A Framework for Evaluating Security in the Presence of Signal Injection Attacks

  • Ilias Giechaskiel
  • Youqian Zhang
  • Kasper B. Rasmussen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11735)


Sensors are embedded in security-critical applications from medical devices to nuclear power plants, but their outputs can be spoofed through electromagnetic and other types of signals transmitted by attackers at a distance. To address the lack of a unifying framework for evaluating the effect of such transmissions, we introduce a system and threat model for signal injection attacks. We further define the concepts of existential, selective, and universal security, which address attacker goals from mere disruptions of the sensor readings to precise waveform injections. Moreover, we introduce an algorithm which allows circuit designers to concretely calculate the security level of real systems. Finally, we apply our definitions and algorithm in practice using measurements of injections against a smartphone microphone, and analyze the demodulation characteristics of commercial Analog-to-Digital Converters (ADCs). Overall, our work highlights the importance of evaluating the susceptibility of systems against signal injection attacks, and introduces both the terminology and the methodology to do so.


Keywords: Signal injection attacks, Non-linearities, Security metrics, Analog-to-Digital Converters, Electromagnetic interference



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Ilias Giechaskiel (1)
  • Youqian Zhang (1)
  • Kasper B. Rasmussen (1)
  1. University of Oxford, Oxford, UK
