Search papers, labs, and topics across Lattice.
This paper investigates whether active RF probing, specifically impedance-modulated backscattering, can bypass electromagnetic (EM) shielding designed to suppress radiated emissions and passive side-channel leakage. The authors inject controlled RF signals into shielded devices and analyze the reflective response to detect state-dependent impedance variations. Experiments on FPGA and microcontroller prototypes under three industry-standard shields reveal that while passive EM measurements are suppressed, backscattering responses remain separable, indicating a vulnerability to active RF probing.
Even with EM shielding in place, active RF probing can still expose execution-dependent behavior via impedance-modulated backscattering.
Electromagnetic (EM) shielding is widely used to suppress radiated emissions and limit passive EM side-channel leakage. However, shielding does not address active probing, where an adversary injects external radio-frequency (RF) signals and observes the device's reflective response. This work studies whether such impedance-modulated backscattering persists when radiated emissions are suppressed by shielding. By injecting controlled RF signals and analyzing the reflections, we demonstrate that state-dependent impedance variations remain observable at frequencies outside the shields'primary attenuation band. Using processors implemented on FPGA and microcontroller prototypes, and evaluating workload profiles under three industry-standard shields, we find that passive EM measurements lose discriminative power under shielding, while backscattering responses remain separable. These results indicate that active RF probing can expose execution-dependent behavior even in shielded systems, motivating the need to consider active impedance-based probing within hardware security evaluation flows.
