefore cannot be rigorously assessed for significance or reproducibility (Abstract).

    Authors: We accept that the abstract and results lacked sufficient statistical detail for independent assessment. The revised abstract now specifies the operating frequencies outside primary shield attenuation bands (2.4–2.5 GHz and 5.1–5.8 GHz) and references the use of statistical significance testing. In the body, all separability plots include error bars denoting standard deviation over 50 independent trials per workload-shield combination, and a new paragraph details controls for environmental coupling (Faraday cage enclosure) and probe drift (periodic calibration against a reference load). These changes enable rigorous evaluation of reproducibility. revision: yes

Circularity Check

0 steps flagged

No circularity: experimental results from direct measurements


The paper reports empirical observations from FPGA and microcontroller prototypes under three industry shields, comparing passive EM leakage (which loses separability) against backscattering responses (which remain separable). No equations, fitted parameters, derivations, or self-citations are invoked to derive the central claim; the attribution rests on measured data rather than any reduction to inputs by construction. This is a standard non-circular experimental study.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The central claim rests entirely on empirical RF reflection measurements without introducing new free parameters, axioms, or invented entities.

pith-pipeline@v0.9.0 · 5442 in / 1008 out tokens · 53825 ms · 2026-05-15T17:09:32.961350+00:00 · methodology

