Detection of EMI Attacks

The document discusses electromagnetic interference (EMI) attacks on sensor systems. It proposes a novel detection method that modulates the sensor's power to detect attacking signals when the sensor output should be quiet. The detection method was implemented on a microphone and temperature sensor, demonstrating its effectiveness at discovering attacking signals without many extra components. The method provides detection without fully blocking interference like EMI filters.

Uploaded by

assurendran
Detection of Electromagnetic Interference Attacks on Sensor Systems

Youqian Zhang, University of Oxford
Kasper Rasmussen, University of Oxford

Abstract—Sensor systems are used every time a microcontroller needs to interact with the physical world. They are abundant in home automation, factory control systems, critical infrastructure, transport systems and many, many other things. In a sensor system, a sensor transforms a physical quantity into an analog signal which is sent to an ADC and a microcontroller for digitization and further processing. Once the measurement is in digital form, the microcontroller can execute tasks according to the measurement. Electromagnetic interference (EMI) can affect a measurement as it is transferred to the microcontroller. An attacker can manipulate the sensor output by intentionally inducing EMI in the wire between the sensor and the microcontroller. The nature of the analog channel between the sensor and the microcontroller means that the microcontroller cannot authenticate whether the measurement is from the sensor or the attacker. If the microcontroller includes incorrect measurements in its control decisions, it could have disastrous consequences.

We present a novel detection system for these low-level electromagnetic interference attacks. Our system is based on the idea that if the sensor is turned off, the signal read by the microcontroller should be 0V (or some other known value). We use this idea to modulate the sensor output in a way that is unpredictable to the adversary. If the microcontroller detects fluctuations in the sensor output, the attacking signal can be detected. Our proposal works with a minimal amount of extra components and is thus cheap and easy to implement.

We present the working mechanism of our detection method and prove the detection guarantee in the context of a strong attacker model. We implement our approach in order to detect adversarial EMI signals, both in a microphone system and a temperature sensor system, and we show that our detection mechanism is both effective and robust.

I. INTRODUCTION

A sensor is an interface between the physical world and an electronic circuit, and it is the device that can convert physical quantities such as temperature, gravity, and sound into electrical signals in the form of analog voltages. Sensors are widely applied in our daily lives. For example, in our smartphones, an ambient light sensor measures light so that the brightness of the screen can be adjusted accordingly; an accelerometer can monitor motion of the smartphone, and thus the phone can track user’s steps. A microphone is also a sensor that collects audio signals such as voice commands. Sensors can also be found in critical applications such as automobiles and nuclear plants. For example, a light detecting and ranging (LiDAR) sensor helps the automobile to see the surroundings, and a temperature sensor can monitor a temperature of a cooling system of a nuclear reactor. Sensors are highly integrated into our infrastructure and modern life in general, and hence it is essential to be concerned with the security and correctness of sensor measurements.

In a sensor system, a sensor transforms a physical quantity into an analog signal which is sent to a microcontroller. Without an authentication scheme, the microcontroller has no choice but to trust the measurement. The wire that connects the sensor to the microcontroller is subject to electromagnetic interference (EMI). An attacker can use EMI to remotely, using easily available radio equipment, inject an attacking signal into the sensor system and change the sensor output, regardless of the sensor type. We cover this process in detail in Section II. As a result, the attacker can manipulate the microcontroller into believing that a measurement was obtained by the legitimate sensor. For example, an air conditioner can adjust the temperature of the air according to the room temperature. Suppose an attacker remotely sends an attacking signal to hold the sensor output at a level that corresponds to a low temperature, the air conditioner is deceived into continuously expelling hot air. As a result, the room becomes warmer and warmer. This might seem rather harmless, but a similar attack can be done to the cooling system of a nuclear power plant, or the pitch control of a fly-by-wire helicopter.

To protect a sensor system from attacks, existing defense strategies such as shielding and EMI filters have been well studied. Although shielding and EMI filters can significantly attenuate EMI, they do not fully block interference, nor do they provide the system with an ability to detect an attacking signal. In this paper we propose a novel defense method to detect an attack. Our method is based on the idea that when the sensor has its power switched off, the output of the sensor should be “quiet”. If an attacking signal is maliciously induced into the sensor system during the “quiet” period, the microcontroller can detect this.

We summarize our contributions as follows:
• We propose a novel method to detect EMI attacks by modulating the sensor power, and monitoring the output.
• We analyze the security of the detection method and prove that our method can be bypassed only with a negligible probability.
• We deploy the detection method on an off-the-shelf microphone module as well as a thermistor, to demonstrate the feasibility and robustness of discovering an attacking signal for both constant and non-constant signals.
In the following sections, we first briefly present some background on EMI attacks and explain how to remotely inject a malicious signal into a sensor system in Section II. In Section III, we present an overview of our detection scheme and introduce the system and adversarial model. In Section IV, we present in detail how our defence method works and we analyze the security of the method. Then, in Section V, we show how to still maintain some security guarantee even if the measured quantity becomes non-constant (in the measuring period). Implementations of the detection method in a microphone system and a temperature sensor system are described in Section VI. We discuss a few additional points in Section VII and summarize related work in Section VIII. Finally, the whole work is concluded in Section IX.

II. BACKGROUND ON ELECTROMAGNETIC INTERFERENCE ATTACK AGAINST SENSOR SYSTEM

In recent years, sensor systems have been widely deployed in different applications such as smart devices and automobiles. Attackers can exploit electromagnetic interference (EMI) to modify sensor readings, and such attacks may threaten users’ privacy and safety. In this section, we show a general model of sensor systems, and we explain how to inject a malicious signal into the sensor system remotely.

A. A Model of Sensor Systems

As shown in Figure 1, a sensor system consists of two essential modules: a sensor and a microcontroller. The sensor outputs a measurement to the microcontroller through a wire. An attacker can interfere with the sensor output by injecting an attacking signal into the sensor system (see details in Section II-B). When the attacking signal enters the sensor system, it is superimposed with the sensor output. The malicious sensor output is digitized by an analog-to-digital converter (ADC) in the microcontroller, and finally, an incorrect digitized sensor output is processed by the microcontroller.

Fig. 1: A sensor system consists of a sensor and a microcontroller.

B. Injecting Malicious Signals into Sensor Systems

EMI attacks can be categorized into two types: high-power EMI attacks and low-power EMI attacks. The high-power EMI attacks refer to disruption, jamming and burning to the victim system. Sabath [22] summarizes a series of criminal uses of high-power EMI tools that result in degradation or loss of the main function of the victim’s system, where technical defects, economic losses, and disasters occur. Various defense methods against the high-power EMI attacks have been studied thoroughly in previous studies [1], [2], [4], [12], [15], [18], [19], [28].

In this paper, we focus on low-power EMI attacks, in which the attacker manipulates the sensors of a victim to report the values that the attacker wishes. Examples of low-power EMI attacks can be found in prior work [10], [14], [16], [24].

To change sensor readings successfully, the attacker relies on two features of a sensor system: one is that the wire connecting the sensor and the microcontroller acts as an unintentional antenna; the other one is nonlinearity of electronic components or undersampling of an ADC. The attacker’s objective is adding a malicious signal to the sensor output. The attacker generates an attacking signal by modulating a high-frequency carrier signal. This signal is picked up by the wire connecting the sensor to the microcontroller and will cause the microcontroller to read a false value [9], [11], [16], [24]. Many researchers, including [7], [8], [10], [14], [16], [21], [27], [29], [30], exploit the nonlinearity of electronic components to inject arbitrary data into sensors. This data can be amplitude, frequency or phase modulated (AM, FM, or PM) onto the carrier. By injecting a signal with a frequency that exceeds the sampling rate of the ADC, the ADC will undersample the attacking signal at a specified interval and skip high-frequency oscillations [16], [17]. This means that the ADC can be abused to work as a demodulator for the attacking signal. As a result, the malicious signal is superimposed with the legitimate sensor output.

III. OUR APPROACH

In this section, we briefly introduce three classes of sensors on which our method is effective before explaining the core idea of our approach. The details of our defence scheme and a careful security analysis are presented in Section IV. In this section we also present the system- and adversarial models.

We classify sensors into three main types: active sensors, powered passive sensors, and non-powered passive sensors. An active sensor consists of an emitter and a receiver. The emitter sends out a signal to be reflected by a measured entity, and the receiver gathers information from the reflected signal. Examples of active sensors are ultrasonic sensors and infrared sensors. A powered passive sensor or a non-powered passive sensor has no emitter, and the sensor directly senses the physical phenomenon such as vibration or radiation of the measured entity. A powered passive sensor needs an external excitation signal or a power signal when it works. Examples of such sensors are microphones, light dependent resistors, and thermistors. A non-powered passive sensor does not need any external power signal. When the non-powered passive sensor is exposed to an entity that is expected to be measured, the sensor generates an output, which can be a voltage signal or a current signal. Sensors such as piezoelectric sensors, photodiodes, and thermocouples are non-powered passive sensors. Our approach modifies the way that the powered/non-powered passive sensor works; since the receiver of an active sensor is a powered/non-powered passive sensor, our approach also works for the active sensor. To simplify our exposition, in the rest of the paper, we use the powered passive sensor as an example to explain our approach. In Section VII-C, we will further illustrate how to suit our approach to the non-powered passive sensor. Unless
otherwise stated, sensor/sensors represent powered passive sensor/sensors hereafter.

A. Randomized Sensor Output

Before introducing our approach, we briefly recap how an attacker can change a sensor output of a sensor system. A sensor system consists of two essential modules: a sensor and a microcontroller (see details in Section II-A). The sensor readings are transmitted to the microcontroller through a wire connecting the output of the sensor and the input of the microcontroller. Unfortunately, the wire is sensitive to electromagnetic interference (EMI), and EMI can affect the sensor system by inducing voltages on the wire. An attacker can utilize the wire to inject an attacking signal into the sensor output to change the sensor readings.

We turn the sensor on and off. Turning on means that the sensor is biased at a high voltage; turning off means that the sensor is biased at 0 V (or other known voltage levels). When the sensor is on, the sensor measures the physical quantity and the sensor output carries the information of the physical quantity. As the sensor is off, the sensor output becomes a constant signal at a specific voltage level. Suppose that the attacker injects an attacking signal to the sensor system when the sensor is off, a disturbance will appear in the flat sensor output. The microcontroller can easily detect such disturbances, and hence the attacking signal is discovered. If the sensor system can randomly turn off the sensor, the attacker has to guess when the sensor is off so that she can avoid sending an attacking signal to the sensor system; otherwise, a mistake of causing an uneven sensor output when the sensor is off will directly unveil the attacker herself to the sensor system.

We require that the microcontroller can measure the physical quantity and monitor the attacking signal by turns, and hence the sensor should be switched between the on and the off states. We use a Manchester encoded code [3] as the bias voltage for the sensor, because the Manchester encoded code toggles between a high voltage level and 0 V at the midpoint of each clock cycle (see Figure 2). In our approach, the Manchester encoded code is encoded from an n-bit randomized secret sequence of zeros and ones. Because the secret sequence is randomized, the sensor is switched on and off randomly, and hence the sensor output has a randomized on-and-off pattern. In our approach, we assume that the physical quantity is constant (see details in Section III-B). Since the physical quantity is constant, as shown in Figure 2, the waveform of the sensor output is similar to the Manchester encoded code.

Fig. 2: An n-bit (n = 4) secret sequence of zeros and ones is converted to a Manchester encoded code, which is toggled between a high voltage level and a low voltage level (0 V). The sensor output carries the information of the physical quantity and the noise. After digitization, a digitized signal is obtained.

A built-in ADC digitizes the sensor output, and the microcontroller decides whether an attack occurs by checking the digitized sensor output. As shown in Figure 2, the secret sequence has n bits, and thus the Manchester encoded code has n clock cycles. Accordingly, the sensor output has n clock cycles. We define each clock cycle of the sensor output as a sub-measurement, and all n sub-measurements form a measurement. Further, each sub-measurement is digitized into two samples by the ADC: one is sampled when the sensor is biased at the high voltage, and the value of the sample is non-zero volt; the other sample is digitized when the sensor is biased at 0 V, and the value of the sample is 0 V. The microcontroller can align the digitized signal with the secret sequence precisely, and hence, given any sample, the microcontroller knows whether it should be zero or non-zero. Hereafter, based on the microcontroller’s knowledge of the secret sequence, a sample that should be non-zero is called a “non-zero sample”, and a sample that should be zero is called a “zero sample”.

Under an attack, either a zero or a non-zero sample in a sub-measurement can be influenced by the attacking signal. If the attacker alters a zero sample, the microcontroller can spot the attack immediately, as the voltage level of the zero sample is not 0 V. Conversely, if the attacker alters a non-zero sample, she will also be detected quickly. This is because the physical quantity should remain unchanged during a measurement, and all non-zero samples should be equal; however, the changed non-zero sample has a different voltage level from the other non-zero samples, and hence the attack is detected. Our detection approach is detailed in Section IV.

If the sensor system does not detect any attacking signal, the quantification of the physical quantity is the value of a non-zero sample. In practice, noise must be considered. As shown in Figure 2, since the sensor output is noisy, the non-zero samples vary slightly in a small range. Thus, the quantification is an average of all non-zero samples. To simplify the exposition, noise is ignored in Section IV and Section V. How to handle noise will be detailed in Section VI.

Note that researchers [26] have proposed a defense strategy named PyCRA, which detects sensor spoofing attacks by turning off the emitter in an active sensor. Details of the working principle of PyCRA and a comparison between our approach and PyCRA are presented in Section VII-D.

B. System Model

Figure 3 presents a system model of the sensor system that is equipped with our detection method. The system model consists of a sensor and a microcontroller. The sensor is driven
by a bias voltage that is controlled by the microcontroller. An output of the sensor is used to send a measurement to the microcontroller, which checks the existence of attacking signals and recovers the physical quantity from the measurement.

Fig. 3: A sensor system that is equipped with the detection method consists of a sensor and a microcontroller. The bias voltage of the sensor is controlled by the microcontroller. In the attack signal detector, unequal non-zero samples imply an attack. Also, a changed zero sample indicates an attack.

The microcontroller has three blocks including a bias voltage generator, an ADC, and an attack signal detector. The bias voltage generator encodes an n-bit secret sequence into a Manchester encoded code, which is the bias voltage for the sensor. The ADC digitizes the sensor output and transmits the digitized data to the attack signal detector to check whether an attacking signal exists. The attack signal detector has two outputs: value represents a measurement of the physical quantity; valid indicates whether value is ready to be read. If no attacking signal is detected, the measurement is assigned to value, and then valid is set to true. Hence the sensor system knows that value is valid to be further processed. However, if an attacking signal is detected in a measurement, valid is set to false throughout that measurement, which means that value is invalid to be read. Also, the microcontroller will be alerted that the sensor system is under an attack.

In our system model, we assume that the physical quantity remains unchanged in a measurement. Even though the physical quantity varies, if the duration of a measurement is short enough, we can also regard the physical quantity as constant. An example of a constant physical quantity is room temperature. The temperature changes slowly over a long period; however, in a short time such as 0.01 s, the temperature is unchanged. For each measurement, the microcontroller generates an n-bit secret sequence, and accordingly, the Manchester encoded code has n clock cycles. Two samples are digitized from each clock cycle or sub-measurement, and hence the sampling rate of the ADC is two times larger than the clock rate of the Manchester encoded code. In practice, the sampling rate of the ADC has an upper limit, and thus the clock rate of the Manchester encoded code also has a maximal value, which is a half of the fastest sampling rate. The shortest duration of n clock cycles is determined by the fastest sampling rate of the ADC. To apply our detection method, it is essential to ensure that the physical quantity is unchanged within the n clock cycles.

C. Adversarial Model

The objective of the attacker is manipulating the waveform of the sensor output without being detected by the sensor system. We suppose that the attacker cannot access the sensor system physically. Also, we assume that the attacker has no information about the n-bit secret sequence. Given any sub-measurement, we assume that the attacker knows voltage levels, but she does not know whether the voltage level transitions from the high voltage to 0 V or from 0 V to the high voltage in the midpoint of the sub-measurement (see Figure 2). Thus, the attacker has to guess the direction of the voltage level transition in each sub-measurement. Moreover, the attacker can deliberately inject a crafted signal into the sensor system, and hence the attacker can change the waveform of the sensor output as she wishes. Also, the attacker knows when the sensor module starts and stops transmitting the measurement, and she can align the crafted signal with the sensor output precisely.

IV. ATTACK DETECTION

After receiving the digitized sensor output, the attack signal detector aligns it with the corresponding secret sequence. As shown in Figure 2, each digit in the secret sequence corresponds to two samples in the digitized sensor output. A digit 1 means that the corresponding two samples are zero and non-zero in a consecutive order; a digit 0 indicates a non-zero sample and a zero sample in a consecutive order. Thus, the microcontroller knows the order of all samples. When no attacking signal exists, the digitized sensor output satisfies two requirements:
1) All non-zero samples are equal.
2) All zero samples are zero.

Once an attack occurs, either sample in a sub-measurement can be altered. The attack signal detector first checks non-zero samples. As shown in Figure 4, if the attacker only changes several non-zero samples in the measurement, the signal formed by all non-zero samples becomes non-constant.
Unequal non-zero samples imply that an attack occurs. To bypass the detection, the attacker is forced to increase or decrease all non-zero samples to the same voltage level. It is possible for the attacker to make a mistake and change a zero sample. Once a zero sample is altered by the attacker accidentally, the attack will be detected.

Fig. 4: A sensor output of a constant physical quantity. An attacker shifts one non-zero sample, and the signal formed by all non-zero samples becomes non-constant.

After checking the digitized sensor output, if an attack is discovered, the measurement is discarded. In contrast, if no attacking signal is detected, a quantification of the physical quantity can be obtained. As it is discussed in Section III-A, the quantification is the value of a non-zero sample; however, in practice, considering the existence of noise, it can be calculated by averaging all non-zero samples.

A smart attacker must guess whether a sample is zero or non-zero. To avoid being detected, the attacker must not affect any zero sample, and she must alter all non-zero samples to keep them the same. In Figure 3, we present an example of detecting an attacking signal in the sensor system. The attacker aims to alter the first and the third sub-measurements of the sensor output. In the first sub-measurement, the attacker makes a correct guess, and a high-frequency signal is added to the non-zero half cycle. However, in the third sub-measurement, the attacker makes a wrong guess and adds the high-frequency signal to the zero half cycle. After digitization, two samples are shifted up: the non-zero sample in the first sub-measurement and the zero sample in the third sub-measurement. Compared with other non-zero samples, the non-zero sample in the first sub-measurement has a different value, and the attack signal detector can discover the attack immediately. In the third sub-measurement, the second sample should have been zero; however, it is shifted to a non-zero value, and the microcontroller can notice the change. As a result, the attacking signal can be detected.

Interfering with the Bias: As described above, the detection method is used to spot attacking signals that are injected into the sensor system through the wire connecting the sensor output and the ADC. However, in practice, the wire controlling the bias of the sensor may also be an unintentional antenna. An attacking signal that is injected into this wire may alter the voltage levels of several specific periods of the Manchester encoded code. Further, the corresponding periods of the sensor output are impacted. For example, some periods that should have been at a certain voltage level are at other voltage levels; some periods that should have been 0 V are not zero. After digitizing the sensor output, the microcontroller may spot that non-zero samples are unequal and some zero samples are lifted. Therefore, our method can also detect attacks affecting the bias. For simplicity, we only regard the wire connecting the sensor and the ADC as the injection point of an attacking signal hereafter.

A. Security Analysis

Only when the attacker changes all non-zero samples without influencing any zero sample, can she avoid being detected by the sensor system. In this section, we prove that the attacker can bypass our detection method with a negligible probability.

For a constant physical quantity, all non-zero samples in a measurement have the same voltage level. To avoid being detected by the sensor system, the attacker must change all non-zero samples to the same voltage level. Thus, the attacker must correctly guess the order of the zero and the non-zero samples in every sub-measurement. There are two combinations of the order of samples in a sub-measurement, and the probability of correctly guessing the order is $\frac{1}{2}$. Considering a measurement with n sub-measurements, the probability of correctly guessing the orders is $\frac{1}{2^n}$. In other words, the probability of bypassing the detection method in one measurement is $\frac{1}{2^n}$, which is negligible. The larger the n is, the more difficult it is for the attacker to achieve the attack.

V. NON-CONSTANT PHYSICAL QUANTITY

In the previous section, we describe our approach regarding constant physical quantities. However, there are physical quantities such as sounds that oscillate rapidly; even though the sampling rate of an ADC reaches the maximum, the digitized non-zero samples may have different values in a measurement. We call such a physical quantity a non-constant physical quantity, and an example is shown in Figure 5a.

Fig. 5: The attacker alters a non-zero sample in the digitized sensor output. (a) A sensor output of a non-constant physical quantity. (b) A digital low-pass filter removes the spikes.

If the attacker affects either a non-zero sample or a zero sample in a constant physical quantity, our approach can detect the attack (see details in Section IV). For a non-constant physical quantity, unequal non-zero samples do not indicate an attack anymore. This means that, if the attacker plans to alter one sample only, she can bypass the detection with a probability of $\frac{1}{2}$. For example, as shown in Figure 5a, the attacker wants to affect the third clock cycle: if she changes the non-zero sample, she succeeds; otherwise, changing the zero sample still leads to an alert of the attack. Compared with the detection method for a constant physical quantity, the one for the non-constant source gives a weak security guarantee. In order to achieve a strong security guarantee, the sampling rate of the ADC must be large enough so that the physical quantity can be regarded as constant, and thus the approach for a constant source applies.

Fig. 6: A testbed is built to test a microphone system. A signal generator, which is controlled by a computer, provides the microphone module with a bias voltage. An Arduino DUE is used to collect the signal from the microphone module. The computer is used to analyze the signal.

However, in practice, a sensor system may have to handle non-constant scenarios subject to multiple limitations (e.g., sampling rates of ADCs). Then, it is necessary to revise the approach for non-constant physical quantities to detect attacks affecting either non-zero or zero samples. In this section, we describe the revised method. Also, we show that the negative impacts that are caused by attacking signals can be mitigated. We analyze the security of our detection method. Finally, we discuss an additional requirement for the ADC.
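The detection rule of Section IV and the guessing argument of Section IV-A can be checked with a short simulation. This is an added example, not code from the paper: the function names, the voltages and the noise tolerance TOL are assumptions, and the sensor output is modelled as ideal samples of a constant physical quantity.

```python
import itertools
import secrets

TOL = 0.05  # assumed noise tolerance in volts; the paper treats noise in Section VI


def secret_sequence(n):
    """n-bit randomized secret sequence, drawn from a CSPRNG."""
    return [secrets.randbits(1) for _ in range(n)]


def expected_pattern(bits):
    """Two samples per sub-measurement; True marks a non-zero sample.

    As in Section IV: digit 1 -> (zero, non-zero), digit 0 -> (non-zero, zero).
    """
    pattern = []
    for b in bits:
        pattern += [False, True] if b == 1 else [True, False]
    return pattern


def sensor_output(bits, quantity):
    """Digitized output of a constant quantity under Manchester-coded bias."""
    return [quantity if on else 0.0 for on in expected_pattern(bits)]


def inject(samples, guess_bits, offset, targets=None):
    """Model of the attacker: add `offset` to the half cycle she believes is
    non-zero, in each targeted sub-measurement (all of them by default)."""
    out = list(samples)
    targets = range(len(guess_bits)) if targets is None else targets
    for i in targets:
        out[2 * i + (1 if guess_bits[i] == 1 else 0)] += offset
    return out


def detect(bits, samples, tol=TOL):
    """Attack signal detector. Returns (valid, value) as in the system model."""
    pattern = expected_pattern(bits)
    zero = [s for s, on in zip(samples, pattern) if not on]
    nonzero = [s for s, on in zip(samples, pattern) if on]
    if any(abs(s) > tol for s in zero):        # requirement 2: zero samples are zero
        return False, None
    if max(nonzero) - min(nonzero) > tol:      # requirement 1: non-zero samples are equal
        return False, None
    return True, sum(nonzero) / len(nonzero)   # quantification: average of non-zero samples


def bypass_count(bits, quantity=1.5, offset=0.5):
    """Try every possible attacker guess of the sample orders and count the
    guesses that change the measurement without being detected."""
    clean = sensor_output(bits, quantity)
    undetected = 0
    for guess in itertools.product([0, 1], repeat=len(bits)):
        valid, value = detect(bits, inject(clean, guess, offset))
        if valid and abs(value - quantity) > TOL:
            undetected += 1
    return undetected


if __name__ == "__main__":
    bits = secret_sequence(8)
    total = 2 ** len(bits)
    print(f"secret sequence: {bits}")
    print(f"undetected guesses: {bypass_count(bits)} of {total}")
```

Exactly one of the 2^n guesses, the secret sequence itself, passes both checks, which is the $\frac{1}{2^n}$ bound of Section IV-A for an attacker who guesses uniformly at random.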

A. Attack Detection for Non-constant Physical Quantities


1
An attacker can change any numbers of non-zero samples. method is 2k , which is negligible. If k is small, the attacker
Without loss of generality, we assume that the attacker plans to change k (1 ≤ k ≤ n) out of n samples. She can achieve the modification without being detected with a probability of $\frac{1}{2^k}$ (see details in Section V-B). When a few samples are changed, as shown in Figure 5a, the modified sample leads to a spike in the measured signal. Without knowing any information about the measured signal, we can do nothing to detect the change. However, if we know concrete characteristics that can describe the behavior of the non-constant signal, we can recognize modified samples as outliers. As depicted in Figure 5b, if we know the bandwidth of the measured signal, we can recognize the sample that causes a spike beyond the band as an outlier. Moreover, if we have a model of the measured signal, we can recognize the sample that fails to fit the model as an outlier. Although a few modified samples form spikes in the measured signal, the major information of the physical quantity may still be retained. For example, regarding an audio signal, a spike in the measured signal sounds like a chirp; however, a listener can still understand the information that is conveyed in the audio signal. A digital low-pass filter can be used to filter out the spike so that the negative impacts can be mitigated.

If the attacker changes many samples, the modified samples dominate, and she may bypass the detection of outliers. However, the probability of not affecting zero samples is $\frac{1}{2^k}$, which exponentially decreases with the number of samples that the attacker wishes to change. Therefore, changing more samples increases the difficulty of bypassing the detection.

B. Security Analysis

We have assumed that the attacker plans to change k (1 ≤ k ≤ n) out of n non-zero samples. When k = n, the probability of bypassing the detection method is the same as the one for a constant physical quantity. When 1 ≤ k < n, the attacker needs to guess the orders of samples in k sub-measurements. The probability of bypassing the detection

can easily achieve an attack, but the impacts of the modified samples are small; while k is large, it is difficult for the attacker to bypass the detection method.

C. The Sampling Rate of the ADC

To ensure that the measurement contains complete information of the physical quantity, according to the Nyquist-Shannon sampling theorem, the clock rate of the Manchester encoded code should be at least twice the bandwidth of the non-constant physical quantity. Since the sampling rate of the ADC is twice the clock rate of the Manchester encoded code, the sampling rate is at least four times the bandwidth of the physical quantity.

VI. IMPLEMENTATION

In this section, we implement our approach on two sensor systems: a microphone system (see Section VI-A) and a temperature sensor system (see Section VI-B). In each sensor system, we first show how an attacker can remotely modify sensor readings by EMI, and then we present the effectiveness and robustness of our detection method.

A. Microphone System

A microphone can convert sound into an electrical signal. At present, microphones can be found in many different devices such as smartphones, headphones, and laptops. In a microphone system, a wire is used to connect a microphone module and a microcontroller, and hence the attacker can exploit the wire to inject an attacking signal into the microphone system. For example, an attacker can inject voice commands into a smartphone through EMI, and the voice assistant system can be asked to execute malicious tasks in the smartphone. Note that humans cannot hear any EMI, and hence the user cannot notice the attacking signal.
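The $\frac{1}{2^k}$ bypass probability from the security analysis in Section V-B can be checked with a short simulation, which also applies the zero-sample bound check and edge-sample removal that Section VI describes. The following Python code is an added example, not code from the paper: the voltage levels, noise and edge-sample models, the Manchester bit convention and all function names are assumptions made for illustration.

```python
import random

# Constructed values for illustration (not measurements from the paper).
ZERO_BOUND_V = 0.015     # zero samples must stay within [0, ZERO_BOUND_V]
NOISE_V = 0.005          # peak noise, well inside the bound
INJECTED_V = 0.2         # offset the injected signal adds to one half cycle
SAMPLES_PER_HALF = 8     # ADC samples per half clock cycle, edges included


def manchester(secret):
    """Map each secret bit to (first_half_on, second_half_on).

    Assumed convention: 1 = high-to-low (on, off), 0 = low-to-high (off, on).
    """
    return [(True, False) if bit else (False, True) for bit in secret]


def measure(secret, signal, attack, rng):
    """Simulate the ADC samples of one measurement.

    signal[i]: sensor output of sub-measurement i while the bias is on.
    attack:    {sub-measurement index: half cycle (0 or 1) that is injected}.
    """
    samples, prev = [], 0.0
    for i, pattern in enumerate(manchester(secret)):
        for h, is_on in enumerate(pattern):
            level = signal[i] if is_on else 0.0
            if attack.get(i) == h:
                level += INJECTED_V
            half = [level + rng.uniform(-NOISE_V, NOISE_V)
                    for _ in range(SAMPLES_PER_HALF)]
            half[0] = (prev + level) / 2      # sample caught on the signal edge
            samples.extend(max(0.0, s) for s in half)  # ADC reads >= 0 V only
            prev = level
    return samples


def detect(secret, samples, drop_edges=True):
    """Return True if any zero sample lies outside [0, ZERO_BOUND_V]."""
    pos = 0
    for pattern in manchester(secret):
        for is_on in pattern:
            half = samples[pos:pos + SAMPLES_PER_HALF]
            pos += SAMPLES_PER_HALF
            if drop_edges:
                half = half[1:-1]             # first and last sample of a half
            if not is_on and any(not 0.0 <= s <= ZERO_BOUND_V for s in half):
                return True
    return False


def bypass_rate(n, k, trials, seed=1):
    """Fraction of measurements in which a guessing attacker stays undetected.

    The attacker targets k of n sub-measurements and tosses a fair coin per
    target to pick the half cycle she injects into.
    """
    rng = random.Random(seed)
    undetected = 0
    for _ in range(trials):
        secret = [rng.randint(0, 1) for _ in range(n)]
        signal = [rng.uniform(0.5, 1.0) for _ in range(n)]  # non-constant
        attack = {i: rng.randint(0, 1) for i in rng.sample(range(n), k)}
        if not detect(secret, measure(secret, signal, attack, rng)):
            undetected += 1
    return undetected / trials


if __name__ == "__main__":
    for k in range(0, 5):
        print(f"k={k}: simulated {bypass_rate(4, k, 10000):.4f}, "
              f"expected {1 / 2 ** k:.4f}")
```

Calling `detect` with `drop_edges=False` on an attack-free measurement raises a false alarm, which is why the samples taken on signal edges are discarded before the bound check.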
1) Setup: In Figure 6, the setup of the microphone system is presented. The microphone system consists of a computer, a signal generator, an off-the-shelf microphone module, and an Arduino DUE. The computer controls a RIGOL DG4062 signal generator to generate a bias voltage for the microphone. The microphone converts the sound into a voltage signal, which is further amplified by the amplifier. The output of the amplifier is biased at 1.65 V. Then, the output of the microphone module is digitized by a built-in ADC in the Arduino DUE at a sampling rate of 666.8 kHz. Next, the Arduino DUE sends the digitized data to the computer through a serial port. Finally, we can use the computer to analyze the digitized signal.

Note that the sampling rate we choose is higher than the minimum theoretical sampling rate required. According to Section V-C, the sampling frequency should be at least four times the bandwidth of the physical quantity. Since the microphone in our experiment can measure up to 20 kHz, the sampling frequency is 80 kHz in theory. However, in practice, we need to consider samples that are digitized from signal edges, and hence the sampling rate is higher than the theoretical one. Details are discussed in Section VI-A3.

There are two signal sources: one is a legitimate sound from a speaker of a Motorola XT1541 Moto G3 smartphone, and the other is an attacking signal from the attacker. The attacker uses an R&S SMC 100A signal generator to amplitude-modulate a malicious signal on a 144 MHz carrier signal to form the attacking signal. Then, the attacking signal is radiated through a 144 MHz omnidirectional vertical antenna. The reason why 144 MHz is chosen as the carrier frequency of the attacking signal is that, by experiment, the 144 MHz signal can be received by the unintentional antenna in the microphone module effectively. Both the antenna and the speaker are placed 10 cm away from the microphone module.

2) Without the Detection Method: Without the detection method, the microphone system cannot determine whether the signal is legitimate or malicious. In the following parts, we will show that the attacker can remotely inject a malicious signal that is similar to the audio signal into the microphone system.

The signal generator is configured to output a constant 300 mV signal, and thus the microphone is biased at 300 mV. We first play a 1 kHz audio signal through the speaker of the mobile phone at the maximal volume. Next, we turn off the speaker, and an attacking signal, which is generated by modulating the 1 kHz malicious signal on a 144 MHz carrier signal, is emitted through the antenna at −5 dBm. The attacking signal is demodulated by the nonlinear electronic components (e.g., amplifiers and ADCs) in the microphone system, and a 1 kHz digitized malicious signal is obtained.

In Figure 7, two 1 kHz signals that are reconstructed by the computer are presented: one is the signal from the speaker; the other one is induced by the attacker. It can be observed that, without our detection method, it is difficult to tell whether a received signal is from the speaker or the attacker: both the sound and the malicious signal are 1 kHz, and they have similar amplitudes. It is known that Pearson’s correlation coefficient (PCC) can be used to measure the linear correlation of two signals [5], [23], and PCC is a suitable metric to show the similarity of two signals in our experiments. The PCC of the 1 kHz audio signal and the 1 kHz malicious signal is above 0.93, which means that these two signals have a high similarity. Above all, the attacker can control the output of the microphone system and deceive the microcontroller.

Fig. 7: One 1 kHz signal is the sound, and the other 1 kHz signal is from the attacker, who injects the 1 kHz malicious signal into the microphone system by EMI. The similarity of these two signals is above 0.93.

Fig. 8: Measure the bound of zero samples and the time of the signal edges by an oscilloscope with a sampling frequency of 2 GHz.

3) Applying the Detection Method: From the experimental results above, the microphone system may regard the malicious signal as the legitimate audio signal. In this part, we illustrate how to deploy the detection method to the microphone system to detect the attacking signal.

When the detection method is applied to the microphone system, the computer repeatedly transmits a secret sequence of [1100] to the signal generator, and the signal generator encodes the secret sequence into a Manchester encoded code with a clock rate of 40 kHz. The Manchester encoded code toggles between 0 mV and 300 mV. Note that the bias voltage is for the microphone, which is denoted as “Mic” in Figure 6, instead of
the amplifier¹. In Figure 8, without any audio signal or attacking signal, we present the output of the microphone module that is captured by a RIGOL DS2302A Digital Oscilloscope, which has a sampling frequency of 2 GHz.

¹ If the Manchester encoded code is used to bias the amplifier, when the amplifier is off, an attacking signal that is injected before the amplifier does not affect the output of the amplifier. This means that attacks that affect zero samples cannot be detected.

When the computer receives the digitized signal from the Arduino DUE, three practical challenges in the microphone system need to be considered before checking the existence of an attack. The first challenge is synchronizing the digitized signal with the secret sequence. Each digit in the secret sequence corresponds to one sub-measurement, and the value of the digit decides the direction of the voltage level transition at the midpoint of the sub-measurement. Only if the digitized signal is aligned with the secret sequence precisely will the computer know whether a specific sample is zero or non-zero. In practice, we configure the signal generator so that there is always a voltage level transition from high to low at the beginning of the first sub-measurement so that we can identify the start point of the digitized signal. Further, it is easy to align the digitized signal with the secret sequence.

Another practical challenge is how to handle samples from the rising or the falling edges of the output of the microphone module. The samples from the edge can lead to a false positive alert of attack or an inaccurate measurement of the physical quantity. As shown in Figure 8, the time of the signal edge is τ = 2.45 µs. The sampling period of the ADC is $\frac{1}{f_s} = \frac{1}{666.8\,\text{kHz}} \approx 1.50$ µs, and hence at most two samples emerge from the signal edge. Also, given the sampling rate and the clock rate, we can find that there are 16 samples in each sub-measurement. Thus, to eliminate the negative impacts of the edge samples, we remove the first and the last samples in each half cycle.

The third practical challenge is determining the voltage level of zero samples. Because the output of the microphone module is centered at 1.65 V, the zero samples are shifted to a non-zero level. As shown in Figure 8, the mean value of the zero samples is 1.15 V. However, it can be observed that the zero samples fluctuate around 1.15 V, and the range of the fluctuation is ∆V = 0.04 V. Note that ∆V is also the noise tolerance of zero samples. When there is no attacking signal, the zero samples are within a range of [1.15 V − ½∆V, 1.15 V + ½∆V] = [1.13, 1.17] V. If a zero sample is outside [1.13, 1.17] V, the microphone system will be alerted to an attack.

After obtaining a measurement from the microphone module, the computer synchronizes the corresponding secret sequence with the measurement, and removes samples from edges. According to the bounds of zero samples, which are [1.13, 1.17] V, the computer can determine whether an attack occurs in the measurement. To evaluate the performance of our detection method, we consider the following three cases:

Case 1: A 1 kHz audio signal is played from the speaker at its maximal volume, and there is no attacking signal. In Figure 9a, the amplitude envelope that is formed by non-zero samples of the digitized sequence represents the 1 kHz component. Since no attacking signal exists, this case is a reference for the following two cases.

Case 2: Turn off the speaker, and the attacker transmits an attacking signal at −5 dBm. To inject a 1 kHz signal into the microphone system, the attacking signal is generated by modulating the 1 kHz signal on a 144 MHz carrier. As Figure 9b shows, it can be noticed that both zero and non-zero samples carry the information of the 1 kHz signal.

Case 3: Turn on the speaker, and the attacker radiates an attacking signal at the same time. The frequency of the audio signal is still 1 kHz, and the volume is unchanged. To insert a 5 kHz signal into the system, the attacker modulates the 5 kHz signal on a 144 MHz carrier, and the transmission power of the attacking signal is 0 dBm. As shown in Figure 9c, the 5 kHz signal dominates in both zero and non-zero samples.

In each case, 100 measurements are recorded. Because the physical quantity is non-constant in a measurement, we use our detection criteria of non-constant physical quantity to check whether an attacking signal exists in each measurement. Accordingly, in Case 2 and Case 3, we can calculate the true-positive rate of detecting the attacking signal. The detection results are presented in Table I. In Case 2 and Case 3, the computer finds that some zero samples are outside the bounds, and thus the attacking signal can be detected. The true-positive rates of detecting the attack are 100% in both Case 2 and Case 3. The results mean that the attacking signals exist in every measurement in these two cases.

TABLE I: Detection results of Case 2 and 3.

| Case No. | Sound | Attacking Signal (modulating signal, carrier) | True-positive Rate |
|---|---|---|---|
| 2 | - | (1 kHz, 144 MHz) | 100% |
| 3 | 1 kHz | (5 kHz, 144 MHz) | 100% |

Our experiments also show that, when there is no attacking signal (Case 1), all zero samples are within the bounds, and our detection method does not give any false positive alarm of an attack. Once the attacker accidentally increases or decreases the value of the zero sample to a value that is outside the bounds (e.g., Case 2 and 3), the attack is detected immediately.

Note that, in Case 2 and 3, the attacker initiates “dumb” attacks, which means that the attacker does not guess when the sensor is on or off. In other words, the dumb attacking signal affects every sample in the measurement. This is the reason why the true-positive rate is 100% for these two cases. In practice, it is difficult to conduct “smart” attacks that allow the attacker to do the guessing and align the attacking signal with the sensor output. In the experiment of a temperature sensor system in Section VI-B, smart attacks are simulated from real sensor data.

4) Signal Reconstruction: When no attack is detected, the final step is to recover the physical quantity. Because measurements in Case 2 and 3 are detected with attacking signals, we cannot recover the physical quantity from these two cases. In Case 1, no attacking signal is detected, and we can
recover the 1 kHz signal by excluding zero samples and edge samples in the measurement. Then, we use a digital second-order Butterworth low-pass filter with a cut-off frequency of 5 kHz to get rid of high-frequency components in the digitized signal. The recovered 1 kHz signal is shown in Figure 10. As a comparison, we also digitize the 1 kHz audio signal with the same ADC as a reference signal, and it is filtered by the same low-pass filter. The reference signal is depicted in Figure 10.

Fig. 9 [panels: (a) Case 1, (b) Case 2, (c) Case 3]: When the detection method is applied, (a) the speaker plays a 1 kHz tone; (b) the attacker transmits an attacking signal, which is generated by modulating a 1 kHz signal on a 144 MHz carrier signal at the power of −5 dBm; (c) the attacker transmits an attacking signal that is generated by modulating a 5 kHz signal on a 144 MHz carrier signal at a transmission power of 0 dBm, and the speaker plays a 1 kHz tone at the same time.

Fig. 10: Remove zero samples and edge samples to reconstruct the 1 kHz audio signal. As a comparison, the 1 kHz reference signal is presented.

We analyze the quality of the recovered signal in two aspects: similarity and Signal-to-Noise Ratio (SNR). As discussed in Section VI-A2, PCC can be used to measure the similarity between two signals. We calculate the PCCs between 100 recovered signals and the reference audio signal. The averaged PCC in Case 1 is above 0.99, which implies that the recovered signal is similar to the audio signal in the time domain.

The averaged SNR of all 100 recovered signals in Case 1 is 30.6 dB ± 0.1 dB at a 99% confidence level; the SNR of the reference signal is 29.9 dB. It can be concluded that the recovered signal has an equivalent quality to the reference signal.

B. Temperature Sensor System

We use a thermistor to build a temperature sensor system. The thermistor is a resistor that varies its resistance according to temperature. In our experiment, we choose a thermistor with a negative temperature coefficient (NTC), which means that the resistance of the thermistor increases as the temperature decreases. In order to present experimental results properly, we define the temperature measuring range as 0.0 °C to 50.0 °C, which is within the allowable measuring range of the thermistor.

In the following sections, we first introduce the setup of the temperature sensor system. Then, we demonstrate how an attacking signal affects a sensor reading. Finally, we show that our detection method can detect the attacking signal.

1) Setup: In Figure 11, we present a diagram of a thermistor circuit. The thermistor circuit is a voltage divider, which is formed by connecting an NTC thermistor and a resistor in series. The output voltage of the thermistor circuit increases as the temperature increases. We test the thermistor circuit using the setup shown in Figure 6, and we replace the microphone module with the thermistor circuit. This setup is placed in a laboratory with a constant temperature at around 25.0 °C. Since the room temperature can be regarded as a constant physical quantity, digitized samples that should be non-zero are supposed to be approximately equal. The sampling rate is set to 284 Hz, which is much lower than the one in the microphone system.

Fig. 11: A thermistor circuit is a voltage divider. When the temperature increases, the output voltage of the circuit increases accordingly.

The attacking signal has a frequency of 144 MHz, and it is radiated from a 144 MHz omnidirectional antenna. The antenna is placed 1 cm away from the thermistor circuit. Note that the distance between the antenna and the thermistor circuit is small
because we want to realize the remote injection with a low power of the R&S SMC 100A signal generator.

2) Without Detection Method: The thermistor circuit is biased at 1 V. When no attacking signal is radiated, the temperature sensor system outputs 24.9 °C ± 0.1 °C at a 99% confidence level.

Next, the attacker radiates an attacking signal, and the power of the attacking signal is increased from 13 dBm to 19 dBm with a step of 0.5 dBm. For each power level, 100 temperature measurements are recorded. We calculate the 99% confidence interval around the mean of the 100 measurements, and results are presented in Figure 12. Below 14 dBm, the attacking signal has no significant effect on the temperature measurement. When the power of the attacking signal is increased above 14 dBm, the temperature measurements increase. The 19 dBm attacking signal results in a temperature measurement of 37.9 °C ± 0.4 °C, which is approximately 13 °C higher than the true room temperature of 24.9 °C ± 0.1 °C. The curve in Figure 12 shows that the attacker can change the temperature reading of the sensor to any value she wishes. Without any detection method, the temperature sensor system cannot detect the existence of the attacking signal.

Fig. 12: The power of attacking signal is increased from 13 dBm to 19 dBm with a step of 0.5 dBm. Under the attack, the temperature is changed from 24.9 °C to 37.9 °C.

3) Applying Detection Method: The secret sequence we use is also [1100], and the clock rate of the Manchester code is set to 20 Hz. We use an oscilloscope to measure the time of the signal edge, and the width of the signal edge is around 2 ms. Given that the sampling period is $\frac{1}{284\,\text{Hz}} = 3.5$ ms, at most one sample is digitized from signal edges. In order to eliminate the negative influence caused by samples from signal edges, the first and the last sample in each half clock cycle are abandoned.

We use the oscilloscope to measure the bound of non-zero samples, which is 0.03 V; the bound of zero samples has the same value. When no attacking signal is radiated, fluctuations of non-zero samples are within 0.03 V; note that zero samples swing between 0 V and ½ × 0.03 V = 0.015 V, as the ADC in the microcontroller can only read positive voltages. Because the room temperature is a constant physical quantity, we can make the requirements concrete as follows:

• The standard deviation of all non-zero samples is smaller than or equal to ½ × 0.03 V = 0.015 V.
• All zero samples are within [0, 0.015] V.

In the following parts, a reference case (Case 1) is presented, in which no attacking signal exists. A dumb attack (Case 2) is conducted on the temperature sensor system, and then a smart attack (Case 3) is simulated from data that are collected from Case 1 and 2. In the following parts, the thermistor circuit’s voltage outputs are converted into temperature. Note that when the bias voltage is 0 V, the output is also 0 V. Since 0 V corresponds to a temperature that is beyond the measurement range of the thermistor circuit, this temperature is denoted as $T_{ref}$ (see Figure 13).

Case 1: No attacking signal is radiated from the antenna, and the microcontroller records the output of the thermistor circuit. In Figure 13a, a measurement is presented. The measured temperature is 25.5 °C ± 0.1 °C.

Case 2: In order to change the sensor reading to a significantly higher temperature, the antenna radiates an attacking signal with a power of 19 dBm. The microcontroller records the output of the thermistor circuit. A measurement is shown in Figure 13b. Note that such an attack is a dumb attack, as the attacker radiates the attacking signal continuously. The mean of the non-zero samples corresponds to a temperature of 38.3 °C ± 0.1 °C, which is around 13 °C higher than the true room temperature. The zero samples are lifted to 27.4 °C ± 0.1 °C, which indicates an attack.

Case 3: (A simulation of a smart attack) The attacker has a fair coin that has a probability of 50% of showing a head and 50% of showing a tail every time it is tossed. The attacker selects a measurement from Case 1, and each measurement contains 4 clock cycles or 8 half clock cycles (see Figure 13a). For each clock cycle, the attacker tosses the coin to decide when to send an attacking signal. A head means that the attacker radiates an attacking signal in the first half cycle and remains silent in the second half cycle. Accordingly, the first half cycle is replaced by a half cycle that corresponds to 38.3 °C ± 0.1 °C from Case 2. Conversely, a tail means that the attacker remains silent in the first half cycle and radiates an attacking signal in the second half cycle. Accordingly, the second half cycle is replaced by a half cycle that is 27.4 °C ± 0.1 °C from Case 2. After tossing the coin for all four clock cycles, we have a new measurement that is affected by a smart attack (see Figure 13c).

As shown in Figure 13c, except for the third clock cycle, the attacker’s guesses in the other three clock cycles are correct. The attacker accidentally radiates the attacking signal during the second half cycle of the third cycle: the temperature of that half cycle is raised from $T_{ref}$ to 27.4 °C. After digitization, non-zero samples form a non-constant signal, and thus an attack can be detected. Also, since samples that should be $T_{ref}$ in the third clock cycle are lifted, an alarm is raised.

In each case, 100 measurements are recorded. In Case 2, the true-positive rate is 100%, which implies that an attacking signal is detected in each measurement. Also, we repeat the simulation of smart attacks 100 times, and the true-positive rate is 93%. In theory, since the number of digits of the secret is four, the attacker has a probability of $\frac{1}{2^4}$ of guessing the secret of each measurement correctly. Among 100 measurements, the
expectation of correct guesses is $\frac{100}{2^4}$. Therefore, the theoretical true-positive rate is $1 - \frac{100}{2^4}/100 = 93.75\%$. The real true-positive rate is approximately equal to the theoretical one.

Fig. 13 [panels: (a) Case 1, (b) Case 2, (c) Case 3]: Our detection method is deployed to the temperature sensor system, and the outputs of the thermistor circuit are presented. In (a), no attacking signal exists, and the non-zero samples are approximately equal, which indicates a temperature of 25.5 °C. In (b), a dumb attacking signal is radiated, and the non-zero samples indicate a room temperature of 38.3 °C, and the zero samples correspond to a temperature of 27.4 °C. In (c), a smart attack is simulated, and a wrong guess is made in the third clock cycle.

VII. DISCUSSION

A. Guaranteeing the Security with Small n for Constant Physical Quantities

In Section IV-A, we have discussed that increasing the length of the secret sequence n leads to increasing the difficulty of bypassing the detection method. A larger n results in a more secure system. Given a fixed duration of a measurement, a larger n requires a faster sampling rate of the ADC. Because of the hardware limitations, the sampling rate has an upper limit, and thus n also has a maximal value. Even when the sampling rate is at its maximum, it is possible that n is a small number (e.g., n = 8). However, in our detection method, a small n can also guarantee the security of the sensor system.

For each measurement, the number of combinations of an n-bit secret sequence is $2^n$, and the attacker can find the correct secret sequence to bypass the detection method by trying all combinations. However, in practice, it is impossible for the attacker to try $2^n$ times, and the attacker has only one chance to change the measurement. The probability of successfully attacking the measurement without being detected is $\frac{1}{2^n}$, and this means that the expected number of successful attacks in attacking $2^n$ measurements is only one. In the other $2^n - 1$ measurements, the attacking signal is discovered by the sensor system. Imagine that the microcontroller receives $2^n - 1$ invalid measurements before one valid measurement. Because the $2^n - 1$ invalid measurements imply that the sensor system is currently under an attack, the valid measurement is still untrustworthy, and hence the microcontroller refuses to further process the valid measurement.

In general, we suggest using a large n (e.g., n = 128) to guarantee the security of the sensor system. However, limited by the sampling rate, although a substantial n may be impractical, a relatively small n is still effective to prevent an attacker from bypassing the detection method, and further, the security of the sensor system is guaranteed.

B. Trade-off between Security and Speed

In some applications, the sampling rate of an ADC is fixed. To increase the security, we can lengthen the duration of one measurement, and thus more sub-measurements are included. If the physical quantity keeps constant after lengthening the measurement, the number of sub-measurements that the attacker must change increases. As a result, it is more difficult for the attacker to change all sub-measurements without being detected. For non-constant physical quantities, to change the waveform of the sensor output effectively, the attacker has to alter more sub-measurements after lengthening the measurement. Consequently, the difficulty of bypassing the detection method also increases. Above all, without changing the sampling rate of the ADC, the security of the sensor system can be further improved at the cost of lengthening the measurement.

In summary, to achieve a more secure sensor system, we have to sacrifice the speed, which is either the speed of sampling or the speed of obtaining a measurement. In real applications, designers need to consider the constraints of their sensor systems to choose the proper option to enhance the security.

C. Our Approach for Non-Powered Passive Sensors

In order to deploy our approach to a sensor system with a non-powered passive sensor, a switch can be added between the sensor output and the ADC. Figure 14 depicts a configuration for the non-powered passive sensor. The microcontroller can “turn on” and “turn off” the sensor by controlling the switch. When the microcontroller “turns on” the sensor, the switch connects the sensor output and the ADC; thus, the microcontroller can read the sensor output. When the microcontroller “turns off” the sensor, the switch disconnects the ADC from the sensor
output. When the ADC is disconnected from the sensor output, in order to ensure that inputs to the ADC settle at a specific level, the ADC should be connected to a reference voltage.

Fig. 14: A switch that is controlled by the microcontroller is added between the output of the sensor and the ADC.

Note that the switch must be installed very close to the sensor output. The wire between the switch and the ADC must act as an unintentional antenna so that the security is the same as powered passive sensors. Otherwise, if the wire between the switch and the sensor output is long enough, this wire may work as an unintentional antenna, which is also an injection point. When the ADC is disconnected from the sensor output, the readings of the ADC will not be affected by the attacking signal. Since the zero samples will not be affected by the attacking signal, no attack will be detected.

D. Difference between PyCRA and Our Approach

Shoukry et al. [26] proposed a generalizable sensor spoofing detection method named PyCRA for sensors such as ultrasonic sensors and infrared sensors, which consist of emitters and receivers. As described in Section III, the emitter sends a challenge signal to the measured entity, and the receiver gathers information from the reflected signal. In a spoofing attack, an attacker manipulates the reflected signal. To detect such attacks, PyCRA turns off the emitter randomly, and hence the receiver should receive nothing during the shutdown of the emitter; if a reflected signal is received when the emitter is off, an attack is detected.

Our approach differs from PyCRA in the following aspects. In this paper, we show that our approach works for powered/non-powered passive sensors. Because the powered/non-powered passive sensors are the receivers of active sensors, our approach also applies to the active sensors. Hence, our approach is applicable to all three types of sensors that we define in Section III. In PyCRA, since an emitter is necessary, this method is designed for active sensors only. Thus, our approach outperforms PyCRA as our approach covers two more types of sensors.

PyCRA counts on the secrecy of the timing of voltage level changes in the challenge signal. In PyCRA, for an attacker in real life, there is a non-zero physical delay between capturing the challenge signal and radiating an attacking signal. This means that the attacker cannot align the attacking signal with the reflected signal. Researchers [25] showed that PyCRA could be entirely bypassed: suppose that the attacker has a faster sampling rate than the sensor system; when the challenge signal starts falling, the attacker can quickly spot the change and stop generating attacking signals. Because the attacker does not influence the periods that are used to detect attacks, she will not be noticed by PyCRA. However, such an attacker cannot bypass our detection method. In our scenario, the attacker has full information of the timing as it is assumed in Section III-C. In other words, our approach allows the attacker to precisely align the attacking signal with the legitimate sensor output. Even so, the attacker still must guess whether the sensor turns on or off, and a wrong guess will expose the attacker herself to the sensor system.

Regarding the threat model, in our approach, the attacker can stay far away from the sensor system, as the attacker uses EMI to remotely interfere with the sensor readings. In PyCRA, the attacker must stay in a specific area near the sensor system and the measured entity so that she can capture the challenge signal and produce a malicious reflected signal. Therefore, our approach has a stronger threat model.

For the working principle, our method detects attacks by examining both non-zero and zero samples; however, PyCRA monitors attacking signals by checking zero samples only. In other words, PyCRA cannot recognize attacks affecting non-zero samples.

VIII. RELATED WORK

Recent work on the defense methods against the low-power EMI attacks can be classified into three categories: hardware methods, software methods, and hybrid methods.

The hardware methods use specific materials or electronic components to mitigate attacking signals. There are several common strategies such as shielding, differential comparators, and filters. Regarding shielding, specific materials are used to dampen the received electromagnetic radiation. Shielding is recommended in previous studies [14], [16], [20]. Additionally, we can use a differential comparator to remove the common mode interference in the sensor signal and ground, and thus the attacking signal can be mitigated. Also, a low-pass filter can attenuate the signal outside the sensor’s baseband, and hence the attacking signal at the high-frequency band can be filtered out. However, researchers [13] showed that the parasitics in surface mount components convert the low-pass filter into a band-stop filter, which allows the attacking signal to pass. In order to solve this problem, an alternative is using an EMI filter. Although these methods effectively attenuate attacking signals, they do not have the function of detection.

The software methods detect or attenuate the attacking signal by examining the measurement at a software level. The microcontroller knows the model of the measurement, and anomalies found in the measurement may imply the existence of an attacking signal.

A hybrid method is a combination of hardware methods and software methods. In hybrid methods, microcontrollers handle attacking signals through specific channels. Researchers [16] proposed that a specialized component in the victim device could be chosen to capture the attacking signal. The captured attacking signal can be an input to an adaptive noise canceling system (which can be realized in software), and
hence the victim system can attenuate the attacking signal in the sensor signal. Also, they showed that the microcontroller in a cardiac implantable electrical device (CIED) could use its direct connection to the cardiac tissue to discern between a measured signal and an induced signal. Fujimoto et al. [6] proposed a detection method against the attacking signal in the cryptographic integrated circuit by monitoring the built-in voltage variation of the power supply using the on-chip voltmeter. These hybrid methods are devised for specific applications. In other words, they are not universal for different devices. However, our approach is designed for sensor systems that match our model, and it can be quickly deployed to the sensor systems.

IX. CONCLUSION

In this paper, we propose a novel method to detect EMI attacks for sensor systems that match our model. In our detection method, a sensor system turns off the sensor to monitor the attacking signal in the sensor output. Our detection method can prevent the sensor system from processing an attacking signal: once the microcontroller detects the existence of an attacking signal, the microcontroller refuses to handle the sensor output further. Compared with other detection methods, our approach is not only low-cost and space-saving but also can be quickly deployed.

Regarding the security of the sensor system, we proved that our detection method can be bypassed only with a negligible probability. The security of the sensor system rests on the n-bit secret sequence being unknown to the attacker. The longer the secret sequence is, the more secure the sensor system is. Also, our detection method can guarantee the security with a small n.

In practice, we deploy the detection method to a microphone system and a temperature sensor system. The high true-positive rates show that our detection method is effective and robust in detecting the attacking signal.

ACKNOWLEDGMENTS

This work was supported in part by China Scholarship Council – University of Oxford Scholarships.

REFERENCES

[1] C. Adami, C. Braun, P. Clemens, M. Joester, S. Ruge, M. Suhrke, H. Schmidt, and H. Taenzer, “HPM detector system with frequency identification,” in 2014 International Symposium on Electromagnetic Compatibility (EMC Europe). IEEE, 2014, pp. 140–145.
[2] C. Adami, C. Braun, P. Clemens, M. Suhrke, H. Schmidt, and A. Taenzer, “HPM detection system for mobile and stationary use,” in EMC Europe 2011 York. IEEE, 2011, pp. 1–6.
[3] Manchester Coding Basics, Atmel Corporation, 2325 Orchard Parkway, San Jose, CA 95131, USA, Sep. 2009.
[4] C. E. Baum and D. McLemore, “Damping Transmission-Line and Cavity Resonances,” Interaction Note, vol. 503, pp. 239–244, 1994.
[5] J. Benesty, J. Chen, and Y. Huang, “On the importance of the Pearson correlation coefficient in noise reduction,” IEEE Transactions on Audio, Speech, and Language Processing, vol. 16, no. 4, pp. 757–765, 2008.
[6] D. Fujimoto, Y.-i. Hayashi, A. Beckers, J. Balasch, B. Gierlichs, and I. Verbauwhede, “Detection of IEMI fault injection using voltage monitor constructed with fully digital circuit,” in 2018 IEEE International Symposium on Electromagnetic Compatibility and 2018 IEEE Asia-Pacific Symposium on Electromagnetic Compatibility (EMC/APEMC). IEEE, 2018, pp. 753–755.
[7] J. Gago, J. Balcells, D. González, M. Lamich, J. Mon, and A. Santolaria, “EMI susceptibility model of signal conditioning circuits based on operational amplifiers,” IEEE Transactions on Electromagnetic Compatibility, vol. 49, no. 4, pp. 849–859, 2007.
[8] H. Ghadamabadi, J. J. Whalen, R. Coslick, C. Hung, T. Johnson, W. Sitzman, and J. Stevens, “Comparison of demodulation RFI in inverting operational amplifier circuits of the same gain with different input and feedback resistor values,” in 1990 IEEE International Symposium on Electromagnetic Compatibility. IEEE, 1990, pp. 145–152.
[9] I. Giechaskiel and K. B. Rasmussen, “Taxonomy and challenges of out-of-band signal injection attacks and defenses,” arXiv preprint arXiv:1901.06935, 2019.
[10] I. Giechaskiel, Y. Zhang, and K. B. Rasmussen, “A framework for evaluating security in the presence of signal injection attacks,” arXiv preprint arXiv:1901.03675, 2019.
[11] Y. Hayashi, N. Homma, T. Sugawara, T. Mizuki, T. Aoki, and H. Sone, “Non-invasive EMI-based fault injection attack against cryptographic modules,” in 2011 IEEE International Symposium on Electromagnetic Compatibility (EMC). IEEE, 2011, pp. 763–767.
[12] R. Hoad and I. Sutherland, “The forensic utility of detecting disruptive electromagnetic interference,” in ECIW2008-7th European Conference on Information Warfare and Security: ECIW2008. Academic Conferences Limited, 2008, p. 77.
[13] R. Hurley, Design Considerations for ESD/EMI Filters: II Low Pass Filters for Audio Filter Applications, ON Semiconductor, 2007.
[14] C. Kasmi and J. L. Esteves, “IEMI threats for information security: Remote command injection on modern smartphones,” IEEE Transactions on Electromagnetic Compatibility, vol. 57, no. 6, pp. 1752–1755, 2015.
[15] R. Krzikalla and J. Ter Haseborg, “HPEM protection on HF transmission lines,” Advances in Radio Science, vol. 2, no. E. 1, pp. 79–82, 2005.
[16] D. F. Kune, J. Backes, S. S. Clark, D. Kramer, M. Reynolds, K. Fu, Y. Kim, and W. Xu, “Ghost talk: Mitigating EMI signal injection attacks against analog sensors,” in 2013 IEEE Symposium on Security and Privacy (SP). IEEE, 2013, pp. 145–159.
[17] M. Mishali and Y. C. Eldar, “From theory to practice: Sub-Nyquist sampling of sparse wideband analog signals,” IEEE Journal of Selected Topics in Signal Processing, vol. 4, no. 2, pp. 375–391, 2010.
[18] T. A. Nappholz and R. Whigham, “EMI detection in an implantable pacemaker and the like,” Jun. 16 1998, US Patent 5,766,227.
[19] W. A. Radasky, C. E. Baum, and M. W. Wik, “Introduction to the special issue on high-power electromagnetics (HPEM) and intentional electromagnetic interference (IEMI),” IEEE Transactions on Electromagnetic Compatibility, vol. 46, no. 3, pp. 314–321, 2004.
[20] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, “Proximity-based access control for implantable medical devices,” in Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009, pp. 410–419.
[21] N. Roy, H. Hassanieh, and R. Roy Choudhury, “Backdoor: Making microphones hear inaudible sounds,” in Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2017, pp. 2–14.
[22] F. Sabath, “What can be learned from documented Intentional Electromagnetic Interference (IEMI) attacks?” in General Assembly and Scientific Symposium, 2011 XXXth URSI. IEEE, 2011, pp. 1–4.
[23] P. Sedgwick, “Pearson’s correlation coefficient,” BMJ, vol. 345, p. e4483, 2012.
[24] J. Selvaraj, G. Y. Dayanıklı, N. P. Gaunkar, D. Ware, R. M. Gerdes, M. Mina et al., “Electromagnetic Induction Attacks Against Embedded Systems,” in Proceedings of the 2018 on Asia Conference on Computer and Communications Security. ACM, 2018, pp. 499–510.
[25] H. Shin, Y. Son, Y. Park, Y. Kwon, and Y. Kim, “Sampling race: Bypassing timing-based analog active sensor spoofing detection on analog-digital systems,” in 10th USENIX Workshop on Offensive Technologies. USENIX, 2016.
[26] Y. Shoukry, P. Martin, Y. Yona, S. Diggavi, and M. Srivastava, “Pycra: Physical challenge-response authentication for active sensors under spoofing attacks,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015, pp. 1004–1015.
[27] T. Trippel, O. Weisse, W. Xu, P. Honeyman, and K. Fu, “WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2017, pp. 3–18.
[28] D. J. Yonce and L. Babler, “EMI detection for implantable medical devices,” Jun. 12 2007, US Patent 7,231,251.
[29] X. Yuan, Y. Chen, Y. Zhao, Y. Long, X. Liu, K. Chen, S. Zhang, H. Huang, X. Wang, and C. A. Gunter, “CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition,” arXiv preprint arXiv:1801.08535, 2018.
[30] G. Zhang, C. Yan, X. Ji, T. Zhang, T. Zhang, and W. Xu, “DolphinAttack: Inaudible voice commands,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2017, pp. 103–117.
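The detection idea summarised in the conclusion (power the sensor off according to a secret sequence and require a quiet output in those slots) can be simulated as follows; this is an added example, not the authors' implementation. The bit-to-power mapping, amplitudes, threshold, slot length and the attacker model (an injection pattern that must cover every powered slot) are assumptions of this example.

```python
import itertools
import random

NOISE_FLOOR = 0.05   # assumed "quiet output" threshold in volts (constructed)
SLOT_SAMPLES = 16    # assumed ADC samples per power slot (constructed)

def slot_samples(powered, injecting, rng):
    """ADC samples for one slot: the legitimate signal exists only while the
    sensor is powered; an injected EMI signal appears regardless of power."""
    samples = []
    for _ in range(SLOT_SAMPLES):
        legit = 1.0 + rng.uniform(-0.2, 0.2) if powered else 0.0
        emi = 0.5 if injecting else 0.0
        samples.append(legit + emi + rng.uniform(-0.01, 0.01))
    return samples

def measure(secret, injection, seed=1):
    """Gate the sensor with the secret on/off bits (1 = powered, assumed
    mapping); `injection` is the attacker's per-slot pattern, zeros = none."""
    rng = random.Random(seed)  # fixed seed only so the simulation repeats
    return [slot_samples(p, i, rng) for p, i in zip(secret, injection)]

def attack_detected(secret, slots):
    """An attack is flagged if the output is not quiet in any powered-off slot."""
    return any(bit == 0 and max(abs(s) for s in samp) > NOISE_FLOOR
               for bit, samp in zip(secret, slots))

def undetected_full_injections(secret):
    """Try every n-bit attacker pattern; keep those that inject in all powered
    slots (every accepted reading tainted) and still are not detected."""
    survivors = []
    for guess in itertools.product((0, 1), repeat=len(secret)):
        covers = all(g == 1 for g, b in zip(guess, secret) if b == 1)
        if covers and not attack_detected(secret, measure(secret, guess)):
            survivors.append(guess)
    return survivors

if __name__ == "__main__":
    # Constructed 8-bit secret; a deployment would draw it from a CSPRNG.
    secret = (1, 0, 1, 1, 0, 0, 1, 0)
    quiet = (0,) * len(secret)
    always_on = (1,) * len(secret)
    print("clean run flagged:", attack_detected(secret, measure(secret, quiet)))
    print("continuous EMI flagged:",
          attack_detected(secret, measure(secret, always_on)))
    print("undetected patterns:", len(undetected_full_injections(secret)),
          "of", 2 ** len(secret))
```

Under these assumptions only the pattern equal to the secret escapes detection, which is why the scheme's strength in this model depends on the secrecy and length of the sequence.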
