ShieldBypass: On the Persistence of Impedance Leakage Beyond EM Shielding
For hardware security evaluators, this work reveals that EM shielding is insufficient to prevent active impedance-based side-channel attacks, highlighting a previously overlooked vulnerability.
The paper shows that active RF probing can detect execution-dependent impedance variations in shielded systems, while passive EM measurements fail under shielding. Experiments with FPGA and microcontroller prototypes under three industry-standard shields demonstrate that backscattering responses remain separable, exposing a security gap in current evaluation flows.
Electromagnetic (EM) shielding is widely used to suppress radiated emissions and limit passive EM side-channel leakage. However, shielding does not address active probing, where an adversary injects external radio-frequency (RF) signals and observes the device's reflective response. This work studies whether such impedance-modulated backscattering persists when radiated emissions are suppressed by shielding. By injecting controlled RF signals and analyzing the reflections, we demonstrate that state-dependent impedance variations remain observable at frequencies outside the shields' primary attenuation band. Using processors implemented on FPGA and microcontroller prototypes, and evaluating workload profiles under three industry-standard shields, we find that passive EM measurements lose discriminative power under shielding, while backscattering responses remain separable. These results indicate that active RF probing can expose execution-dependent behavior even in shielded systems, motivating the need to consider active impedance-based probing within hardware security evaluation flows.
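To make the separability argument concrete for an evaluation flow, the following added example (not code or data from the paper) models the two measurement paths the abstract contrasts and scores each with Welch's t-statistic, the TVLA-style leakage metric with its customary |t| > 4.5 threshold. The model is a constructed assumption: two workload states present different load impedances (40 and 45 ohms) to a 50-ohm probe line, the backscatter observable is the reflection coefficient magnitude |Γ| = |(Z_L - Z_0)/(Z_L + Z_0)|, the shield attenuates the radiated EM path by `shield_db`, and the active probe is assumed to sit outside the shield's attenuation band, so its path is not attenuated unless `probe_db` is set. Noise levels and sample counts are likewise constructed.

```python
import math
import random

Z0 = 50.0  # characteristic impedance of the probe line, ohms (assumption)
TVLA_THRESHOLD = 4.5  # customary |t| threshold for declaring a leakage


def reflection_coefficient(z_load, z0=Z0):
    """Magnitude of the voltage reflection coefficient |Gamma|.

    Standard transmission-line relation: an injected carrier is reflected in
    proportion to the mismatch between the load impedance and the line.
    A change in the device's state-dependent impedance therefore changes
    the reflected fraction an active-probing receiver observes."""
    return abs((z_load - z0) / (z_load + z0))


def welch_t(a, b):
    """Welch's t-statistic between two sample sets of scalar measurements."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def simulate(n=200, shield_db=0.0, probe_db=0.0, seed=1):
    """Constructed measurement model (not the paper's data).

    Workload A and workload B each yield n traces on two channels:
      - passive EM amplitude: 1.0 vs 1.3 (arbitrary units), attenuated by
        shield_db, plus receiver noise that the shield does not remove
      - backscatter |Gamma| for load impedances 40 vs 45 ohms, attenuated
        only by probe_db (0 dB models a probe frequency outside the
        shield's attenuation band)
    Returns |t| per channel and whether each exceeds the TVLA threshold."""
    rng = random.Random(seed)
    em_gain = 10 ** (-shield_db / 20)   # voltage attenuation of radiated path
    bs_gain = 10 ** (-probe_db / 20)    # voltage attenuation of probe path

    em_a = [1.0 * em_gain + rng.gauss(0, 0.1) for _ in range(n)]
    em_b = [1.3 * em_gain + rng.gauss(0, 0.1) for _ in range(n)]
    bs_a = [reflection_coefficient(40.0) * bs_gain + rng.gauss(0, 0.02)
            for _ in range(n)]
    bs_b = [reflection_coefficient(45.0) * bs_gain + rng.gauss(0, 0.02)
            for _ in range(n)]

    t_em = abs(welch_t(em_a, em_b))
    t_bs = abs(welch_t(bs_a, bs_b))
    return {
        "passive_em_t": t_em,
        "passive_em_leaks": t_em > TVLA_THRESHOLD,
        "backscatter_t": t_bs,
        "backscatter_leaks": t_bs > TVLA_THRESHOLD,
    }


if __name__ == "__main__":
    for db in (0.0, 40.0):
        r = simulate(shield_db=db)
        print(f"shield {db:4.0f} dB: passive EM |t|={r['passive_em_t']:6.2f} "
              f"leaks={r['passive_em_leaks']}  backscatter |t|="
              f"{r['backscatter_t']:6.2f} leaks={r['backscatter_leaks']}")
```

Running it with a 40 dB shield drives the passive-EM statistic below the threshold while the backscatter statistic stays well above it, which is the qualitative pattern the abstract reports; setting `probe_db` to the same 40 dB shows what an evaluator would see if the probe frequency fell inside the shield's attenuation band instead.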