Rethinking Security in Semantic Communication: Latent Manipulation as a New Threat
Zhiyuan Xi, Kun Zhu
TL;DR
Semantic communication (SemCom) can reduce bandwidth by transmitting latent representations, but this paper reveals a latent-space security vulnerability where a MitM attacker can covertly modify semantics without disturbing latent distributions. It introduces two attack mechanisms: DiR, a diffusion-based re-encoding that crafts attacker-targeted latents via latent diffusion editing, and TTA-LM, a training-free, gradient-driven manipulation that uses a CLIP-based semantic loss. Experiments across multiple SemCom backbones show both attacks can steer decoded content toward attacker targets while preserving natural latent statistics, making detection difficult. The work highlights the need for semantic integrity and authentication at the latent level and outlines future defenses and extensions to multimodal SemCom.
Abstract
Deep learning-based semantic communication (SemCom) has emerged as a promising paradigm for next-generation wireless networks, offering superior transmission efficiency by extracting and conveying task-relevant semantic latent representations rather than raw data. However, the openness of the wireless medium and the intrinsic vulnerability of semantic latent representations expose such systems to previously unrecognized security risks. In this paper, we uncover a fundamental latent-space vulnerability that enables a Man-in-the-Middle (MitM) attacker to covertly manipulate the transmitted semantics while preserving the statistical properties of the transmitted latent representations. We first present a Diffusion-based Re-encoding Attack (DiR), wherein the attacker employs a diffusion model to synthesize an attacker-designed semantic variant and re-encodes it into a valid latent representation compatible with the SemCom decoder. Beyond this model-dependent pathway, we further propose a model-agnostic and training-free Test-Time Adaptation Latent Manipulation attack (TTA-LM), in which the attacker perturbs and steers the intercepted latent representation toward an attacker-specified semantic target by leveraging the gradient of a target loss function. In contrast to diffusion-based manipulation, TTA-LM does not rely on any generative model and does not impose modality-specific or task-specific assumptions, thereby enabling efficient and broadly applicable latent-space tampering across diverse SemCom architectures. Extensive experiments on representative semantic communication architectures demonstrate that both attacks can significantly alter the decoded semantics while preserving natural latent-space distributions, making the attacks covert and difficult to detect.
