
Modeling Electromagnetic Signal Injection Attacks on Camera-based Smart Systems: Applications and Mitigation

Youqian Zhang, Michael Cheung, Chunxi Yang, Xinwei Zhai, Zitong Shen, Xinyu Ji, Eugene Y. Fu, Sze-Yiu Chau, Xiapu Luo

TL;DR

This work models electromagnetic signal injection attacks on camera-based smart systems and introduces a general system-and-attacker framework to study their effects. A novel simulation method generates adversarial color-strip artifacts in raw images, closely matching real attacks as validated by SSIM and mAP comparisons, allowing rapid vulnerability assessment without physical attack setups. Across multiple computer-vision tasks, many models exhibit significant susceptibility, especially in object detection and instance segmentation, while depth estimation and face recognition show relative robustness. The study demonstrates that adversarial training with simulated adversarial images can substantially mitigate impacts, recovering up to 91% of original performance, thereby offering a practical defense pathway for safety-critical AI vision systems.

Abstract

Numerous safety- or security-critical systems depend on cameras to perceive their surroundings, which in turn allows artificial intelligence (AI) to analyze the captured images and make important decisions. However, a concerning attack vector has emerged, namely, electromagnetic waves, which pose a threat to the integrity of these systems. Such attacks enable attackers to manipulate the images remotely, leading to incorrect AI decisions, e.g., autonomous vehicles failing to detect obstacles ahead, resulting in collisions. The lack of understanding regarding how different systems react to such attacks poses a significant security risk. Furthermore, no effective solutions have been demonstrated to mitigate this threat. To address these gaps, we modeled the attacks and developed a simulation method for generating adversarial images. Through rigorous analysis, we confirmed that the effects of the simulated adversarial images are indistinguishable from those of real attacks. This method enables researchers and engineers to rapidly assess the susceptibility of various AI vision applications to these attacks, without the need for constructing complicated attack devices. In our experiments, most of the models demonstrated vulnerabilities to these attacks, emphasizing the need to enhance their robustness. Fortunately, our modeling and simulation method serves as a stepping stone toward developing more resilient models. We present a pilot study on adversarial training to improve their robustness against attacks, and our results demonstrate a significant improvement by recovering up to 91% of performance, offering a promising direction for mitigating this threat.

Paper Structure (34 sections, 6 equations, 10 figures, 4 tables, 1 algorithm)

This paper contains 34 sections, 6 equations, 10 figures, 4 tables, 1 algorithm.

Figures (10)

  • Figure 1: When no attack exists, the autonomous car can accurately detect a motorcycle in the captured image. However, when under attack, the image is manipulated to display purple strips that mask obstacles, tricking the car into believing the road ahead is clear, possibly leading to a crash.
  • Figure 2: A 0 is incorrectly detected as a 1. A malicious electromagnetic signal (red) is superimposed on the original signal (blue), raising the voltage level above the threshold $V_{H}$ of the receiving circuit, so that a 1 is detected.
  • Figure 3: A camera-based smart system consists of an image sensor and a processing unit, which can capture images and process the information, respectively. When no attack happens, the processing unit can give correct results, but an attack can cause a wrong result.
  • Figure 4: Rows are dropped from a raw image $I$, leading to the raw image under the attack $I^{\prime}$. The empty places in $I^{\prime}$ will be filled by pixels from the next frame.
  • Figure 5: (a) is the raw image without attack, i.e., $I$. (b) is the raw image under attack, $I^{\prime}$. (c) is the reconstructed image of the raw image under attack, $R(I^{\prime})$, showing multiple purple strips. (d) is the simulated adversarial image $R(I^{s})$, which replicates the color strips seen in (c).
  • ...and 5 more figures
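
The row-drop model of Figure 4 and the strips of Figure 5 can be reproduced on a toy raw frame for robustness testing. This is an added example, not the authors' simulation code: the RGGB layout, the raw values, the block-wise demosaic, and the reading that strips come from rows landing on the wrong colour-filter phase are all assumptions of the illustration.

```python
# Added example: constructed frames; layout and values are assumptions.
R, G, B = 60, 120, 50  # constructed raw responses of a gray scene (green-dominant)

def bayer_frame(height, width):
    """Uniform scene sampled through an assumed RGGB colour filter array."""
    even = [R if x % 2 == 0 else G for x in range(width)]
    odd = [G if x % 2 == 0 else B for x in range(width)]
    return [list(even if y % 2 == 0 else odd) for y in range(height)]

def simulate_row_drop(frame, next_frame, dropped):
    """I -> I^s: remove the dropped rows, shift the rest up, and fill the
    empty places at the bottom with the first rows of the next frame."""
    kept = [row for y, row in enumerate(frame) if y not in dropped]
    return kept + next_frame[:len(frame) - len(kept)]

def reconstruct(raw):
    """R(.): crude demosaic, one RGB value per 2x2 block (first column only),
    assuming every block still starts on an R/G row."""
    out = []
    for y in range(0, len(raw) - 1, 2):
        r = raw[y][0]
        g = (raw[y][1] + raw[y + 1][0]) // 2
        b = raw[y + 1][1]
        out.append((r, g, b))
    return out

def strip_blocks(rgb_rows):
    """Defender-side check: block rows where red and blue both exceed green,
    which this gray scene never produces with an intact mosaic."""
    return [i for i, (r, g, b) in enumerate(rgb_rows) if r > g and b > g]

def demo():
    clean = bayer_frame(12, 4)
    # Constructed drop pattern: each lost row flips the row phase of what follows.
    attacked = simulate_row_drop(clean, bayer_frame(12, 4), dropped={2, 5, 8, 11})
    rgb = reconstruct(attacked)
    return reconstruct(clean), rgb, strip_blocks(rgb)

if __name__ == "__main__":
    clean_rgb, attacked_rgb, strips = demo()
    print("clean   :", clean_rgb)
    print("attacked:", attacked_rgb)
    print("strip block rows:", strips)
```

In this toy model a strip starts after an odd number of dropped rows and ends at the next drop, which is why the artifact appears as bands rather than a uniform tint; the same generator can supply augmented frames for adversarial training.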