Recently, computer vision systems, for example, smart traffic surveillance systems, facial recognition systems, etc., have significantly changed our daily life. Even though the neural networks in such systems are known to suffer from backdoor attacks, causing the backdoored models to behave well on benign samples but maliciously on controlled samples (with triggers applied to activate the backdoor), it is generally believed that most of the triggers, when used in physical attacks, are noticeable to victim users and not robust in various settings, such as different angles, distances, lighting conditions, etc. In this paper, we leverage electromagnetic interference (EMI) to produce a specific pattern distortion in images captured by the camera system and utilize the pattern distortion as the backdoor trigger. To avoid the overhead of manually collecting poisoned images, we introduce a simulation sample generation approach, converting clean images to poisoned ones by simulating the distortion caused by EMI against the camera system. Additionally, we propose a contrast loss function to enhance the generalization of backdoor features, improving triggers’ capability to activate the embedded backdoors. We conduct extensive physical experiments using diverse deep neural networks across various camera systems in different practical environments, achieving a 92.54% average backdoor success rate.
SchroffFKalenichenkoDPhilbinJ. FaceNet: A unified embedding for face recognition and clustering. In: Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR), 2015, Boston, USA, pp.815–823. IEEE.
4.
ParkhiOVedaldiAZissermanA. Deep face recognition. In: Proceedings of the British machine vision conference (BMVC), 2015, Swansea, England, pp. 1–12. British Machine Vision Association.
GuTDolan-GavittBGargS. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:170806733, 2017.
7.
LiuYMaSAaferY, et al.Trojaning attack on neural networks. In: 25th Annual network and distributed system security symposium (NDSS), 2018. Internet Society.
8.
LiYLiYWuB, et al.Invisible backdoor attack with sample-specific triggers. In: Proceedings of the IEEE/CVF International conference on computer vision (ICCV), virtual event, 2019, pp. 16463–16472. IEEE.
9.
HanXWuYZhangQ, et al.Backdooring multimodal learning. In: Proceedings of the IEEE Symposium on security and privacy (SP), 2024, San Francisco, CA, USA, pp. 3385–3403. IEEE.
10.
WengerEPassanantiJBhagojiAN, et al.Backdoor attacks against deep learning systems in the physical world. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, virtual event, 2021, pp. 6206–6215. IEEE.
11.
LiYZhaiTWuB, et al.Rethinking the trigger of backdoor attack. arXiv preprint arXiv:200404692, 2020.
12.
XueMHeCSunS, et al.Robust backdoor attacks against deep neural networks in real physical world. In: 2021 IEEE 20th international conference on trust, security and privacy in computing and communications (TrustCom), 2021, pp. 620–626.
13.
TuYRampazziSHaoB, et al.Trick or heat? Manipulating critical temperature-based control systems using rectification attacks. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, 2019, London United Kingdom, pp. 2301–2315. ACM.
14.
WangKMitevRYanC, et al.GhostTouch: Targeted attacks on touchscreens without physical touch. In: Proceedings of the USENIX security symposium, 2020, Baltimore, MD, USA, pp. 1543–1559. USENIX Association.
15.
KöhlerSBakerRMartinovicI. Signal injection attacks against CCD image sensors. In: Proceedings of the 2022 ACM on Asia conference on computer and communications security (AsiaCCS), 2022, Nagasaki, Japan, pp. 294–308. ACM.
16.
JiangQJiXYanC, et al.GlitchHiker: Uncovering vulnerabilities of image signal transmission with IEMI. In: USENIX security’2023, 2023.
17.
JangJHChoMKimJ, et al.Paralyzing drones via EMI signal injection on sensory communication channels. In: Proceedings of the network and distributed system security symposium (NDSS), 2023, San Diego, CA, USA. Internet Society.
18.
ZhangYRasmussenK. Electromagnetic signal injection attacks on differential signaling. In: Proceedings of the 2023 ACM Asia conference on computer and communications security (AsiaCCS), 2023, Melbourne VIC Australia, pp. 314–325. ACM.
19.
DayanıklıGYSinhaSMunirajD, et al.Physical-Layer attacks against pulse width Modulation-Controlled actuators. In: Proceedings of the USENIX security symposium, 2019, Boston, MA, USA, pp. 953–970. USENIX Association.
20.
SelvarajJDayanıklıGYGaunkarNP, et al.Electromagnetic induction attacks against embedded systems. In: Proceedings of the ACM Asia conference on computer and communications security (AsiaCCS), 2018, Incheon Republic of Korea, pp. 499–510. ACM.
21.
YaoYLiHZhengH, et al.Latent backdoor attacks on deep neural networks. In: ACM SIGSAC conference on computer and communications security (CCS), 2019, London United Kingdom, pp. 2041–2055. ACM.
22.
LvPYueCLiangR, et al.A data-free backdoor injection approach in neural networks. In: 32nd USENIX security symposium (USENIX Security), 2023, Anaheim, CA, USA, pp. 2671–2688. USENIX Association.
HasinoffSWSharletDGeissR, et al.Burst photography for high dynamic range and low-light imaging on mobile cameras. ACM Trans Graph (ToG)2016; 35(6): 1–12.
28.
LiXGunturkBZhangL. Image demosaicing: A systematic survey. In:Visual communications and image processing, 2008, San Jose, California, United States, Vol. 6822, pp. 489–503. SPIE.
29.
BalanisCA. Advanced engineering electromagnetics. Hoboken, New Jersey, USA: John Wiley & Sons, 2012.
30.
DayanikliGY. Electromagnetic interference attacks on cyber-physical systems: theory, demonstration, and defense. PhD Thesis, Virginia Tech, 2021.
31.
PaulCRScullyRCSteffkaMA. Introduction to electromagnetic compatibility. Hoboken, New Jersey, USA: John Wiley & Sons, 2022.
32.
LiuKDolan-GavittBGargS. Fine-pruning: Defending against backdooring attacks on deep neural networks. In: International symposium on research in attacks, intrusions, and defenses (RAID), 2018, pp. 273–294. Springer: Cham.
33.
BarniMKallasKTondiB. A new backdoor attack in CNNs by training set corruption without label poisoning. In: 2019 IEEE International Conference on Image Processing (ICIP), 2019, Taipei, Taiwan, pp. 101–105. IEEE.
34.
SahaASubramanyaAPirsiavashH. Hidden trigger backdoor attacks. In: Proceedings of the AAAI conference on artificial intelligence, 2020, New York, NY, USA, vol. 34(07), pp. 11957–11965.
35.
LinJXuLLiuY, et al.Composite backdoor attack for deep neural network by mixing existing benign features. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, 2020, Virtual Event, pp. 113–131. ACM.
36.
DoanKLaoYZhaoW, et al.LIRA: Learnable, imperceptible and robust backdoor attacks. In: Proceedings of the IEEE/CVF international conference on computer vision, 2021, virtual event, pp. 11966–11976. IEEE.
37.
GoldwasserSKimMPVaikuntanathanV, et al.Planting undetectable backdoors in machine learning models. In: Proceedings of the IEEE annual symposium on foundations of computer science (FOCS), 2022, Denver, CO, USA, pp. 931–942. IEEE.
38.
RenYJiangQYanC, et al.Ghostshot: Manipulating the image of CCD cameras with electromagnetic interference. In: NDSS, 2025.
39.
ZhangXTuYLongY, et al.From virtual touch to Tesla command: Unlocking unauthenticated control chains from smart glasses for vehicle takeover. In: 2024 IEEE symposium on security and privacy (SP), 2024, San Francisco, CA, USA, pp. 2366–2384. IEEE.
40.
BaruaAAl FaruqueMA. Hall spoofing: A non-invasive DoS attack on grid-tied solar inverter. In: 29th USENIX security symposium, 2020, pp. 1273–1290.
41.
OyamaTOkuraSYoshidaK, et al.Backdoor attack on deep neural networks triggered by fault injection attack on image sensor interface. In: Proceedings of the 5th workshop on attacks and solutions in hardware security, 2021, pp. 63–72.
42.
MoweryKWustrowEWypychT, et al.Security analysis of a full-body scanner. In: 23rd USENIX security symposium , 2014, pp. 369–384.
43.
KrizhevskyAHintonG, et al.Learning multiple layers of features from tiny images. Technical Report, University of Toronto, Toronto, ON, Canada, 2009.
44.
HeKZhangXRenS, et al.Deep residual learning for image recognition. In: CVPR, 2016, pp. 770–778.
45.
WolfLHassnerTMaozI. Face recognition in unconstrained videos with matched background similarity. In: Proceedings of the IEEE Conference on computer vision and pattern recognition (CVPR), 2011, Colorado Springs, CO, USA, pp. 529–534. IEEE.
46.
StallkampJSchlipsingMSalmenJ, et al.The German traffic sign recognition benchmark: a multi-class classification competition. In: Proceedings of the International joint conference on neural networks (IJCNN), 2011, San Jose, CA, USA, pp. 1453–1460. IEEE.
47.
GharbiMChaurasiaGParisS, et al.Deep joint demosaicking and denoising. ACM Trans Graph (ToG)2016; 35: 1–12.
48.
GijsenijAGeversTWeijerDe, et al.Computational color constancy: Survey and experiments. IEEE Trans Image Process2011; 20: 2475–2489.
49.
BrooksTMildenhallBXueT, et al.Unprocessing images for learned raw denoising. In: CVPR, 2019, pp. 11036–11045.
50.
HadsellRChopraSLeCunY. Dimensionality reduction by learning an invariant mapping. In: Proceedings of the IEEE Conference on computer vision and pattern recognition (CVPR), June 17–22, 2006, New York, NY, USA, pp. 1735–1742. IEEE.
51.
MotiianSPiccirilliMAdjerohDA, et al.Unified deep supervised domain adaptation and generalization. In: Proceedings of the IEEE International conference on computer vision (ICCV), 2017, Venice, Italy, pp. 5716–5726.
52.
MaćkiewiczARatajczakW. Principal components analysis (PCA). Comput Geosci1993; 19: 303–342.
WangBYaoYShanS, et al.Neural Cleanse: Identifying and mitigating backdoor attacks in neural networks. In: Proceedings of the IEEE Symposium on security and privacy (SP), 2019, San Francisco, CA, USA, pp. 707–723. IEEE.
55.
LiuYLeeWCTaoG, et al.Abs: Scanning neural networks for back-doors by artificial brain stimulation. In: In Proceedings of the ACM Conference on computer and communications security (CCS), 2018, London, UK, pp. 1265–1282. ACM.
56.
XuXWangQLiH, et al.Detecting ai trojans using meta neural analysis. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2021, pp. 103–120. IEEE.
57.
DoanBGAbbasnejadERanasingheDC. Februus: Input purification defense against Trojan attacks on deep neural network systems. In: Proceedings of the annual computer security applications conference (ACSAC), virtual event, 2020, Austin, TX, USA, pp. 897–912. ACM.
58.
MaWWangDSunR, et al.The beatrix resurrections: Robust backdoor detection via gram matrices. arXiv preprint arXiv:220911715, 2022.
59.
KuneDFBackesJClarkSS, et al.Ghost talk: Mitigating EMI signal injection attacks against analog sensors. In: Proceedings of the IEEE Symposium on security and privacy (SP), 2013, Berkeley, California, USA, pp. 145–159. IEEE.
60.
GeethaSSatheesh KumarKRaoCR, et al.Emi shielding: Methods and materials—a review. J Appl Polym Sci2009; 112: 2073–2086.
61.
YuZKaplanZYanQ, et al.Security and privacy in the emerging cyber-physical world: A survey. IEEE Commun Surv Tutor2021; 23: 1879–1919.
KimHBandyopadhyayROzmenMO, et al.A systematic study of physical sensor attack hardness. In: Proceedings of the IEEE Symposium on security and privacy (SP), 2024, San Francisco, CA, USA, pp. 2328–2347. IEEE.
64.
SinghRKMishraS. Securetrack: Protecting vehicular sensors from non-invasive EMI attacks. IEEE Sens J2025; 25(5): 8857–8868.
65.
MaHLiYGaoY, et al.Dangerous cloaking: Natural trigger based backdoor attacks on object detectors in the physical world. arXiv preprint arXiv:220108619, 2022.
66.
LiHWangYXieX, et al.Light can hack your face! black-box backdoor attack on face recognition systems. arXiv preprint arXiv:200906996, 2020.
67.
XuYChenGSongF, et al.Laserguider: A laser based physical backdoor attack against deep neural networks. In: Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS), 2019, Munich, Germany, pp. 339–366. Springer, Cham.
68.
OyamaTOkuraSYoshidaK, et al.Experimental study of fault injection attack on image sensor interface for triggering backdoored DNN models. IEICE Trans Fundam Electr Commun Comput Sci, 2022, 105: 336–343.
69.
DayanıklıGYMohammedAZGerdesR, et al.Wireless manipulation of serial communication. In: In Proceedings of the ACM Asia Conference on computer and communications security (AsiaCCS), May 30–June 3, 2022, Nagasaki, Japan, pp. 222–236. ACM.
70.
LiuJLiHSunM, et al.Nfceraser: A security threat of NFC message modification caused by quartz crystal oscillator. In: Proceedings of the IEEE symposium on security and privacy (SP), 2024, San Francisco, CA, USA, pp. 2775–2793. IEEE.
71.
LinTYMaireMBelongieS, et al.Microsoft COCO: Common objects in context. In: Proceedings of the European conference on computer vision (ECCV), 2014, Zurich, Switzerland, pp. 740–755. Springer: Cham.
