Intelligent electronics are deeply embedded in critical infrastructures and must remain reliable, particularly against deliberate attacks. To minimize risk and impede remote compromise, sensitive systems can be physically isolated from external networks, forming an air gap. Yet air gaps can still be infiltrated by capable adversaries who gain code execution. Prior research has shown that such attackers can then attempt to wirelessly exfiltrate data across the air gap by exploiting unintended radio emissions. In this work, we demonstrate a reversal of this link: malicious code execution on embedded devices can enable wireless infiltration of air-gapped systems without any hardware modification. In contrast to previous infiltration methods that depend on dedicated sensors (e.g., microphones, LEDs, or temperature sensors) or require strict line of sight, we show that unmodified, sensor-less embedded devices can inadvertently act as radio receivers. This phenomenon stems from parasitic RF sensitivity in PCB traces and on-chip analog-to-digital converters (ADCs), which allows external transmissions to be received and decoded entirely in software. Across twelve commercially available embedded devices and two custom prototypes, we observe repeatable reception in the 300-1000 MHz range, with detectable signal power as low as 1 mW. To characterize this effect, we propose a systematic methodology to identify device configurations that foster such radio sensitivities and comprehensively evaluate their feasibility for wireless data reception. Exploiting these sensitivities, we demonstrate successful data reception over tens of meters, even in non-line-of-sight conditions, and show that the reception sensitivities accommodate data rates of up to 100 kbps. Our findings reveal a previously unexplored command-and-control vector for air-gapped systems and challenge assumptions about their inherent isolation. [shortened]