ShieldBypass: On the Persistence of Impedance Leakage Beyond EM Shielding

TL;DR

This paper investigates whether active RF probing can reveal device behavior through impedance leakage even when electromagnetic shielding suppresses emissions.

Contribution

It demonstrates that impedance-based backscattering persists beyond shielding and can be exploited for security analysis, highlighting a new threat vector.

Findings

Passive EM measurements lose discriminative power under shielding.

Backscattering responses remain observable and separable outside shield attenuation bands.

Active RF probing can expose execution-dependent behavior in shielded systems.

Abstract

Electromagnetic (EM) shielding is widely used to suppress radiated emissions and limit passive EM side-channel leakage. However, shielding does not address active probing, where an adversary injects external radio-frequency (RF) signals and observes the device's reflective response. This work studies whether such impedance-modulated backscattering persists when radiated emissions are suppressed by shielding. By injecting controlled RF signals and analyzing the reflections, we demonstrate that state-dependent impedance variations remain observable at frequencies outside the shields' primary attenuation band. Using processors implemented on FPGA and microcontroller prototypes, and evaluating workload profiles under three industry-standard shields, we find that passive EM measurements lose discriminative power under shielding, while backscattering responses remain separable. These results indicate that active RF probing can expose execution-dependent behavior even in shielded systems, motivating the need to consider active impedance-based probing within hardware security evaluation flows.