Talking to the Airgap: Exploiting Radio-Less Embedded Devices as Radio Receivers
Paul Staat, Daniel Davidovich, Christof Paar

TL;DR
This paper demonstrates that commodity embedded devices can be exploited as radio receivers to infiltrate air-gapped systems wirelessly, revealing a new inbound communication vector that challenges existing security assumptions.
Contribution
It introduces a novel method exploiting parasitic RF sensitivity in embedded devices to enable wireless infiltration of air-gapped systems without dedicated sensors.
Findings
Ordinary microcontroller boards can recover signals from tens of meters at 100 kbps.
All tested commercial devices exhibit RF reception in the 300-1000 MHz range.
The approach works without line-of-sight and requires no additional sensors.
Abstract
Physical isolation from external networks - an airgap - aims to minimize exposure to remote attacks. Yet capable adversaries still achieve code execution on air-gapped systems, and prior work has shown that they can then wirelessly exfiltrate data via unintended emissions. In this work, we demonstrate the reverse direction: malicious code on an embedded device enables wireless infiltration of air-gapped systems, granting attackers command-and-control over compromised targets. Leveraging physical effects previously studied in the context of electromagnetic interference (EMI), we show that parasitic radio frequency (RF) sensitivity in printed circuit board (PCB) traces and on-chip analog-to-digital converters (ADCs) turns commodity embedded devices into inadvertent radio receivers. Unlike prior infiltration techniques, our approach requires no dedicated sensors (e.g., microphones, LEDs,…
