Secure Integrated Sensing & Communications
- Secure ISAC is a dual-functional framework that uses a single waveform for both communication and radar sensing, ensuring message confidentiality and sensing privacy.
- It employs joint optimization techniques—including waveform design, beamforming, and artificial noise injection—to balance rates, sensing utility, and security constraints.
- Physical-layer security measures and architecture-level strategies such as cooperative jamming and secure precoding mitigate threats from both passive eavesdroppers and active adversaries.
Searching arXiv for papers on secure ISAC to ground the article in the current literature. Secure Integrated Sensing and Communications (ISAC) denotes ISAC systems in which the same transmitted signal is used for communication and sensing while confidentiality, sensing privacy, and trustworthiness are enforced against passive and active adversaries. In 6G-oriented formulations, secure ISAC is motivated by the fact that joint waveform reuse can improve spectrum and energy efficiency, yet the same reuse also creates a dual-functional attack surface: communication users, sensing targets, passive eavesdroppers, and malicious targets may all infer information from the same waveform or from reflected echoes. Contemporary work therefore treats secure ISAC as a joint design problem over waveform construction, beamforming, artificial noise, sensing-assisted adaptation, and architecture-level protection rather than as a conventional add-on of encryption and key management alone (Su et al., 19 Mar 2025, Wei et al., 2021, Welling et al., 27 Apr 2026).
1. Canonical models and problem formulations
A standard secure-ISAC architecture consists of a dual-functional base station or access point equipped with transmit and receive antennas, single-antenna legitimate communication users, one or more radar or sensing endpoints, and passive eavesdroppers that may be collocated with sensing endpoints. In narrowband MISO formulations, the legitimate and eavesdropping channels are represented by and , while the sensing direction is represented through a steering vector . The propagation model commonly combines path-loss with , Rayleigh fading or LoS-dominated mmWave structure, and receiver noise variance , giving for a communication user (Su et al., 19 Mar 2025).
The unification of communication and sensing is usually cast as a constrained multi-objective design. A canonical formulation maximizes a weighted sum of communication utility and sensing utility,
0
where 1 denotes communication rate, 2 denotes radar utility such as beampattern matching or SCNR, and 3 enforces a secrecy-rate constraint. Pareto fronts are then traced by varying 4 (Wei et al., 2021).
Information-theoretic formulations generalize this structure to state-dependent channels in which a single waveform 5 simultaneously supports communication to legitimate receivers and sensing of an environment or target parameter 6, under either passive or active adversaries. Monostatic and bistatic models, wiretap/broadcast configurations, and MIMO extensions all appear in this literature. The resulting performance is often described through joint rate–distortion–secrecy regions rather than by communication secrecy alone (Welling et al., 27 Apr 2026).
2. Threat surface, leakage channels, and vulnerability classes
Secure ISAC enlarges the notion of leakage beyond message interception. A central observation is that sensing echoes themselves carry location, velocity, and shape information, so unauthorized communication users can passively intercept these echoes and infer environment maps. In mmWave settings, communication precoder indices can also leak CSI-dependent spatial information and thereby enable user-location inference. These are ISAC-specific privacy channels that do not arise in ordinary communication links in the same form (Su et al., 19 Mar 2025).
The threat taxonomy has been organized along several orthogonal axes. One classification distinguishes “signals as victims,” including jamming and spoofing/deceptive jamming; “signals as weapons,” including passive eavesdropping and active probing; and “signals as shields,” including physical-layer security based on beamforming, null-steering, and artificial noise. Passive threats leave the waveform unchanged and are analyzed through leakage quantities such as
7
whereas active threats inject spurious signals, as in pilot-contamination attacks (Thapa et al., 4 Jan 2026).
Vulnerabilities have further been divided into design, architectural, physical-layer, and computational levels. Predictable waveforms such as OFDM pilots create spoofing risk; monostatic self-interference can be exploited by timing-shift attacks; malicious RIS injection appears as unauthorized phase-shift tampering; side-lobe leakage exposes energy into an eavesdropping region; and in-sensor analog gaps create side-channel leakage measured in bits/s. This layered view is important because secure ISAC failures can propagate vertically across layers, horizontally across network nodes, or temporally through delayed backdoors (Thapa et al., 4 Jan 2026).
Ultra-low-latency and dense deployments intensify these issues. Ultra-low-latency precludes heavy encryption, high connectivity expands the attack surface, malicious targets can masquerade as communication users or eavesdrop on radar returns, and joint waveform reuse means that the same beam serving a communication user may also illuminate an eavesdropper. A recurrent point in the literature is that traditional null-steering can nullify sensing, so secure ISAC cannot be reduced to secure beamforming in a communication-only sense (Su et al., 19 Mar 2025).
3. Physical-layer security mechanisms
Physical-layer security in ISAC is dominated by three families of methods: artificial noise injection, cooperative jamming, and constructive interference or secure precoding. In artificial-noise designs, the transmit signal superposes an information-bearing component and an artificial-noise component under a total power budget,
8
The corresponding secrecy rate is expressed as
9
A power split 0, 1 is then optimized to trade off legitimate gain against eavesdropper degradation. In ISAC, 2 can also be steered to degrade the eavesdropper’s estimated sensing or communication channel while minimally affecting radar CRB (Su et al., 19 Mar 2025).
Cooperative jamming augments this picture by introducing friendly jammers whose beamformers are selected jointly with the base-station beamformer. The design criterion maximizes
3
with robust designs placing nulls at 4 and mainlobes at 5. The method improves secrecy when properly aligned, but excessive jamming can leak into the communication-user direction or degrade sensing performance (Su et al., 19 Mar 2025).
Constructive interference exploits symbol-level precoding to turn multi-user interference into a power gain for legitimate users while creating destructive interference toward Eve or a malicious target. For QPSK signaling, one representative formulation minimizes 6 subject to symbol-region constraints for all legitimate users and an Eve suppression constraint 7, yielding an SOCP. In ISAC, radar beampattern constraints of the form
8
are imposed simultaneously to preserve sensing quality (Su et al., 19 Mar 2025).
Earlier secure-ISAC work by Z. Wei and collaborators emphasized that sensing itself can be turned into a security resource. After an initial sensing stage, the angle 9 of Eve can be estimated and nulled through
0
while robust designs incorporate angular uncertainty sets and statistical CSI errors into semidefinite programs. The same line of work also described waveform randomization, directional modulation with few-bit phase shifters, and secure precoding that jointly serve constructive interference for legitimate users and destructive regions for Eve (Wei et al., 2021).
4. Secure architectures and hardware realizations
Secure ISAC is not only a waveform problem; several works formulate architecture-level deployment paths. In 5G Open RAN, a mono-static, half-duplex sensing architecture has been proposed in which a standard gNB is augmented by a synchronized receive-only “sniffer” radio unit. The design reuses the TDD frame structure, shares sensing processing between the sniffer RU and the DU, and uses existing fronthaul interfaces so that no changes to standard 7.2x or eCPRI protocols are required beyond a small extension for encrypted sensing frames. The sensing dataflow is explicit: compressed and quantized I/Q samples are mirrored to the sniffer RU, initial DSP produces range–Doppler frames, those frames are encrypted and integrity-protected, and higher-level radar tasks then run in the DU or near-RT RIC (Lindenschmitt et al., 21 Sep 2025).
This Open RAN architecture also makes the security boundary concrete. The threat model includes passive sensing from fronthaul taps, spoofing or replay of I/Q samples, and privacy breaches through unauthorized reconstruction of people’s motion or equipment status. Countermeasures include AES-GCM or similar encryption of I/Q streams and range–Doppler frames, mutual authentication between RU and DU using X.509 certificates or PKI, I/Q scrambling and compression, replay protection via sequence numbers and nonces, and trusted execution environments in RUs. Typical encryption overhead is under 1, and the design is described as comparable to 3GPP’s 5G-NR fronthaul security but extended to raw I/Q (Lindenschmitt et al., 21 Sep 2025).
A different architectural direction is the low-cost secure ISAC transceiver based on directional modulation. In that design, full RF chains and DACs are replaced by a network of phase shifters or parasitic elements, symbol-level modulation occurs at the antenna element, echoes are collected by a separate low-noise-amplifier chain, and a digital controller updates beamformer nulls and artificial-noise patterns from sensing outputs. This architecture explicitly links low-cost hardware constraints with sensing-aided PHY security (Wei et al., 2021).
Later hardware proposals increase spatial and electromagnetic degrees of freedom. Hybrid reconfigurable intelligent surfaces introduce a common power-splitting ratio 2 so that part of the impinging signal is reflected for secure communication and part is absorbed for bistatic sensing; compound reconfigurable antenna arrays jointly optimize EM-domain and baseband-domain precoders and combiners under pattern and polarization reconfiguration; and movable-antenna secure ISAC jointly optimizes beamforming and antenna positions under imperfect Eve CSI (Gavras et al., 29 Apr 2025, Liu et al., 22 Aug 2025, Chen et al., 5 Jun 2026).
5. Metrics, fundamental trade-offs, and representative results
Secure ISAC is evaluated by a broader metric set than secure communication alone. Common communication-security metrics include secrecy rate, secrecy outage, weak and strong secrecy, equivocation, BER or SER, and intercept probability. Sensing metrics include range resolution 3, angle resolution 4 for a ULA, detection probability 5, false-alarm probability 6, SCNR, radar Cramér–Rao bound, beam coverage, and position error bound. ISAC-specific privacy metrics include mutual-information leakage about the sensed state and unauthorized-estimator distortion, while covert formulations impose KL-type relative-entropy constraints (Wei et al., 2021, Welling et al., 27 Apr 2026).
Information-theoretic work expresses these interactions as a joint rate–distortion–leakage structure. One representative formulation defines
7
and later survey work summarizes secure ISAC as a three-dimensional trade-off among communication rate 8, sensing distortion 9, and security leakage or secrecy 0 (or secrecy rate 1). This formalization is useful because it places message confidentiality and sensing privacy in the same optimization space (Thapa et al., 4 Jan 2026, Welling et al., 27 Apr 2026).
Simulation studies report several concrete operating points. Artificial noise injection can increase secrecy rate by up to 2 at modest SNRs with only a 3 penalty on radar CRB. CI-DI achieves communication-user SER within 4 while Eve-SER stays above 5 even when the communication-user–Eve angular separation is 6. In sensing-assisted two-stage PHY security, omnidirectional probing reduces CRB from 7 to 8 over 9 iterations, and secrecy rate then grows by 0 as the angle estimate improves. A sensing-privacy artificial-noise design increases the mutual-information gap 1 from 2 to 3 bits/s/Hz as AN power rises from 4 to 5 of total power (Su et al., 19 Mar 2025).
Sensing-security-specific waveforms show a different trade-off. Ambiguity-function engineering for unauthorized passive radar eavesdroppers introduces ghost targets into Eve’s range profile, quantified through peak sidelobe level and integrated sidelobe level. In the reported results, Eve requires 6–7 more target power to achieve the same 8 under a CFAR detector, while Alice suffers only about 9 dB loss; Eve’s range-estimation RMSE also increases by more than 0 m on average (Han et al., 2 Oct 2025). Under multi-intercept threats based on power detection and cyclostationary analysis, a hybrid-beamforming OFDM-ISAC design reduces the interceptor’s collected power by about 1 dB at 2 dB and produces cyclic spectra that closely match AWGN (Xu et al., 28 Jun 2025).
Hardware-enabled secure ISAC reports additional gains. Movable-antenna beamforming yields up to 3 dB radar-SINR improvement over fixed-position arrays and maintains zero outage under increasing Eve-channel uncertainty, while compound reconfigurable antenna arrays report radar sensing gains of up to 4 dB over conventional beamforming with robust communication security maintained. In HRIS-enabled secure ISAC, both genie-aided and robust schemes achieve 5 m at the true UE/Eve positions, with the robust design producing wider beams and better coverage across uncertainty regions (Chen et al., 5 Jun 2026, Liu et al., 22 Aug 2025, Gavras et al., 29 Apr 2025).
6. Cross-layer directions, sector-specific demands, and unresolved problems
Current open problems extend beyond beamforming. One set of directions emphasizes passive target or Eve classification through high-resolution joint angle/Doppler processing, cross-layer security frameworks that harmonize PHY security, MAC-layer authentication, and network-layer trust management, lightweight key management based on ephemeral physical-layer secret keys derived from radar echoes, AI-driven secure beamforming via reinforcement learning, and information-theoretic privacy metrics for environment and target data (Su et al., 19 Mar 2025).
A broader taxonomy identifies additional unresolved issues: quantum resilience, including bounded-latency quantum-safe key establishment; AI hardening through certified robustness radii for anomaly detectors; privacy-preserving sensing through PETs such as DP and PML and possibly real-time homomorphic processing; incomplete characterization of 6 under active adversaries; and still-nascent cross-layer orchestration protocols for distributed ISAC security (Thapa et al., 4 Jan 2026).
Sector-specific demands sharpen these requirements. In smart grids, deceptive jamming on PMU radar can induce phantom voltage readings; in intelligent transportation, target spoofing and V2X cross-node spoof cascades dominate; in healthcare, the threats include spoofing vital-sign estimates and passive location or biometric eavesdropping; and in UAV, industrial, and smart-city settings the literature emphasizes secure flight-control channels, low-CRB localization, zero-trust edge, consent logs, and privacy metrics (Thapa et al., 4 Jan 2026). Related V2X work argues that sensing interference and coupling interference should be treated as first-class design variables in Secure-ISAC, rather than relying only on communication interference (Yu et al., 2023).
Low-altitude security has emerged as a particularly explicit application domain. ISAC has been proposed there as a full-stack system combining cellular sensing coverage, multi-BS fusion, AI-based feature extraction and intent inference, dynamic trust authentication, and real-time collaborative control for low-altitude, slow-speed, small-size targets in airspace below 7 km. This suggests that secure ISAC may develop not only as a PHY-security topic but also as an operational trust infrastructure for future wireless-regulated environments (Ren, 20 Jan 2026).
A recurring misconception is that secure ISAC is equivalent to secure communication with an added radar function. The literature instead shows that message confidentiality, sensing privacy, beampattern control, estimation accuracy, and latency are jointly coupled because the same signal carries both functions and because unauthorized inference may target either the message or the sensed environment. For that reason, secure ISAC is increasingly studied as an end-to-end problem spanning physical-layer design, edge/cloud architecture, trust management, and sector-specific governance (Su et al., 19 Mar 2025, Welling et al., 27 Apr 2026).