When Eavesdroppers Reason: Agentic Eavesdropping Attacks on Semantic Communication

TL;DR

This paper introduces an agentic eavesdropper powered by large language models that can effectively breach privacy in semantic communication systems without needing wiretap channel information, revealing significant security risks.

Contribution

It proposes a novel LLM-based agentic eavesdropper with a closed-loop workflow that outperforms existing methods in privacy inference without wiretap CSI.

Findings

Achieves over 75% eavesdropping success rate at SNR ≥ 5 dB

Operates effectively without wiretap channel state information

Highlights severe privacy risks in current SemCom architectures

Abstract

Semantic communication (SemCom) has emerged as a promising paradigm for next-generation networks. However, its typical end-to-end joint source--channel coding (JSCC) architecture also raises serious privacy concerns. To guide future secure SemCom design, it is important to understand how serious such leakage can be. Nevertheless, existing eavesdropping attacks mainly rely on fixed-configuration solvers and often require instantaneous wiretap channel state information (CSI) to achieve effective privacy inference. This may lead future secure SemCom designs to overlook potentially severe risks. To address this, we propose a large language model (LLM)-orchestrated agentic eavesdropper. Specifically, the proposed eavesdropper forms a closed-loop workflow with three functional agents. The optimization agent adaptively performs joint semantic-and-channel inversion to recover private information from the intercepted signal without requiring wiretap CSI. The perception agent evaluates the effectiveness of the optimization agent and assesses whether the recovered private semantics are reasonable, providing feedback to the optimization agent. The refinement agent further analyzes the recovered content and uses a generative prior to refine promising candidates into more realistic and complete private reconstructions while preserving consistency with the intercepted signal. Simulation results over a MIMO Rayleigh fading channel show that the proposed eavesdropper achieves more than $75\%$ eavesdropping success rate at $\mathrm{SNR}\geq 5$~dB even without wiretap CSI, highlighting a severe privacy threat that future secure SemCom systems must address.