Reflecthernet: Exfiltrating 100BASE-TX Ethernet Traffic Using a Retroreflector Hardware Trojan

Fran\c{c}ois Sarrazin; Matthieu Davy; Philippe Besnier; Pierre Granier

arxiv: 2605.02702 · v1 · submitted 2026-05-04 · 💻 cs.CR · physics.app-ph

Reflecthernet: Exfiltrating 100BASE-TX Ethernet Traffic Using a Retroreflector Hardware Trojan

Pierre Granier , Matthieu Davy , Philippe Besnier , Fran\c{c}ois Sarrazin This is my paper

Pith reviewed 2026-05-08 18:42 UTC · model grok-4.3

classification 💻 cs.CR physics.app-ph

keywords retroreflectorhardware trojanethernet exfiltrationMLT-3 signalingelectromagnetic eavesdroppingfast ethernetradio-frequency attackcovert monitoring

0 comments

The pith

A compact retroreflector implant recovers MLT-3 signals from 100BASE-TX Ethernet traffic over radio.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that radio-frequency retroreflector attacks can reach high-speed network links that were previously considered resistant. The authors built a small passive implant that alters the electromagnetic reflectivity of an Ethernet cable according to the data flowing through it. They also developed a signal processing chain to clean up the reflected radio waves and extract usable information despite channel noise. If the method holds, it opens a new avenue for covert monitoring of wired network traffic without direct wire taps or active emissions from the implant.

Core claim

The central claim is that a compact implant can recover the MLT-3 encoded signaling used in the 100BASE-TX Ethernet standard by modulating the electromagnetic reflectivity of the target link. A dedicated demodulation and interpretation pipeline mitigates errors introduced by the radio channel and maximizes the amount of recovered information, validating the feasibility of covertly monitoring Fast Ethernet traffic using RF retroreflection.

What carries the argument

The retroreflector implant, a minimal hardware Trojan that modulates the target's electromagnetic reflectivity in response to the probed signal line data without emitting signals of its own.

If this is right

High-speed wired links such as Fast Ethernet become practical targets for passive radio-frequency retroreflector attacks.
Dedicated error-mitigating demodulation pipelines can extract usable data from reflected signals even when the radio channel introduces errors.
Minimal implants using only discrete components like transistors or diodes suffice to leak information from 100 Mbps links.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Physical security measures around network cables may need to account for small reflective objects that could be placed without altering cable appearance.
Similar implant designs could be tested against other high-speed standards whose encoding schemes differ from MLT-3.
Real-world deployments would likely require calibration of the radio illumination frequency and power to maintain recovery rates outside controlled lab conditions.

Load-bearing premise

The implant can be covertly placed on or near the target Ethernet link without detection while the radio channel still permits sufficient signal recovery at the high data rate.

What would settle it

Transmit a known pattern of 100BASE-TX traffic over a cable fitted with the implant, illuminate the implant with a radio signal, demodulate the reflections using the described pipeline, and verify whether the recovered bit stream matches the original transmitted data above a usable threshold.

Figures

Figures reproduced from arXiv: 2605.02702 by Fran\c{c}ois Sarrazin, Matthieu Davy, Philippe Besnier, Pierre Granier.

**Figure 1.** Figure 1: Schematic of an RFRA in which a transistor-based HT allows monitoring of secret data through a backscattered signal. The implant modulates view at source ↗

**Figure 2.** Figure 2: Summary of the 100BASE-TX encoding and decoding steps. view at source ↗

**Figure 3.** Figure 3: An example of the scrambler operation for a single bit. The scrambler view at source ↗

**Figure 4.** Figure 4: A retroreflector implant composed of two Schottky diodes (BAT63-02V) and two view at source ↗

**Figure 5.** Figure 5: Interrogation setup. (1) OPA WBLNA wide-band LNA, ∼ 17 dB gain on the transmitting path. (2) PE15A63012 Broadband LNA, ∼ 40 dB gain in the receiving path. (3) SHP-300+ Lumped LC High Pass Filter, 290 - 3000 MHz. (4) Illumination signal via a ZCU111 RFSoC evaluation board. (5) LPDAMAX RF Space antennas (4-7 dBi over 300-1000 MHz). antenna parts. According to the cable construction, two types of improvised d… view at source ↗

**Figure 6.** Figure 6: Power spectral density (PSD) of the raw and filtered samples. This view at source ↗

**Figure 7.** Figure 7: (a) Gaussian KDE shown as hue, with highlighted “hotspots” in high view at source ↗

**Figure 9.** Figure 9: (a) MLT-3 logic levels obtained from on-wire captures using an os view at source ↗

**Figure 8.** Figure 8: (a) Correlation of received backscattered data (IDLE link) with a view at source ↗

**Figure 10.** Figure 10: Schematic of the error-correction process, in which codes are mapped to their nearest most probable neighbor. Green arrows denote the additional view at source ↗

**Figure 11.** Figure 11: (a,c) Proportion of incorrect codes (red), including a subset of invalid codes (blue), as a function of the symbol error rate (SER) of the analyzed view at source ↗

**Figure 12.** Figure 12: Examples of a recovered Ethernet packet obtained from backscattered data after decoding and error correction. Layer structure and remaining view at source ↗

**Figure 13.** Figure 13: Reflecthernet attack setup. (Top) The target, consisting of a laptop view at source ↗

read the original abstract

Electromagnetic eavesdropping is a well-established attack vector for remotely monitoring a target activity, most notably displays, over considerable ranges. Other targets have been considered resistant to such attacks or do not exhibit sufficient electromagnetic leakage for practical exploitation. Radio-frequency retroreflector attacks (RFRA) were developed to enable covert, active monitoring of a target by implanting a minimal hardware Trojan. These implants, typically implemented using discrete components such as transistors or diodes, do not betray their presence by emitting signals themselves; rather, they modulate the electromagnetic reflectivity of the target depending on the probed signal line data. Prior RFRA work has demonstrated their viability against video links and low-speed peripheral interfaces. In this work, we extend the applicability of RFRA to high-speed targets by presenting a successful attack on the 100BASE-TX Ethernet standard. We describe the design and realization of a compact implant capable of recovering the MLT-3 encoded signaling used in Fast Ethernet, as well as a dedicated demodulation and interpretation pipeline that mitigates errors introduced by the radio channel and maximizes the amount of recovered information. Experimental results validate the feasibility of covertly monitoring Fast Ethernet traffic using RF retroreflection and highlight the viability of such attacks for high-speed links.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows a working retroreflector implant that recovers 100BASE-TX traffic via MLT-3 modulation and a custom error-mitigating demodulator.

read the letter

The core result is that a compact discrete-component implant can exfiltrate data from a Fast Ethernet link by modulating the reflectivity of an external RF probe. The authors extend earlier retroreflector attacks from video and low-speed ports to 100BASE-TX, which means dealing with the 125 Mbaud MLT-3 encoding and building a pipeline that compensates for radio-channel distortion to recover usable bits. Their experiments confirm the approach produces recoverable traffic in practice, which moves the idea from concept to demonstrated hardware on a common high-speed wired interface. The implant design and the demodulation steps are the concrete contributions that make the extension possible. The stress-test concern about modulator bandwidth is reasonable on paper, since discrete transistors and diodes carry parasitic capacitance that can limit clean switching near 100 MHz. However, the reported results indicate the reflected signal stayed usable enough for the pipeline to extract data, so the implementation cleared the practical threshold in their tests. More eye diagrams or bandwidth measurements would make that part tighter, but it is not a load-bearing gap given the experimental outcome. This work is aimed at researchers in hardware security and electromagnetic side channels who care about physical-layer attacks on network links. A reader already following RF retroreflector techniques will get direct value from the MLT-3-specific details and the recovery pipeline. It deserves peer review so the schematics, measurement conditions, and bit-recovery rates can be examined in full.

Referee Report

2 major / 1 minor

Summary. The paper claims to extend radio-frequency retroreflector attacks (RFRA) to high-speed targets by designing and realizing a compact hardware Trojan implant that recovers MLT-3 encoded 100BASE-TX Ethernet signaling via modulated reflectivity, together with a dedicated demodulation and interpretation pipeline that mitigates radio-channel errors; experimental results are asserted to validate the feasibility of covertly monitoring Fast Ethernet traffic.

Significance. If the central experimental claim holds, the work meaningfully broadens the demonstrated applicability of passive retroreflector Trojans from low-speed peripherals and video links to 100 Mbps wired Ethernet, providing concrete evidence that previously resistant high-speed interfaces can be targeted with minimal, non-emitting implants. The emphasis on a purpose-built error-mitigation pipeline represents a practical engineering contribution that could inform both offensive security research and defensive physical-layer protections.

major comments (2)

[Experimental validation section] Experimental validation section: the manuscript asserts that experiments confirm feasibility of recovering 125 Mbaud MLT-3 signaling, yet reports no quantitative metrics (modulator bandwidth, reflected-signal eye diagrams, or bit-error-rate curves) that would demonstrate the discrete-component retroreflector can track the required symbol rate without fatal inter-symbol interference or low-pass filtering from parasitics.
[Implant design description] Implant design description: the claim that a transistor/diode-based compact implant suffices for MLT-3 modulation at 125 Mbaud is load-bearing for the central contribution, but the text provides no circuit analysis, SPICE simulation, or measured frequency response addressing the finite switching times and parasitic capacitance that conventionally limit such modulators well below 100 MHz.

minor comments (1)

[Abstract] The abstract and introduction would benefit from a brief statement of the achieved data rate and error rate after pipeline processing to allow readers to gauge practical utility without reading the full experimental section.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful review and for recognizing the potential significance of extending RFRA techniques to high-speed wired interfaces. We address each major comment below and commit to revisions that strengthen the presentation of experimental evidence and design details without altering the core claims.

read point-by-point responses

Referee: [Experimental validation section] Experimental validation section: the manuscript asserts that experiments confirm feasibility of recovering 125 Mbaud MLT-3 signaling, yet reports no quantitative metrics (modulator bandwidth, reflected-signal eye diagrams, or bit-error-rate curves) that would demonstrate the discrete-component retroreflector can track the required symbol rate without fatal inter-symbol interference or low-pass filtering from parasitics.

Authors: We agree that additional quantitative metrics would improve the rigor of the experimental validation section. The current manuscript demonstrates end-to-end feasibility through successful recovery of 100BASE-TX frames, but does not present explicit modulator bandwidth measurements, reflected-signal eye diagrams, or BER curves. In the revised version we will incorporate these data, including measured frequency response of the retroreflector and BER performance across channel conditions, to directly address concerns about inter-symbol interference and parasitic filtering at 125 Mbaud. revision: yes
Referee: [Implant design description] Implant design description: the claim that a transistor/diode-based compact implant suffices for MLT-3 modulation at 125 Mbaud is load-bearing for the central contribution, but the text provides no circuit analysis, SPICE simulation, or measured frequency response addressing the finite switching times and parasitic capacitance that conventionally limit such modulators well below 100 MHz.

Authors: We acknowledge that the implant design section would be strengthened by explicit circuit-level support. The discrete-component modulator was selected and tuned for MLT-3 levels, with experimental operation at the target rate serving as primary validation. To address the referee's point, the revision will add SPICE simulations of the modulator, together with measured frequency-response data, to quantify switching times and parasitic effects and confirm that the design remains viable at 125 Mbaud. revision: yes

Circularity Check

0 steps flagged

No circularity: experimental hardware validation with no derivation chain

full rationale

The paper describes the design, realization, and experimental testing of a discrete-component retroreflector implant for 100BASE-TX MLT-3 signaling, plus a demodulation pipeline. No equations, first-principles derivations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the provided text. Claims rest on physical implementation and empirical results rather than any self-referential reduction. This is the expected non-finding for an engineering demonstration paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The central claim rests on the physical feasibility of modulating cable reflectivity at Ethernet signaling rates and the ability of the demodulator to extract usable data from the reflected signal; no explicit free parameters, axioms, or invented entities are stated in the abstract.

pith-pipeline@v0.9.0 · 5533 in / 976 out tokens · 39715 ms · 2026-05-08T18:42:32.309679+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith.Foundation.ArithmeticFromLogic (LogicNat / initial Peano) unrelated; LFSR period is an IEEE 802.3 design choice, not an RS-forced 8-tick or φ-period structure unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

The scrambler is implemented using an 11-bit linear feedback shift register (LFSR) defined by the polynomial x^11 − x^9 − 1 ... maximal-length pseudo-random sequence of 2^11 − 1 = 2047 bits

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

24 extracted references · 24 canonical work pages

[2]

Electromagnetic eavesdropping risks of flat-panel displays,

M. G. Kuhn, “Electromagnetic eavesdropping risks of flat-panel displays,” inInternational Symposium on Privacy Enhancing Technologies, 2004. [Online]. Available: https://api.semanticscholar. org/CorpusID:16596308

work page 2004
[3]

Compromising emanations of lcd tv sets,

——, “Compromising emanations of lcd tv sets,” in2011 IEEE International Symposium on Electromagnetic Compatibility. Long Beach, CA, USA: IEEE, Aug. 2011, pp. 931–936. [Online]. Available: http://ieeexplore.ieee.org/document/6038442/

work page arXiv 2011
[4]

Information recovery using electromagnetic emanations from display devices under realistic environment,

H. S. Lee, D. H. Choi, K. Sim, and J.-G. Yook, “Information recovery using electromagnetic emanations from display devices under realistic environment,”IEEE Transactions on Electromagnetic Compatibility, vol. 61, no. 4, pp. 1098–1106, 2019

work page 2019
[5]

Eavesdropping risks of the displayport video interface,

D. Erdeljan, “Eavesdropping risks of the displayport video interface,” Ph.D. dissertation, Apollo - University of Cambridge Repository, 2023. [Online]. Available: https://doi.org/10.17863/CAM.106182

work page doi:10.17863/cam.106182 2023
[6]

Electromagnetic Eavesdropping on DisplayPort,

D. Erdeljan and M. G. Kuhn, “Electromagnetic Eavesdropping on DisplayPort,”IEEE Transactions on Dependable and Secure Computing, pp. 1–18, 2026. [Online]. Available: https://ieeexplore.ieee. org/document/11352973/

work page arXiv 2026
[7]

The threat of information theft by reception of electromagnetic radiation from RS-232 cables,

P. Smulders, “The threat of information theft by reception of electromagnetic radiation from RS-232 cables,”Computers & Security, vol. 9, no. 1, pp. 53–58, Feb. 1990. [Online]. Available: https: //linkinghub.elsevier.com/retrieve/pii/016740489090157O

work page arXiv 1990
[8]

Compromising electromagnetic emanations of wired and wireless keyboards,

M. Vuagnoux and S. Pasini, “Compromising electromagnetic emanations of wired and wireless keyboards,” inProceedings of the 18th Conference on USENIX Security Symposium, ser. SSYM’09. USA: USENIX Association, 2009, p. 1–16

work page 2009
[9]

Trust the wire, they always told me! on practical non-destructive wire-tap attacks against ethernet,

M. Schulz, P. Klapper, M. Hollick, E. Tews, and S. Katzenbeisser, “Trust the wire, they always told me! on practical non-destructive wire-tap attacks against ethernet,” inProceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, ser. WiSec ’16. New York, NY , USA: Association for Computing Machinery, 2016, p. 43–48. [Onl...

work page doi:10.1145/2939918.2940650 2016
[10]

Leon Theremin (Lev Termen),

P. Nikitin, “Leon Theremin (Lev Termen),”IEEE Antennas and Propagation Magazine, vol. 54, no. 5, pp. 252–257, Oct. 2012. [Online]. Available: http://ieeexplore.ieee.org/document/6348173/

work page arXiv 2012
[11]

(2008 (redaction)) NSA ANT catalog

NSA. (2008 (redaction)) NSA ANT catalog

work page 2008
[12]

A feasibility study of radio-frequency retroreflector attack,

S. Wakabayashi, S. Maruyama, T. Mori, S. Goto, M. Kinugawa, Y . Hayashi, and M. Smith, “A feasibility study of radio-frequency retroreflector attack,” in12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD: USENIX Association, Aug

work page
[13]

Available: https://www.usenix.org/conference/woot18/ presentation/wakabayashi

[Online]. Available: https://www.usenix.org/conference/woot18/ presentation/wakabayashi

work page
[14]

Electromagnetic information extortion from electronic devices using interceptor and its countermeasure,

M. Kinugawa, D. Fujimoto, and Y . Hayashi, “Electromagnetic information extortion from electronic devices using interceptor and its countermeasure,”IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 4, p. 62–90, Aug. 2019. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/8345

work page 2019
[15]

Diode-based multi-trojan rf retroreflector attack,

P. Granier, M.-A. Nicolas, J. Lorandel, C. Moy, P. Besnier, M. Davy, and F. Sarrazin, “Diode-based multi-trojan rf retroreflector attack,” in 2025 International Symposium on Electromagnetic Compatibility – EMC Europe, 2025, pp. 784–789

work page 2025
[16]

Wireless Eavesdropping on Wired Audio With Radio- Frequency Retroreflector Attack,

G. Wang, Z. Shi, Y . Yang, Z. An, G. Zhang, P. Hu, X. Cheng, and J. Cao, “Wireless Eavesdropping on Wired Audio With Radio- Frequency Retroreflector Attack,”IEEE Transactions on Mobile Computing, vol. 24, no. 4, pp. 3178–3195, Apr. 2025. [Online]. Available: https://ieeexplore.ieee.org/document/10766401/

work page arXiv 2025
[17]

Ieee standard for ethernet,

“Ieee standard for ethernet,”IEEE Std 802.3-2022 (Revision of IEEE Std 802.3-2018), pp. 1–7025, 2022

work page 2022
[18]

Factory communications at the dawn of the fourth industrial revolution,

C. Zunino, A. Valenzano, R. Obermaisser, and S. Petersen, “Factory communications at the dawn of the fourth industrial revolution,” Computer Standards & Interfaces, vol. 71, p. 103433, 2020. [Online]. Available: https://www.sciencedirect.com/science/article/pii/ S0920548919300868

work page 2020
[19]

A survey on dns encryption: Current development, malware misuse, and inference techniques,

M. Lyu, H. H. Gharakheili, and V . Sivaraman, “A survey on dns encryption: Current development, malware misuse, and inference techniques,”ACM Computing Surveys, vol. 55, no. 8, p. 1–28, Dec

work page
[20]

Available: http://dx.doi.org/10.1145/3547331

[Online]. Available: http://dx.doi.org/10.1145/3547331

work page doi:10.1145/3547331
[21]

Os fingerprinting: New techniques and a study of information gain and obfuscation,

B. Anderson and D. McGrew, “Os fingerprinting: New techniques and a study of information gain and obfuscation,” 2017. [Online]. Available: https://arxiv.org/abs/1706.08003

work page arXiv 2017
[22]

M. Ossmann. (2014) The NSA playset: RF retroreflectors. [Online]. Available: https://archive.org/details/nsaplayset-toorcamp2014

work page 2014
[23]

Scikit-learn: Machine learning in python,

F. Pedregosa, G. Varoquaux, A. Gramfort, V . Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V . Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and ´Edouard Duchesnay, “Scikit-learn: Machine learning in python,” Journal of Machine Learning Research, vol. 12, no. 85, pp. 2825–2830,

work page
[24]

Available: http://jmlr.org/papers/v12/pedregosa11a.html

[Online]. Available: http://jmlr.org/papers/v12/pedregosa11a.html

work page
[25]

LIBSVM: A library for support vector machines,

C.-C. Chang and C.-J. Lin, “LIBSVM: A library for support vector machines,”ACM Transactions on Intelligent Systems and Technology, vol. 2, pp. 27:1–27:27, 2011, software available at http://www.csie.ntu. edu.tw/∼cjlin/libsvm

work page 2011

[1] [2]

Electromagnetic eavesdropping risks of flat-panel displays,

M. G. Kuhn, “Electromagnetic eavesdropping risks of flat-panel displays,” inInternational Symposium on Privacy Enhancing Technologies, 2004. [Online]. Available: https://api.semanticscholar. org/CorpusID:16596308

work page 2004

[2] [3]

Compromising emanations of lcd tv sets,

——, “Compromising emanations of lcd tv sets,” in2011 IEEE International Symposium on Electromagnetic Compatibility. Long Beach, CA, USA: IEEE, Aug. 2011, pp. 931–936. [Online]. Available: http://ieeexplore.ieee.org/document/6038442/

work page arXiv 2011

[3] [4]

Information recovery using electromagnetic emanations from display devices under realistic environment,

H. S. Lee, D. H. Choi, K. Sim, and J.-G. Yook, “Information recovery using electromagnetic emanations from display devices under realistic environment,”IEEE Transactions on Electromagnetic Compatibility, vol. 61, no. 4, pp. 1098–1106, 2019

work page 2019

[4] [5]

Eavesdropping risks of the displayport video interface,

D. Erdeljan, “Eavesdropping risks of the displayport video interface,” Ph.D. dissertation, Apollo - University of Cambridge Repository, 2023. [Online]. Available: https://doi.org/10.17863/CAM.106182

work page doi:10.17863/cam.106182 2023

[5] [6]

Electromagnetic Eavesdropping on DisplayPort,

D. Erdeljan and M. G. Kuhn, “Electromagnetic Eavesdropping on DisplayPort,”IEEE Transactions on Dependable and Secure Computing, pp. 1–18, 2026. [Online]. Available: https://ieeexplore.ieee. org/document/11352973/

work page arXiv 2026

[6] [7]

The threat of information theft by reception of electromagnetic radiation from RS-232 cables,

P. Smulders, “The threat of information theft by reception of electromagnetic radiation from RS-232 cables,”Computers & Security, vol. 9, no. 1, pp. 53–58, Feb. 1990. [Online]. Available: https: //linkinghub.elsevier.com/retrieve/pii/016740489090157O

work page arXiv 1990

[7] [8]

Compromising electromagnetic emanations of wired and wireless keyboards,

M. Vuagnoux and S. Pasini, “Compromising electromagnetic emanations of wired and wireless keyboards,” inProceedings of the 18th Conference on USENIX Security Symposium, ser. SSYM’09. USA: USENIX Association, 2009, p. 1–16

work page 2009

[8] [9]

Trust the wire, they always told me! on practical non-destructive wire-tap attacks against ethernet,

M. Schulz, P. Klapper, M. Hollick, E. Tews, and S. Katzenbeisser, “Trust the wire, they always told me! on practical non-destructive wire-tap attacks against ethernet,” inProceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, ser. WiSec ’16. New York, NY , USA: Association for Computing Machinery, 2016, p. 43–48. [Onl...

work page doi:10.1145/2939918.2940650 2016

[9] [10]

Leon Theremin (Lev Termen),

P. Nikitin, “Leon Theremin (Lev Termen),”IEEE Antennas and Propagation Magazine, vol. 54, no. 5, pp. 252–257, Oct. 2012. [Online]. Available: http://ieeexplore.ieee.org/document/6348173/

work page arXiv 2012

[10] [11]

(2008 (redaction)) NSA ANT catalog

NSA. (2008 (redaction)) NSA ANT catalog

work page 2008

[11] [12]

A feasibility study of radio-frequency retroreflector attack,

S. Wakabayashi, S. Maruyama, T. Mori, S. Goto, M. Kinugawa, Y . Hayashi, and M. Smith, “A feasibility study of radio-frequency retroreflector attack,” in12th USENIX Workshop on Offensive Technologies (WOOT 18). Baltimore, MD: USENIX Association, Aug

work page

[12] [13]

Available: https://www.usenix.org/conference/woot18/ presentation/wakabayashi

[Online]. Available: https://www.usenix.org/conference/woot18/ presentation/wakabayashi

work page

[13] [14]

Electromagnetic information extortion from electronic devices using interceptor and its countermeasure,

M. Kinugawa, D. Fujimoto, and Y . Hayashi, “Electromagnetic information extortion from electronic devices using interceptor and its countermeasure,”IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 4, p. 62–90, Aug. 2019. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/8345

work page 2019

[14] [15]

Diode-based multi-trojan rf retroreflector attack,

P. Granier, M.-A. Nicolas, J. Lorandel, C. Moy, P. Besnier, M. Davy, and F. Sarrazin, “Diode-based multi-trojan rf retroreflector attack,” in 2025 International Symposium on Electromagnetic Compatibility – EMC Europe, 2025, pp. 784–789

work page 2025

[15] [16]

Wireless Eavesdropping on Wired Audio With Radio- Frequency Retroreflector Attack,

G. Wang, Z. Shi, Y . Yang, Z. An, G. Zhang, P. Hu, X. Cheng, and J. Cao, “Wireless Eavesdropping on Wired Audio With Radio- Frequency Retroreflector Attack,”IEEE Transactions on Mobile Computing, vol. 24, no. 4, pp. 3178–3195, Apr. 2025. [Online]. Available: https://ieeexplore.ieee.org/document/10766401/

work page arXiv 2025

[16] [17]

Ieee standard for ethernet,

“Ieee standard for ethernet,”IEEE Std 802.3-2022 (Revision of IEEE Std 802.3-2018), pp. 1–7025, 2022

work page 2022

[17] [18]

Factory communications at the dawn of the fourth industrial revolution,

C. Zunino, A. Valenzano, R. Obermaisser, and S. Petersen, “Factory communications at the dawn of the fourth industrial revolution,” Computer Standards & Interfaces, vol. 71, p. 103433, 2020. [Online]. Available: https://www.sciencedirect.com/science/article/pii/ S0920548919300868

work page 2020

[18] [19]

A survey on dns encryption: Current development, malware misuse, and inference techniques,

M. Lyu, H. H. Gharakheili, and V . Sivaraman, “A survey on dns encryption: Current development, malware misuse, and inference techniques,”ACM Computing Surveys, vol. 55, no. 8, p. 1–28, Dec

work page

[19] [20]

Available: http://dx.doi.org/10.1145/3547331

[Online]. Available: http://dx.doi.org/10.1145/3547331

work page doi:10.1145/3547331

[20] [21]

Os fingerprinting: New techniques and a study of information gain and obfuscation,

B. Anderson and D. McGrew, “Os fingerprinting: New techniques and a study of information gain and obfuscation,” 2017. [Online]. Available: https://arxiv.org/abs/1706.08003

work page arXiv 2017

[21] [22]

M. Ossmann. (2014) The NSA playset: RF retroreflectors. [Online]. Available: https://archive.org/details/nsaplayset-toorcamp2014

work page 2014

[22] [23]

Scikit-learn: Machine learning in python,

F. Pedregosa, G. Varoquaux, A. Gramfort, V . Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V . Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and ´Edouard Duchesnay, “Scikit-learn: Machine learning in python,” Journal of Machine Learning Research, vol. 12, no. 85, pp. 2825–2830,

work page

[23] [24]

Available: http://jmlr.org/papers/v12/pedregosa11a.html

[Online]. Available: http://jmlr.org/papers/v12/pedregosa11a.html

work page

[24] [25]

LIBSVM: A library for support vector machines,

C.-C. Chang and C.-J. Lin, “LIBSVM: A library for support vector machines,”ACM Transactions on Intelligent Systems and Technology, vol. 2, pp. 27:1–27:27, 2011, software available at http://www.csie.ntu. edu.tw/∼cjlin/libsvm

work page 2011