Deep learning-based semantic communication (SemCom) has emerged as a promising paradigm for next-generation wireless networks, offering superior transmission efficiency by extracting and conveying task-relevant semantic latent representations rather than raw data. However, the openness of the wireless medium and the intrinsic vulnerability of semantic latent representations expose such systems to previously unrecognized security risks. In this paper, we uncover a fundamental latent-space vulnerability that enables a Man-in-the-Middle (MitM) attacker to covertly manipulate the transmitted semantics while preserving the statistical properties of the transmitted latent representations. We first present a Diffusion-based Re-encoding Attack (DiR), wherein the attacker employs a diffusion model to synthesize an attacker-designed semantic variant, and re-encodes it into a valid latent representation compatible with the SemCom decoder. Beyond this model-dependent pathway, we further propose a model-agnostic and training-free Test-Time Adaptation Latent Manipulation attack (TTA-LM), in which the attacker perturbs and steers the intercepted latent representation toward an attacker-specified semantic target by leveraging the gradient of a target loss function. In contrast to diffusion-based manipulation, TTA-LM does not rely on any generative model and does not impose modality-specific or task-specific assumptions, thereby enabling efficient and broadly applicable latent-space tampering across diverse SemCom architectures. Extensive experiments on representative semantic communication architectures demonstrate that both attacks can significantly alter the decoded semantics while preserving natural latent-space distributions, making the attacks covert and difficult to detect.