Electromagnetic interference (EMI) affects circuits by inducing voltages on conductors. Analog sensing of signals on the order of a few millivolts is particularly sensitive to interference. This project aims at measuring and understanding the susceptibility of analog sensor systems to signal injection attacks by intentional, low-power emission of chosen electromagnetic waveforms. We are developing defense mechanisms by leveraging actuators in the system to probe for ground truth and reduce the risks.
In an EMI signal injection attack, the adversary manipulates the input to the device by emitting chosen electromagnetic waveforms. On the victim's receiving circuit, it is then hard to determine if a waveform on its conducting traces is due to the real signal or an induced chosen waveform. As a result, the sensor readings may not reflect the actual physical parameter being measured and this may affect the decision making process.
The EMI signal injection attacks can happen in two ways. First, the chosen signal can be at the same frequency as the physical parameter the sensing circuit is designed to measure, as illustrated in the middle row in the figure. In the devices we studied, those frequencies are in the Very Low Frequency (VLF) and Extremely Low Frequency (ELF) range of the electromagnetic spectrum, with corresponding wavelengths in the order of several kilometers or more. The mismatch between the victim’s circuit size and the wavelength can be compensated with increased power.
The second way to inject a signal, if low pass filters are not used, is to send the chosen waveform combined with a high frequency carrier as shown in the bottom row of the figure. The components inside the sensing circuit can demodulate the signal if the carrier is chosen carefully.
Our defenses include monitoring the surrounding electromagnetic fields for conditions that could support EMI signal injection, and developing system level probes to determine the trustworthiness of the incoming signal.
Injection of voice signals.
Injection of DTMF signals.
Chapter in , Ph.D. thesis, , In (), Tech report , , (), , . . .