Ghost Talk

Mitigating Electromagnetic Interference Signal Injection Attacks against Analog Sensors

Overview

Analog sensors may be vulnerable to baseband or modulated signals that can dominate the actual reading.
Analog sensors may be vulnerable to baseband or modulated signals that can dominate the actual reading after automatic gain control and amplification. Top row: The real signal. Middle row: Baseband signal injection and result after amplification. Bottom row: Modulated signal injection and result after amplification.

Our 2013 Oakland paper on electromagnetic interference appears here.

Electromagnetic interference (EMI) affects circuits by inducing voltages on conductors. Analog sensing of signals on the order of a few millivolts is particularly sensitive to interference. This project aims at measuring and understanding the susceptibility of analog sensor systems to signal injection attacks by intentional, low-power emission of chosen electromagnetic waveforms. We are developing defense mechanisms by leveraging actuators in the system to probe for ground truth and reduce the risks.

In an EMI signal injection attack, the adversary manipulates the input to the device by emitting chosen electromagnetic waveforms. On the victim's receiving circuit, it is then hard to determine if a waveform on its conducting traces is due to the real signal or an induced chosen waveform. As a result, the sensor readings may not reflect the actual physical parameter being measured and this may affect the decision making process.

The EMI signal injection attacks can happen in two ways. First, the chosen signal can be at the same frequency as the physical parameter the sensing circuit is designed to measure, as illustrated in the middle row in the figure. In the devices we studied, those frequencies are in the Very Low Frequency (VLF) and Extremely Low Frequency (ELF) range of the electromagnetic spectrum, with corresponding wavelengths in the order of several kilometers or more. The mismatch between the victim’s circuit size and the wavelength can be compensated with increased power.

The second way to inject a signal, if low pass filters are not used, is to send the chosen waveform combined with a high frequency carrier as shown in the bottom row of the figure. The components inside the sensing circuit can demodulate the signal if the carrier is chosen carefully.

Our defenses include monitoring the surrounding electromagnetic fields for conditions that could support EMI signal injection, and developing system level probes to determine the trustworthiness of the incoming signal.

Videos:

Injection of voice signals.

Injection of DTMF signals.

Support

This publication was made possible by the following funding sources.
  • Cooperative Agreement No. 90TR0003/01 from the Department of Health and Human Services. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of the HHS.
  • The Sloan Research Fellowship
  • The University of Minnesota Doctoral Dissertation fellowship
  • The Korean government (MEST) National Research Foundation (NRF) No. 2012-0000979
  • The Harvard Catalyst/Harvard Clinical and Translational Science Center MeRIT career development award
  • The National Science Foundation awards CNS- 1035715, CNS-0845671, CNS-0923313, GEO-1124657, and S121000000211. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.