{"ID":2828026,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2512.15387","arxiv_id":"2512.15387","title":"Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers","abstract":"Physical isolation from external networks - an airgap - aims to minimize exposure to remote attacks. Yet capable adversaries still achieve code execution on air-gapped systems, and prior work has shown that they can then wirelessly exfiltrate data via unintended emissions. In this work, we demonstrate the reverse direction: malicious code on an embedded device enables wireless infiltration of air-gapped systems, granting attackers command-and-control over compromised targets. Leveraging physical effects previously studied in the context of electromagnetic interference (EMI), we show that parasitic radio frequency (RF) sensitivity in printed circuit board (PCB) traces and on-chip analog-to-digital converters (ADCs) turns commodity embedded devices into inadvertent radio receivers. Unlike prior infiltration techniques, our approach requires no dedicated sensors (e.g., microphones, LEDs, or temperature sensors) and works in non-line-of-sight scenarios. In our evaluation, an ordinary microcontroller evaluation board reliably recovers communication signals from tens of meters at data rates of up to 100 kbps. Applying a systematic methodology to discover such device-intrinsic RF sensitivity, we evaluate twelve commercial embedded devices and two custom prototypes, finding that all exhibit reception capabilities in the 300-1000 MHz range. Our findings challenge the assumption that embedded devices without radios lack an inbound radio paths and call for air-gap threat models that account for both emission-based leakage and unintended reception.","short_abstract":"Physical isolation from external networks - an airgap - aims to minimize exposure to remote attacks. Yet capable adversaries still achieve code execution on air-gapped systems, and prior work has shown that they can then wirelessly exfiltrate data via unintended emissions. In this work, we demonstrate the reverse direc...","url_abs":"https://arxiv.org/abs/2512.15387","url_pdf":"https://arxiv.org/pdf/2512.15387v2","authors":"[\"Paul Staat\",\"Daniel Davidovich\",\"Christof Paar\"]","published":"2025-12-17T12:39:54Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[]","has_code":false}