Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers
- URL: http://arxiv.org/abs/2512.15387v1
- Date: Wed, 17 Dec 2025 12:39:54 GMT
- Title: Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers
- Authors: Paul Staat, Daniel Davidovich, Christof Paar
- Abstract summary: We show that malicious code execution on embedded devices can enable wireless infiltration of airgapped systems without any hardware modification. This phenomenon stems from parasitic RF sensitivity in PCB traces and on-chip analog-to-digital converters. Our findings reveal a previously unexplored command-and-control vector for air-gapped systems.
- Score: 5.998725718715555
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Intelligent electronics are deeply embedded in critical infrastructures and must remain reliable, particularly against deliberate attacks. To minimize risks and impede remote compromise, sensitive systems can be physically isolated from external networks, forming an airgap. Yet, airgaps can still be infiltrated by capable adversaries gaining code execution. Prior research has shown that attackers can then attempt to wirelessly exfiltrate data across the airgap by exploiting unintended radio emissions. In this work, we demonstrate reversal of this link: malicious code execution on embedded devices can enable wireless infiltration of airgapped systems without any hardware modification. In contrast to previous infiltration methods that depend on dedicated sensors (e.g., microphones, LEDs, or temperature sensors) or require strict line-of-sight, we show that unmodified, sensor-less embedded devices can inadvertently act as radio receivers. This phenomenon stems from parasitic RF sensitivity in PCB traces and on-chip analog-to-digital converters (ADCs), allowing external transmissions to be received and decoded entirely in software. Across twelve commercially available embedded devices and two custom prototypes, we observe repeatable reception in the 300-1000 MHz range, with detectable signal power as low as 1 mW. To this end, we propose a systematic methodology to identify device configurations that foster such radio sensitivities and comprehensively evaluate their feasibility for wireless data reception. Exploiting these sensitivities, we demonstrate successful data reception over tens of meters, even in non-line-of-sight conditions and show that the reception sensitivities accommodate data rates of up to 100 kbps. Our findings reveal a previously unexplored command-and-control vector for air-gapped systems while challenging assumptions about their inherent isolation. [shortened]
Related papers
- Spectrum Shortage for Radio Sensing? Leveraging Ambient 5G Signals for Human Activity Detection [5.225254533678075]
Ambient Radio Sensing (ARS) is an ISAC approach that addresses spectrum scarcity by repurposing over-the-air radio signals. ARS operates as a standalone device that passively receives communication signals, amplifies them to illuminate surrounding objects, and captures the reflected signals. We have developed a prototype of ARS and validated its effectiveness through extensive experiments using ambient 5G signals.
arXiv Detail & Related papers (2026-03-03T23:18:03Z)
- Online Reliable Anomaly Detection via Neuromorphic Sensing and Communications [58.796149594878585]
This paper proposes a low-power online anomaly detection framework based on neuromorphic wireless sensor networks. In the considered system, a central reader node actively queries a subset of neuromorphic sensor nodes (neuro-SNs) at each time frame. The neuromorphic sensors are event-driven, producing spikes in correspondence to relevant changes in the monitored system.
arXiv Detail & Related papers (2025-10-16T13:56:54Z)
- Rydberg Atomic Quantum Receivers for Classical Wireless Communications and Sensing: Their Models and Performance [78.76421728334013]
Rydberg atomic quantum receivers (RAQRs) are an eminent solution for detecting the electric field of radio frequency (RF) signals. We introduce the RAQR to the wireless community by presenting an end-to-end reception scheme. We then develop a corresponding equivalent baseband signal model relying on a realistic reception flow.
arXiv Detail & Related papers (2024-12-07T06:25:54Z)
- A Computational Harmonic Detection Algorithm to Detect Data Leakage through EM Emanation [0.08192907805418582]
Unintended electromagnetic emissions, called EM emanations, can be exploited to recover sensitive information. Metal shielding, used by defense organizations to prevent data leakage, is costly and impractical for widespread use. We propose a harmonic-based emanation detection method by developing a computational harmonic detection algorithm.
arXiv Detail & Related papers (2024-10-09T14:40:15Z)
- RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM [1.74048653626208]
We present an attack allowing adversaries to leak information from air-gapped computers.
We show that malware on a compromised computer can generate radio signals from memory buses (RAM).
With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance.
arXiv Detail & Related papers (2024-09-03T21:06:04Z)
- Erasing Radio Frequency Fingerprints via Active Adversarial Perturbation [19.88283575742985]
We consider a common RF fingerprinting scenario, where machine learning models are trained from pilot signal data for identification.
A novel adversarial attack solution is designed to generate proper perturbations, whereby the pilot signal can hide the hardware feature and misclassify the model.
Extensive experiment results demonstrate that the RF fingerprints can be effectively erased to protect the user privacy.
arXiv Detail & Related papers (2024-06-11T15:16:05Z)
- Spatial-Domain Wireless Jamming with Reconfigurable Intelligent Surfaces [20.406776153173176]
We propose a novel approach that allows for environment-adaptive spatial control of wireless jamming signals. We demonstrate complete denial-of-service of a Wi-Fi device while a second device located at a distance as close as 5 mm remains unaffected.
arXiv Detail & Related papers (2024-02-21T12:50:44Z)
- Physical-Layer Semantic-Aware Network for Zero-Shot Wireless Sensing [74.12670841657038]
Device-free wireless sensing has recently attracted significant interest due to its potential to support a wide range of immersive human-machine interactive applications.
Data heterogeneity in wireless signals and data privacy regulation of distributed sensing have been considered as the major challenges that hinder the wide applications of wireless sensing in large area networking systems.
We propose a novel zero-shot wireless sensing solution that allows models constructed in one or a limited number of locations to be directly transferred to other locations without any labeled data.
arXiv Detail & Related papers (2023-12-08T13:50:30Z)
- Autoencoder-based Radio Frequency Interference Mitigation For SMAP Passive Radiometer [6.5358895450258325]
Radiometers operating in the 1400-1427 MHz protected frequency band face radio frequency interference (RFI) from terrestrial sources.
This paper proposes an autoencoder-based RFI mitigation method to remove the dominant RFI caused by potential coexistent terrestrial users.
arXiv Detail & Related papers (2023-04-25T21:37:51Z)
- Drone Detection and Tracking in Real-Time by Fusion of Different Sensing Modalities [66.4525391417921]
We design and evaluate a multi-sensor drone detection system.
Our solution integrates a fish-eye camera as well to monitor a wider part of the sky and steer the other cameras towards objects of interest.
The thermal camera is shown to be a feasible solution as good as the video camera, even if the camera employed here has a lower resolution.
arXiv Detail & Related papers (2022-07-05T10:00:58Z)
- GraSens: A Gabor Residual Anti-aliasing Sensing Framework for Action Recognition using WiFi [52.530330427538885]
WiFi-based human action recognition (HAR) has been regarded as a promising solution in applications such as smart living and remote monitoring.
We propose an end-to-end Gabor residual anti-aliasing sensing network (GraSens) to directly recognize the actions using the WiFi signals from the wireless devices in diverse scenarios.
arXiv Detail & Related papers (2022-05-24T10:20:16Z)
- Robust learning from corrupted EEG with dynamic spatial filtering [68.82260713085522]
Building machine learning models using EEG recorded outside of the laboratory requires methods robust to noisy data and randomly missing channels.
We propose dynamic spatial filtering (DSF), a multi-head attention module that can be plugged in before the first layer of a neural network.
We tested DSF on public EEG data encompassing 4,000 recordings with simulated channel corruption and on a private dataset of 100 at-home recordings of mobile EEG with natural corruption.
arXiv Detail & Related papers (2021-05-27T02:33:16Z)
This list is automatically generated from the titles and abstracts of the papers in this site.