Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers

Paul Staat, Daniel Davidovich, Christof Paar

TL;DR

This work reveals a previously overlooked vector for airgap compromise: unmodified, sensor-less embedded devices can unknowingly receive wireless signals via parasitic RF sensitivities in PCB traces and on-chip ADCs. By systematically discovering these RF sensitivities across 14 devices, the authors demonstrate practical wireless reception and covert command-and-control at distances up to tens of meters with data rates up to 100 kbps, even under non-line-of-sight conditions. They provide a rigorous methodology, quantify robustness across power, time, orientation, and device variants, and discuss mitigations such as shielding and PCB grounding. The findings challenge assumptions about physical isolation and highlight the need for hardware-aware EM resilience in embedded systems, while offering a path toward proactive vulnerability identification and defense design.

Abstract

Intelligent electronics are deeply embedded in critical infrastructures and must remain reliable, particularly against deliberate attacks. To minimize risks and impede remote compromise, sensitive systems can be physically isolated from external networks, forming an airgap. Yet, airgaps can still be infiltrated by capable adversaries gaining code execution. Prior research has shown that attackers can then attempt to wirelessly exfiltrate data across the airgap by exploiting unintended radio emissions. In this work, we demonstrate the reversal of this link: malicious code execution on embedded devices can enable wireless infiltration of airgapped systems without any hardware modification. In contrast to previous infiltration methods that depend on dedicated sensors (e.g., microphones, LEDs, or temperature sensors) or require strict line-of-sight, we show that unmodified, sensor-less embedded devices can inadvertently act as radio receivers. This phenomenon stems from parasitic RF sensitivity in PCB traces and on-chip analog-to-digital converters (ADCs), allowing external transmissions to be received and decoded entirely in software. Across twelve commercially available embedded devices and two custom prototypes, we observe repeatable reception in the 300-1000 MHz range, with detectable signal power as low as 1 mW. To this end, we propose a systematic methodology to identify device configurations that foster such radio sensitivities and comprehensively evaluate their feasibility for wireless data reception. Exploiting these sensitivities, we demonstrate successful data reception over tens of meters, even in non-line-of-sight conditions, and show that the reception sensitivities accommodate data rates of up to 100 kbps. Our findings reveal a previously unexplored command-and-control vector for air-gapped systems while challenging assumptions about their inherent isolation. [shortened]

Paper Structure

This paper contains 29 sections, 1 equation, 22 figures, 3 tables.

Figures (22)

  • Figure 1: Attack scenario considered in this work. The attacker can execute code on an air-gapped embedded device and attempts to receive modulated radio signals.
  • Figure 2: (a) Classical frequency-tuned RF receiver. (b) Embedded device-based radio receiver.
  • Figure 3: Illustration of our experimental setup.
  • Figure 4: Processing for RF sensitivity testing. First row: raw ADC samples from the device over time while the transmitter is switched on and off and changing frequency. Second row: average over sample blocks. Third row: Difference of block averages between on and off samples over frequency. Fourth row: SNR estimation over frequency.
  • Figure 5: SNR over frequency for three different reception paths on the Nucleo-G474RE board.
  • ...and 17 more figures
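The on/off sweep that the Figure 4 caption describes, written out as an added example that is not the paper's code: a constructed 12-bit ADC trace stands in for a real capture, the block layout (one transmitter-on block followed by one transmitter-off block per frequency step) and the SNR definition (squared difference of block means over the off-block variance) are assumptions, and the 300-1000 MHz sweep and the 10 dB threshold are illustrative. This is the screening check a hardware team would run on its own boards to locate frequencies where an external transmitter measurably shifts ADC readings, before deciding where shielding or PCB grounding is needed.

```python
import math
import random
import statistics

def block_means(samples, block):
    """Row 2 of the Figure 4 pipeline: average each block of ADC samples."""
    return [statistics.fmean(samples[i:i + block])
            for i in range(0, len(samples) - block + 1, block)]

def onoff_sweep(samples, freqs_mhz, block):
    """Rows 3-4: per frequency, the difference of on/off block averages and
    an SNR estimate. Layout assumption: one [on, off] block pair per entry
    of freqs_mhz. SNR = delta^2 / variance of the off block (assumed
    definition, not necessarily the paper's)."""
    means = block_means(samples, block)
    sweep = []
    for k, f in enumerate(freqs_mhz):
        off_blk = samples[(2 * k + 1) * block:(2 * k + 2) * block]
        delta = means[2 * k] - means[2 * k + 1]
        noise_var = statistics.pvariance(off_blk)
        if delta == 0:
            snr_db = -math.inf
        elif noise_var == 0:
            snr_db = math.inf
        else:
            snr_db = 10 * math.log10(delta ** 2 / noise_var)
        sweep.append((f, delta, snr_db))
    return sweep

def sensitive_frequencies(sweep, threshold_db=10.0):
    """Frequencies whose on/off contrast clearly stands out of the noise."""
    return [f for f, _, snr_db in sweep if snr_db >= threshold_db]

def constructed_trace(freqs_mhz, sensitive_mhz, block, seed=1):
    """Constructed ADC trace standing in for a real capture: the transmitter
    steps through freqs_mhz, one on block then one off block per step. Only
    at the 'sensitive' frequencies does the on block shift the ADC mean
    (parasitic coupling); elsewhere the trace is pure noise around mid-scale."""
    rng = random.Random(seed)
    samples = []
    for f in freqs_mhz:
        for tx_on in (True, False):
            level = 2048 + (40.0 if tx_on and f in sensitive_mhz else 0.0)
            samples += [level + rng.gauss(0, 3.0) for _ in range(block)]
    return samples

if __name__ == "__main__":
    freqs = list(range(300, 1001, 50))  # 300-1000 MHz, as in the abstract
    trace = constructed_trace(freqs, {450, 850}, block=256)
    for f, delta, snr_db in onoff_sweep(trace, freqs, 256):
        print(f"{f:5d} MHz  delta={delta:7.2f}  SNR={snr_db:6.1f} dB")
    print("sensitive:", sensitive_frequencies(onoff_sweep(trace, freqs, 256)))
```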