Electromagnetic Signal Injection Attacks
- Electromagnetic signal injection attacks are adversarial manipulations that exploit non-linear circuit behavior and unintended EM coupling to induce erroneous digital signals.
- They use RF or low-frequency fields to bypass channels in sensors, actuators, and mixed-signal electronics, challenging traditional EMI/EMC defenses.
- Demonstrations across differential buses, power conversion systems, imaging, LiDAR, and EV charging confirm these attacks expose critical vulnerabilities in safety-critical devices.
Searching arXiv for recent and foundational papers on electromagnetic signal injection attacks across actuators, differential signaling, cameras, LiDAR, power systems, and fault injection. Electromagnetic signal injection attacks are a major subset of out-of-band signal injection attacks: adversarial manipulations of interfaces not intended for communication involving sensors and actuators that cause a mismatch between the true physical property being measured or acted upon and its digitized version. In these attacks, RF or low-frequency electromagnetic fields couple into unintended antennas such as wires, traces, leads, and cables; amplifiers, comparators, ESD protection, ADCs, transceivers, and other mixed-signal elements then rectify, demodulate, alias, or otherwise translate that energy into accepted low-frequency measurements, logic transitions, control values, or image data (Giechaskiel et al., 2019, Giechaskiel et al., 2019).
1. Definitions, scope, and conceptual boundaries
Electromagnetic signal injection is ordinarily framed as a security problem in the analog domain rather than as a protocol compromise. The surveyed terminology defines out-of-band signal injection attacks as adversarial manipulations of interfaces not intended for communication involving sensors or actuators, and electromagnetic attacks fit this definition when an attacker uses RF or low-frequency EM fields to inject signals into sensor or actuator paths or mixed-signal electronics that were not meant to receive such fields (Giechaskiel et al., 2019). They are out of band in two senses: the attack may use signals outside the intended operating band, and it may also use an unintended physical channel, such as EM coupling into a circuit whose intended interface is optical, acoustic, thermal, mechanical, or purely local electrical wiring (Giechaskiel et al., 2019).
A central distinction is between unintentional EMI and deliberate signal injection. Normal EMI is unintentional, typically broadband or not time-coordinated, and is traditionally handled with shielding, filtering, and EMC practices. Deliberate EM signal injection is instead a tailored, high-power interference designed to appear as a valid signal inside the victim electronics: the attacker selects frequency to maximize coupling, exploits non-linearities to translate RF to baseband, and chooses waveform and timing to perturb or overshadow the legitimate signal (Zhang et al., 2022). The literature therefore treats classical EMI/EMC, side-channel leakage, and signal injection as closely related but not identical: the same unintentional antenna that leaks side-channel emissions can also receive attacker EM, and the same non-linear analog stage that distorts EMI can demodulate an injected carrier (Giechaskiel et al., 2019).
One persistent misconception is that some interface styles are intrinsically immune. Differential signaling is a prominent example. Because a receiver is expected to reject common-mode noise by looking only at the difference between two complementary conductors, it has often been assumed that remote injection is infeasible. That assumption is explicitly challenged by attacks that inject malicious signals from a distance purely using common-mode injection and nonetheless force bit errors or full messages on real differential buses (Zhang et al., 2022).
2. Physical and electrical mechanisms
The physical basis begins with the fact that every conductor can behave as an antenna. Sensor leads, actuator cables, PCB traces, and communication pairs have nonzero length and geometry, are exposed to environmental fields, and couple most strongly near resonant lengths such as approximately or in simple cases (Giechaskiel et al., 2019, Zhang et al., 2022). In actuator systems, this coupling is commonly abstracted into transfer functions such as for the control wire and for the drive wire, with induced signal strength modeled as proportional to transmitted power and shaped by frequency selectivity, distance, geometry, and orientation (Zhang et al., 2022).
For out-of-band attacks, the attacker often transmits a modulated carrier,
where is the malicious baseband waveform. The target circuitry then performs the effective demodulation. A standard model expands the non-linear response as
or, more generally for an analog stage,
These non-linearities generate DC offsets, harmonics, and intermodulation terms, including low-frequency components that fall into the operational band of the victim (Zhang et al., 2022, Giechaskiel et al., 2019). ESD diodes are especially important because they clamp inputs beyond the rails, introduce rectification and clipping, and produce DC shifts or low-frequency components proportional to the RF envelope (Giechaskiel et al., 2019).
The sample-and-hold stage of an ADC further shapes the effect. Its RC transfer function,
acts as a low-pass filter, but this does not preclude attacks: high-frequency carriers can still be demodulated in front of or inside the ADC, leaving baseband terms that pass through and are digitized (Giechaskiel et al., 2019). Aliasing adds another route by which high-frequency energy can appear as plausible low-frequency content after sampling (Giechaskiel et al., 2019).
Differential buses illustrate a complementary mechanism. If an attacker adds approximately the same RF waveform to both wires of a pair, the differential mode may remain nominally unchanged, but non-ideal common-mode rejection and non-linear behavior in the subtractor and receiver create an effective disturbance at the decision point. The subtractor is modeled as
where 0 and 1 are the differential and common-mode gains, 2 captures non-linear distortion, and 3 is the injected common-mode waveform. At sufficiently high frequency, degraded CMRR and rectification in ESD and input-buffer circuitry convert common-mode RF into a quasi-DC shift that pushes the sampled voltage across logic thresholds (Zhang et al., 2022).
3. Threat models and formal security notions
A general evaluative framework models the attack path with two transfer functions: 4 for circuit and coupling effects from the attacker to the ADC input, and 5 for the ADC and analog front-end behavior (Giechaskiel et al., 2019). The attacker controls only the injected waveform 6 and is assumed to know 7, 8, and the noise distribution. To make the model comparable across systems, the adversary is treated as voltage-bounded: 9 for all 0, where 1 abstracts transmit power, coupling efficiency, distance, and shielding (Giechaskiel et al., 2019).
The same framework distinguishes three attacker goals. Existential injection seeks any nontrivial disturbance; selective injection seeks a specific waveform; universal injection seeks arbitrary representable waveforms. These correspond to universal, selective, and existential security, respectively, and are defined in terms of quantization error, sampling error, bounded noise, and the probability that the ADC output deviates from or matches a target waveform within those bounds (Giechaskiel et al., 2019). A representable waveform, in this terminology, must lie within the ADC input range and below the Nyquist limit (Giechaskiel et al., 2019).
Domain-specific papers often assume an even stronger adversary. For actuators, one formal threat model grants no physical access, full knowledge of actuator-system topology and parameters, knowledge of control waveform and timing, qualitative knowledge of the relevant transfer functions, and the ability to generate any physically realizable waveform at arbitrary power (Zhang et al., 2022). The only system-side limitation is that there exists a minimum effective attack power 2, below which even a perfectly crafted waveform has no meaningful physical effect (Zhang et al., 2022). This worst-case posture is consistent with the broader literature: the difficulty is rarely in describing a malicious waveform, but in forcing it through an unintended analog path with enough fidelity.
4. Target classes and representative attack effects
Electromagnetic signal injection has been demonstrated against a wide range of targets, from buses and microcontrollers to actuators, power converters, and charging infrastructure.
| Domain | Injection locus | Representative effect |
|---|---|---|
| Differential buses | Common-mode RF on both wires | Bit flips and full message injection |
| Actuator systems | Control or drive wires | Direct motion, audio tones, state changes |
| Power conversion | Voltage/current feedback path | Mis-regulation, overcurrent, overvoltage |
| Microcontrollers and TEEs | Localized EMFI on internal logic or buses | Instruction replacement, secure-boot bypass |
| EV charging ports | CC/CP or S+/S– lines | Authentication spoofing, deadlock, CAN injection |
On differential buses, common-mode injection can force arbitrary bits and even arbitrary messages into a line; the paper’s real-system demonstration reaches a success rate as high as 3, and a case study wirelessly injects a message into a CAN bus used in automotive and aviation systems (Zhang et al., 2022). The analytical model parameterizes the effect with 4, the probability that RF flips a 5 to 6, and 7, the probability that RF flips a 8 to 9, then optimizes the attack according to prior knowledge of the legitimate bitstream (Zhang et al., 2022).
Actuator systems expose a different surface because the actuator itself is usually just an energy transducer with no CPU, memory, or protocol stack. It cannot authenticate the signal it receives and simply responds to whatever electrical signal is present on its terminals (Zhang et al., 2022). The literature reduces successful attacks to two logical points: control-signal injection on the low-power controller-to-driver line, and drive-signal injection on the high-power driver-to-actuator line. The former is easier; for motors, a simple estimate in the paper places drive-line injection at roughly 0 the power needed for control-line injection (Zhang et al., 2022). Demonstrated effects include arbitrary audio tones injected into a speaker system by exploiting the non-linearities of an LM386 audio amplifier, as well as prior examples of precise servo-angle control and power-converter switching manipulation via EM injection into PWM lines (Zhang et al., 2022).
Power-conversion systems show how a small measurement error can be amplified by feedback. If the controller enforces 1 but the sensed value is corrupted to 2, the attacked operating point becomes
3
so the regulator converges to the wrong physical output (Szakály et al., 2023). Experiments on AC-DC and DC-DC converters, automotive current sensors, and Li-ion chargers show systematic vulnerability across all examined categories, with ranged attacks demonstrated to about 4 m using approximately 5–6 dBm and a directional antenna. In one charger test, current increased from 7 A to 8 A at 9 m; in battery-overvoltage experiments, a real Li-ion cell was driven to about 0 V, its temperature rose to about 1C, and it eventually failed permanently (Szakály et al., 2023).
Electromagnetic fault injection (EMFI) targets the digital substrate rather than the analog signal path. On a 32-bit ARM Cortex-M3, a 10 ns pulse delivered by a small magnetic coil produced localized timing violations on instruction and data buses, yielding instruction replacement, data corruption, exceptions, and metastable multi-bit faults. For loads from Flash, the observed corruption displayed a marked set-at-1 trend as amplitude increased (Moro et al., 2014). The same attack class has been carried into TEE research: secure-boot bypass on a Broadcom SoC was reported with a 2 success rate; coordinated EM side-channel timing plus EMFI bypassed Android secure boot with 3 successes in 4 injections; and EMFI against Qualcomm QSEE bypassed range checks in about 5 of trials (Joy et al., 2024).
Recent work on EV charging ports extends the same underlying idea to a contact-based, wired form of physical-layer signal injection. Here, the attacker inserts a compact device into the connector and actively drives or emulates the low-level analog signals—voltages, resistances, PWM waveforms, and CAN frames—that chargers use for authentication and control. Across 7 charging standards used by 20 charger piles, the attacks produced denial of service, charger-gun deadlock, manipulated charging power, and CAN-level compromise, illustrating that the vulnerability is architectural whenever safety or authorization decisions are bound directly to unauthenticated analog variables (Shi et al., 19 Jun 2025).
5. Imaging and perception systems
Image sensors have become a major subfield of electromagnetic signal injection. For CCDs, the attack can be genuinely post-transducer: electromagnetic emanation couples into the electrical signal path after photodiodes have generated charge, allowing manipulation of the brightness of individual pixels. The measured pixel luminance is modeled as
6
where 7 is legitimate charge from light, 8 is maliciously induced signal charge, and 9 is the analog gain. Using this mechanism, a CCD camera was manipulated with granularity down to the brightness of individual pixels, and the injected distortion disrupted automated barcode scanning (Köhler et al., 2021).
For CMOS cameras and camera-based intelligent systems, the dominant abstraction in recent work is row corruption. Electromagnetic injection into the image signal transmission path causes some rows of pixels to be dropped; the system then reconstructs the frame by copying subsequent rows, creating visible color strips. One formalization represents the dropped rows as a strictly increasing tuple 0, and writes the performance impact as
1
where 2 is attributable to pixel loss and 3 to color strips (Kang et al., 2024). In the reported experiments, 4 correspond to 5, 6, 7, 8, 9, and 0 of total rows, and color strips account for approximately 1 of the overall performance drop on image classification (Kang et al., 2024).
A subsequent modeling paper built a simulation method for generating adversarial images from row-drop patterns and found that the effects of simulated adversarial images were indistinguishable from those from real attacks at the model-output level. Across classification, face recognition, monocular depth estimation, object detection, and instance segmentation, most models demonstrated vulnerabilities; in a pilot study, adversarial training improved robustness and recovered up to 2 performance (Zhang et al., 2024). Object-detection studies further reported that YOLOv8 and Faster R-CNN degraded substantially under real ESIA images, while Co-DETR was markedly more robust after fine-tuning, though not immune under stronger attacks (Zhang et al., 2024).
In traffic-scene perception for autonomous vehicles, a dedicated simulation framework on BDD100k showed strong scenario dependence. Highway scenes were the most vulnerable: scenario-level severe detection degradation reached 3, while severe drivable-area segmentation degradation reached 4 (Liao et al., 9 Jan 2025). The qualitative consequences included missed vehicles, drivable-area shrinkage, and, in some cases, segmentation of reverse lanes as drivable (Liao et al., 9 Jan 2025).
The camera literature has also begun to separate distinct artifact families. One line studies semi-transparent rainbow-like color artifacts induced in CMOS sensors through carefully tuned electromagnetic interference. For an OV5647 connected by a CSI-2 ribbon cable, rainbow artifacts appeared at a carrier frequency of 5 MHz with baseband frequencies between 6 and 7 kHz, and they propagated through the ISP pipeline to produce substantial degradation in modern object detectors (Zhang et al., 10 Jul 2025). Another line emphasizes color strips and row loss rather than rainbow patterns, but both results reinforce the same point: the entire sensing stack from analog front-end through ISP and ML model is part of the attack surface.
LiDAR extends the problem into cross-modality injection. By radiating RF energy into internal modules of an optical time-of-flight sensor, the PhantomLiDAR attack manipulates output through Points Interference, Points Injection, Points Removal, and LiDAR Power-Off on five COTS systems (Jin et al., 2024). The direct ranging model remains
8
but the EM signal perturbs the receiving circuit, monitoring sensors, or beam-steering encoder so that 9, diagnostic state, or rotational-speed measurement becomes wrong (Jin et al., 2024). Reported results include over 0 fake points per frame on a VLP-16, hiding of a car at distances up to at least 1 m in static tests, and moving-scenario hiding success rates above 2 (Jin et al., 2024).
6. Detection, mitigation, and open research directions
Defenses fall into several layers. Hardware and layout countermeasures aim to reduce coupling, linearize response, and prevent demodulation. The survey literature emphasizes differential signaling and symmetry, filtering induced RF before non-linear stages, using front-ends with wide linear range, shielding sensitive analog blocks, shielding signal and power cables, and careful feedthrough filtering. Differential comparators were reported to provide up to 3 dB attenuation in ECG and implantable medical-device settings, while a simple low-pass filter attenuated injected EM by about 4 dB in a headset attack (Giechaskiel et al., 2019). These measures help, but they do not eliminate the underlying problem: apertures, necessary cables, and magnetic fields all limit shielding performance, and aggressive filtering can degrade legitimate dynamics (Giechaskiel et al., 2019).
Sampling-based and software-assisted detection offer a different strategy. One class of methods uses secret on/off patterns and oversampling so that off-samples should read approximately zero; with an 5-bit secret, the probability of an undetected attack is approximately 6 (Giechaskiel et al., 2019). Randomized sampling schedules and dynamic sample rates likewise break the periodicities exploited by resonant or aliasing-based injection (Giechaskiel et al., 2019). For actuators, a practical detection method was demonstrated in which the microcontroller monitors the control signal and detects attacks as deviations from the intended value without high-rate sampling or signal processing; the paper reports that the method is general, easy to integrate, and can deal with adversaries with arbitrarily high transmission power (Zhang et al., 2022).
Camera-specific mitigations have begun to move beyond diagnosis. A lightweight image-level defense against ESIA uses median interpolation over a 7 neighborhood to reconstruct dropped pixels; it partially recovers classification performance under moderate attack strength but degrades sharply when 8–9 of rows are lost (Kang et al., 2024). More systematically, simulated ESIA artifacts have been used for adversarial training; in the reported object-detection study, performance recovery reached up to 0 under attack, indicating that robustness training with physically grounded artifacts can be effective even when clean-image fine-tuning alone is not (Zhang et al., 2024).
In feedback-controlled power systems, proposed defenses include redundant protection circuits, shielding, filtering on feedback and sensor lines, thermal fuses or PPTC devices, and higher-layer attack detection on sensors and actuators (Szakály et al., 2023). In practice, these are often last lines of defense rather than complete solutions. A plausible implication is that any mitigation architecture that still trusts a single analog measurement channel remains exposed to the same class of attack.
Open problems remain substantial. The survey literature explicitly identifies the search for optimal modulation schemes, precise actuator control via EM, reliable injection into highly integrated digital ICs, conducted EM attacks through mains infrastructure, standardized evaluation methodology, realistic range and power characterization, and eventual certification and regulation for safety- and security-critical devices (Giechaskiel et al., 2019). Recent results on cameras, LiDAR, TEEs, and EV charging ports indicate that the open challenge is not confined to one modality or one industry sector. The recurring technical theme is that the analog domain is part of the security boundary: wherever unauthenticated physical-layer signals are trusted as measurements, control values, or hardware states, electromagnetic signal injection remains a credible attack model.