Rethinking Security in Semantic Communication: Latent Manipulation as a New Threat

TL;DR

This paper reveals a fundamental vulnerability in semantic communication systems that allows covert manipulation of transmitted semantics through latent-space attacks, posing new security challenges for next-generation wireless networks.

Contribution

The paper introduces two novel latent-space attack methods—Diffusion-based Re-encoding and Test-Time Adaptation Latent Manipulation—that expose security vulnerabilities in SemCom systems.

Findings

Both attacks can significantly alter decoded semantics.

Attacks preserve the natural distribution of latent representations.

Proposed methods are effective across diverse SemCom architectures.

Abstract

Deep learning-based semantic communication (SemCom) has emerged as a promising paradigm for next-generation wireless networks, offering superior transmission efficiency by extracting and conveying task-relevant semantic latent representations rather than raw data. However, the openness of the wireless medium and the intrinsic vulnerability of semantic latent representations expose such systems to previously unrecognized security risks. In this paper, we uncover a fundamental latent-space vulnerability that enables Man-in-the-Middle (MitM) attacker to covertly manipulate the transmitted semantics while preserving the statistical properties of the transmitted latent representations. We first present a Diffusion-based Re-encoding Attack (DiR), wherein the attacker employs a diffusion model to synthesize an attacker-designed semantic variant, and re-encodes it into a valid latent representation compatible with the SemCom decoder. Beyond this model-dependent pathway, we further propose a model-agnostic and training-free Test-Time Adaptation Latent Manipulation attack (TTA-LM), in which the attacker perturbs and steers the intercepted latent representation toward an attacker-specified semantic target by leveraging the gradient of a target loss function. In contrast to diffusion-based manipulation, TTA-LM does not rely on any generative model and does not impose modality-specific or task-specific assumptions, thereby enabling efficient and broadly applicable latent-space tampering across diverse SemCom architectures. Extensive experiments on representative semantic communication architectures demonstrate that both attacks can significantly alter the decoded semantics while preserving natural latent-space distributions, making the attacks covert and difficult to detect.