
CCD Sensor Attack Insights

This paper was accepted for publication at the ASIA Conference on Computer and Communications Security in 2022. The paper presents a novel signal injection attack against CCD image sensors using electromagnetic interference to manipulate pixel brightness levels and disrupt barcode scanning. This is the first work to evaluate CCD sensor susceptibility to intentional electromagnetic interference from an adversarial perspective.


This paper was accepted for publication at the ACM ASIA Conference on Computer and Communications Security (AsiaCCS) 2022.

Signal Injection Attacks against CCD Image Sensors


Sebastian Köhler, University of Oxford, United Kingdom
Richard Baker, University of Oxford, United Kingdom
Ivan Martinovic, University of Oxford, United Kingdom

arXiv:2108.08881v2 [cs.CR] 13 Dec 2021

ABSTRACT

Since cameras have become a crucial part in many safety-critical systems and applications, such as autonomous vehicles and surveillance, a large body of academic and non-academic work has shown attacks against their main component — the image sensor. However, these attacks are limited to coarse-grained and often suspicious injections because light is used as an attack vector. Furthermore, due to the nature of optical attacks, they require the line-of-sight between the adversary and the target camera.

In this paper, we present a novel post-transducer signal injection attack against CCD image sensors, as they are used in professional, scientific, and even military settings. We show how electromagnetic emanation can be used to manipulate the image information captured by a CCD image sensor with the granularity down to the brightness of individual pixels. We study the feasibility of our attack and then demonstrate its effects in the scenario of automatic barcode scanning. Our results indicate that the injected distortion can disrupt automated vision-based intelligent systems.

1 INTRODUCTION

Over the last few decades, the underlying architecture of image sensors has experienced a significant shift in technology. Nowadays, two major image sensor architectures exist — Complementary Metal-Oxide-Semiconductor (CMOS) and Charge-Coupled Device (CCD) image sensors. Due to the improved semiconductor manufacturing process, the production costs of CMOS image sensors have decreased immensely, while the performance of the sensors increased. As a result, CMOS image sensors have almost entirely replaced CCD image sensors in consumer devices, such as mobile and IoT devices, autonomous vehicles, retail, and surveillance.

However, due to their excellent photometric performance and their capability to capture frames without geometric distortions, CCD image sensors are still used in specific professional and scientific applications [6, 12]. The fields of application range from ground and space astronomy [7, 11] over microscopy [15], industrial automation [28] to military surveillance and defense systems [10, 26].

With the increasing usage of intelligent systems that make safety-critical decisions based on the trusted captured image information, the integrity of the camera inputs has become crucial. Various attacks against camera-based systems compromising the integrity have been demonstrated in academic literature [17, 20, 23, 45]. Since image sensors are optical sensors, the most obvious attack vector is the injection of light. However, injecting light in a controlled way is almost infeasible and only partially possible for CMOS image sensors that implement an electronic rolling shutter mechanism that reads the captured image information row by row, rather than all-at-once (global shutter) [17, 23]. In contrast, CCD image sensors always implement a global shutter inherent to their design. This means fine-grained signal injection attacks using light are not possible. Moreover, a light-based attack requires line-of-sight between the adversary and the target camera. Finally, attacks that leverage optical emission tend to be suspicious and easily detected by simple mechanisms. For example, if a frame is suddenly over- or under-exposed, an alarm is triggered [30, 31].

In this paper, we overcome these limitations by using intentional electromagnetic interference (EMI). We show that fine-grained perturbations can be injected into CCD image sensors using electromagnetic emanation. While the susceptibility of CCD image sensors against electromagnetic interference has been evaluated in the context of electromagnetic compatibility (EMC) [37], to the best of our knowledge, no research has been conducted from the perspective of an adversary trying to inject fine-grained, controlled perturbations using intentional EMI. Yet, we demonstrate that, due to their architecture, CCD image sensors are vulnerable to post-transducer signal injection attacks using electromagnetic waves.

With ideal conditions and information, an attacker could exploit the vulnerability to reproduce arbitrary patterns within the output of the image sensor; however, such conditions are unlikely in the real world. Instead, we show the impact of the attack in a far more achievable setting by disrupting the correct operation of barcode reading, as used heavily in manufacturing and logistics [13, 41]. Such an attack on automated barcode reading is simple to mount but has an immediate economic impact on the victim.

Contributions. Specifically, we make the following contributions:

• We present a novel, post-transducer signal injection attack against CCD image sensors and demonstrate how an adversary can gain fine-grained control over the brightness intensity down to individual pixels.
• We analyze the susceptibility of two CMOS image sensors against the same attack to underpin our hypothesis that the signal injection attack is possible due to the architecture of CCD image sensors.
• We demonstrate the consequences of a signal injection attack against CCD image sensors in the context of automatic barcode scanning as it is heavily used in manufacturing and logistics.
• We lay the basis for further evaluation of signal injection attacks against CCD image sensors.

2 RELATED WORK

Academic literature has presented signal injection attacks against a variety of sensors and devices, such as medical devices [16, 21], voice-controlled personal assistants [29, 46], thermometers [47], MEMS inertial sensors [33, 34], air-pressure sensors [35], and Advanced Driver Assistance Systems (ADAS) [5, 18, 43, 45]. Depending on the target, the attack vector can range from acoustic waves over optical emission to electromagnetic emanation [8, 44]. Furthermore,
signal injection attacks can be differentiated based on the component they are targeting. If an untrustworthy sensor measurement is directly injected into the transducer using the same physical quantity the sensor is intended to sense, it is called a pre-transducer attack. In contrast, in post-transducer signal injection attacks, the signal is induced in any component after the sensing part, for example, into a wire connecting the transducer and the microcontroller, via electromagnetic coupling [44]. For cameras, which have become a popular target due to their widespread use, pre-transducer attacks using optical radiation as the attack vector are the most obvious route to go. For instance, shining a laser at the camera of a vehicle is a cheap and effective attack to render its ADAS useless [20, 45]. With a little more effort, the rolling shutter mechanism in CMOS image sensors can be exploited to execute a more controlled signal injection attack [17, 23]. Although exploiting the rolling shutter is less disruptive than fully blinding the camera, using visible light will always be suspicious and, potentially, be easily detected [31]. Moreover, the attack is bound to row-wise injections and therefore only allows coarse perturbations [17, 23]. In addition, signal injection attacks involving optical emission require line-of-sight between the adversary and the target camera. In contrast, leveraging electromagnetic waves as the attack vector gives the adversary precise control over the perturbation from outside the line-of-sight. In fact, with the appropriate equipment, manipulating the signal charge of individual pixels is possible. In this paper, we present a novel post-transducer signal injection attack that enables an adversary to obtain such a capability by exploiting the architectural structures of CCD image sensors using an off-the-shelf software-defined radio.

3 IMAGE SENSOR FUNDAMENTALS

Independent of the image sensor architecture, i.e., CMOS or CCD, the fundamental components of an image sensor are the same. All image sensors have a sensing part that captures the incident light, a scanning element that is responsible for the recovery of the generated signal charge, and a measurement unit that quantifies and amplifies the signal charge. The main difference between CMOS and CCD image sensors is the order in which these components are arranged. While CMOS image sensors have a measurement unit integrated into each pixel, CCD image sensors rely on a single measurement unit [19]. A comparison of the two image sensor architectures is depicted in Figure 1. In the following, we will focus on the architecture of CCD image sensors.

Figure 1: Simplified schematic representation of an Interline-Transfer-CCD (IT-CCD) and a CMOS image sensor. The CCD image sensor uses one measurement unit, while the CMOS image sensor implements one per pixel. Panels: (a) IT-CCD image sensor layout, (b) CMOS image sensor layout.

3.1 Photodiode Array

The photodiode array is the sensing part of an image sensor. A two-dimensional array composed of photodiodes, also known as pixels, captures image information in the form of light. More precisely, incident photons are captured and converted into a signal charge. The longer a photodiode is exposed to light, the more photons are captured and the higher the resulting signal charge. However, each photodiode only captures the intensity for one of the three color channels — red (R), green (G), or blue (B). This is achieved by overlaying a Color-Filter Array (CFA) on top of the photodiode array. The most well-known and most commonly used CFA is the Bayer-Matrix. Since the human eye perceives green tones more intensively [19], the Bayer-Matrix divides the image area into 50% green, 25% blue, and 25% red pixels [4]. To reconstruct an image from the raw color information per pixel, a process known as demosaicing is necessary.

Usually, the number of physical pixels (photodiodes) exceeds the maximum resolution of the captured frames. The additional pixels do not directly contribute to the final images. However, they provide useful supplementary information, such as color information, and help to determine the boundaries of the frames.

As described earlier, the longer the photodiodes are exposed to incident light, the brighter the resulting image. To capture enough signal charge in low light conditions, the auto-exposure mechanism of the camera adjusts the exposure time to an optimal value. Once sufficient signal charge is accumulated, i.e., the integration period has finished, the signal charge is read out by the scanning element and transferred to the measurement unit, which will be discussed next.

3.2 Scanning Element

The scanning element is responsible for recovering the signal charge from the photodiodes and the transmission to the measurement unit. In an Interline-Transfer-CCD (IT-CCD) image sensor, the scanning element is composed of multiple shift registers, which are arranged horizontally and vertically and thus are often referred to as H-CCD and V-CCD. A simplified schematic representation of such an image sensor is depicted in Figure 1a. Once the integration period for a frame is completed, the generated signal charge is shifted from the photodiodes into the V-CCDs. For this reason, the horizontal and vertical CCDs can also be seen as a memory buffer [19]. With the shift of the signal charge into the V-CCD, the new integration period starts. While the new frame is captured, the signal charge is simultaneously shifted row by row into the H-CCD, before it is measured and amplified by the measurement unit. Figure 2 illustrates the readout process of an Interline-Transfer-CCD. Although CCD image sensors implement a global shutter — meaning the exposure and signal recovery happen all-at-once — the digitization is still a sequential process. This means that the
analog-to-digital converter (ADC) samples the pixels one-by-one, starting with the pixel at (0,0).

3.3 Measurement Unit

As the name indicates, the measurement unit is responsible for quantizing and amplifying the captured signal charge per pixel. The measurement unit usually consists of an ADC and an amplifier. The ADC samples the analog signal, in the case of the image sensor the signal charge of each pixel, and maps it to a discrete value, usually ranging between 0 and 255. The exact range depends on the resolution of the ADC. A higher resolution means that the analog signal can be mapped to more discrete values. The higher the amplitude of the continuous signal, the higher the discrete value the sample is mapped to. Intuitively, higher distinct values represent a higher brightness. As described before, in poor ambient light conditions, the exposure time has to be extended to capture enough light. However, depending on the purpose of application, it might not be possible to increase the exposure time further. Once the integration time is longer than $1/F$ seconds, where $F$ is the frame rate of the camera, the frame rate drops. In such a case, to still be able to compensate for poor ambient light while ensuring a stable frame rate, the automatic gain controller (AGC) integrated with the measurement unit increases the analog gain used to amplify the measured signal charge.

In contrast to CMOS image sensors, where each individual pixel is equipped with a measurement unit, the signal charge in CCD image sensors is shifted through various components before it is quantized and amplified. As a result, there are more places where interference can occur. This means that any noise that occurred before the amplification, such as dark current shot noise, is also amplified. As a result, a voltage induced by electromagnetic interference will also be amplified, making CCD image sensors more susceptible to interfering signals [19].

4 THREAT MODEL

The overarching goal of the adversary is to spoof the image information captured by a CCD image sensor using electromagnetic interference. Depending on the scenario, the attacker may wish to inject adversarial examples in order to disrupt vision-based intelligent systems for object detection or identification. Alternatively, they may wish to degrade raw images as captured by microscopes or astronomical instruments, to harm research efforts. In a surveillance context, the goal may be to distort images such that further malicious behavior is not recorded accurately.

We assume that the attacker has knowledge of the target device, sufficient to find technical specifications of the image sensor from a datasheet and access an independent unit to profile for effective signal injection frequencies.

We assume the adversary has access to off-the-shelf equipment, such as software-defined radios, amplifiers and antennas. The attacker’s equipment is assumed to be powerful enough to generate and modulate an attack signal sufficiently quickly to match the performance of the targeted image sensor. We also presume that the attacker is capable of generating an arbitrary attack signal.

We assume the attacker can approach the target close enough to mount an attack, for some given transmission power, but since it is an electromagnetic attack, line-of-sight is not required.

However, under no circumstances can the attacker access the video output of the target camera. Hence, no synchronization between the attack signal and the camera readout is possible. As we discuss later, this condition substantially limits the fidelity with which an attacker can recreate an image at the target; however, we argue that it is by far the most realistic case.

5 SIGNAL INJECTION ATTACK

Normally, a sensor should only react to the one specific physical stimulus it is intended to capture. In the case of an image sensor this stimulus is light and the result is the generation of signal charge from photodiodes, which is then measured and digitized.

It is typical for electronic devices to display some susceptibility to electromagnetic interference, wherein incident electromagnetic radiation induces a voltage in components or connections within the device. In an image sensor, this may lead to the charge that was originally accumulated by the photodiodes subsequently being altered by additional charge due to induced voltages in downstream components.

The image sensor itself cannot determine whether the signal charge was generated by the photodiode array or resulted from electromagnetic interference that coupled onto the circuit. A malicious actor could leverage these factors and emit electromagnetic waves at the resonant frequency of elements within the target CCD image sensor to induce a voltage and subsequently alter the captured image information.

Our hypothesis is that, due to their architecture, CCD image sensors are particularly susceptible to the effects of such post-transducer signal injection attacks. Three main architectural factors contribute to this:

(1) long signal charge pathway – each of the components through which signal charge is shifted may be affected by incident electromagnetic radiation to facilitate signal injection
(2) amplification of signal charge – increasing the effect of injected signals prior to amplification
(3) serialization of pixels for digitization – meaning that injected signals can be targeted to single pixels

Figure 3 illustrates the attack being used to inject the ACM logo into an otherwise empty image. The addition of a malicious signal above the legitimate signal can be seen, along with impairments in image reproduction due to lack of synchronization.

The amount of maliciously induced signal charge depends on the received power of the attack signal. Intuitively, a physical signal with higher amplitude induces a greater voltage, which in turn increases the brightness of the resulting frame. The received power is influenced by many factors, such as the attacker’s transmission power, the distance, losses during propagation and the efficiency of coupling within the image sensor components. As not all factors are under the attacker’s control, they can primarily enhance the effects of the attack either by increasing their transmission power or reducing their distance to the target.

Figure 2: Illustration of a readout of the generated signal charge from an IT-CCD with Bayer color filter array.

Figure 3: Detailed illustration of how the signal injection attack affects the capturing of frames. The upper part shows the signal charge in the time-domain before it is digitized. After the time offset $o$, the attack signal couples onto the image sensor, increasing the amplitude of the legitimate signal charge $C_l$ by the malicious amplitude $C_m$. The lower part of the figure shows the resulting frames. Due to the misalignment $o$ between the readout and the malicious signal, the induced noise is offset by $\hat{x}$ and $\hat{y}$. As a result, the distortion is stretched along two consecutive frames. (Upper panel: analog signal over time $t$, showing legitimate and malicious signal charge; lower panel: resulting frames $n - 1$ and $n$.)

Since the signal charge is amplified and quantized at the last step of the readout process, the maliciously induced signal is also amplified. Under attack, the total brightness of a pixel, represented by luma $Y$, is the sum of the legitimate signal and the additional induced voltage, and can formally be expressed as:

$$Y = \alpha (C_l + C_m), \qquad (1)$$

where $\alpha$ is the amplifier gain set by the image sensor, $C_l$ the signal charge captured by the sensing part and $C_m$ the maliciously induced signal. It is important to note that the attacker cannot produce a negative value of $C_m$ and can thus only increase the brightness of a pixel. Furthermore, the range of the ADC places a cap on the usable values of $Y$, so if the legitimate signal already saturates the brightness, then an induced signal cannot brighten it further.

In order to gain fine-grained control over the injected noise, the attack signal has to be modulated at a rate equal to the readout rate of the image sensor. This means, one symbol of the attack signal corresponds to exactly one sample of the image sensor, or in other words to one pixel. The attacker can calculate the readout rate for the sensor from datasheet values, or empirical testing, and adjust their transmission rate accordingly. However, it is important to note that while the attacker can match the rate, they cannot synchronize the attack signal to the readout signal in absolute terms — as, per our threat model, they have no feedback channel for this information. This gives rise to a time offset error $o$, between the injected signal and the legitimate signal. The offset error manifests variously as a translation within the frame to the offset coordinates $\hat{x}$ and $\hat{y}$, a dispersion of intensity across adjacent pixels and as a color distortion due to color channels being misaligned. We elaborate on this below.

5.1 Attack Execution

Executing a signal injection attack against a CCD image sensor can be separated into three steps. In this section, we will give a detailed overview of the necessary tasks.

In general, any arbitrary data can be modulated onto a carrier wave and induced into the image sensor. In the simplest case, Gaussian white noise can be injected in order to apply random perturbations to the image. However, to demonstrate the possibilities of the attack, we will describe in the following the injection of data in the format of an RGB image, as Figure 3 depicts. The content of the injected image can be arbitrary and suited to the scenario, perhaps comprising recognizable patterns or barcodes, masking patterns, or adversarial examples.

Signal Generation. The origin of the attack signal is a source image of known width and height in RGB format (i.e., three color channels: red, green, blue). In the context of this paper, each pixel of the input image corresponds to one symbol of the attack signal. The pixels are read sequentially from the source image, with an order corresponding to the readout order from the target device. The brightness of the source pixel dictates the amplitude of the modulated attack signal, such that the relative brightnesses are recreated at the target. In case the resolution of the input image is smaller than the resolution of the target image sensor, padding has to be applied to the attack signal. No signal charge is intended to be induced for missing pixels, so the amplitude for these pixels is set to zero. Likewise, if the input image has a transparent background (alpha channel), the amplitude for transparent pixels is set to zero.

As briefly mentioned in Section 3.1, each photodiode only captures the incident light for one wavelength (color). Assuming that the photodiode at (0,0) only captures light with a wavelength of around 520 nm (green), injecting a malicious signal into the image sensor, while this photodiode is sampled, would intensify the green color channel of the pixel in the final frame. Since it is not possible to reliably stimulate a specific color channel (owing to the lack
of synchronization between the attack and the readout signal), an attacker can avoid the issue by instead seeking to induce different light intensities. While averaging the intensities of the three color channels can be used to get a rough estimate of the intensity of a pixel, it does not consider the color distribution. As a result, fine-grained details in the injected image, such as edges, would be lost. To overcome this issue, we propose to convert the input RGB image into its grayscale version. This means, the attack signal amplitude is represented by the linear luminance $Y$, which can be calculated using the following equation:

$$Y[x, y] = \frac{0.2126R + 0.7152G + 0.0722B}{255} \qquad (2)$$

with $x$ and $y$ being the coordinates of the pixel, $R$, $G$, and $B$ as the intensities of the respective color channels, the Luma coefficients selected based on the Rec. 709 standard [36], and a normalization factor to ensure the value remains in the appropriate range. It should be noted that the attack signal does still stimulate different color channels, and thus the injected distortion will not appear in grayscale.

Resampling/Interpolation. The modulated symbol rate required to inject arbitrary image information without skipping the readout of some pixels is important. Ideally, the symbol rate of the attack signal should match the readout rate of the image sensor. Usually, the readout rate is determined by the sample rate of the digital-to-analog converter. If the symbol rate of the attack signal does not match the readout timings of the image sensor, the injected noise will drift over consecutive frames.

In some cases, the exact sampling rate of the analog-to-digital converter can be obtained from the datasheet of the target camera or image sensor. Sometimes, however, such detailed information is not available and must be calculated instead. The resolution of image sensors is usually specified by two different numbers — effective and total number of pixels. Effective pixels represent the number of pixels that are exposed to incident light and used to capture image information. In contrast, the number of total pixels specifies the physical size of the image sensor, i.e., the number of photodiodes. Usually, the pixels around the edges are light-shielded and used to determine the edges of the captured images, as well as to capture some additional color information about the scene necessary for color calibration. Since the image sensor reads out all pixels, the number of total pixels has to be used for the calculation. Based on these facts, the required sample rate can be calculated as follows:

$$S = N_{\text{columns}} \cdot N_{\text{rows}} \cdot F, \qquad (3)$$

where $N_{\text{columns}}$ is the width, $N_{\text{rows}}$ the height and $F$ the frame rate of the image sensor.

For software-defined radio transmitters, arbitrary sample rates may not be possible and hence the attack signal must be appropriately resampled to match the transmission rate, using standard interpolation methods.

It should be noted that with increasing frame rate and resolution, the required sample rate of the software-defined radio is increasing too. Depending on the target camera, this may increase the difficulty for the attacker to inject fine-grained distortions. Figure 5 shows the results of under- and oversampling, as a direct reproduction of the output image from the camera¹.

¹ For clarity in print, artificially brightened versions are also given in Appendix B.

Figure 5: Two consecutive example frames captured by the DFM 25G445-ML during the emission of random noise. Due to the wrong sample rate, the injected noise is drifting, causing the stimulus of different photodiodes. As a result, the color of the injected noise changes between consecutive frames. Panels: (a) Frame $n - 1$, (b) Frame $n$.

Transmission. Once the signal has been extracted and interpolated, it can be transmitted. Given that the amplitude of the attack signal determines the amount of electric charge induced into the image sensor, the input image is modulated onto the carrier wave using amplitude modulation. An end-to-end representation of the three attack steps is depicted in Figure 4.

Figure 4: Overview of the necessary steps to generate a malicious attack signal. First, the signal to be transmitted is extracted from the input image by calculating the luminance $Y$ for each pixel. Second, the extracted signal is interpolated to ensure the different sample rates match. Finally, the interpolated signal is modulated onto the carrier wave and transmitted via the software-defined radio.

Sebastian Köhler, Richard Baker, and Ivan Martinovic

[Figure 6 diagram labels: EMI Shielded Box; Software-defined Radio (Ettus Research USRP N210); Camera]

Figure 6: Experimental setup used for our evaluation. The camera was placed inside an EMI shielded box to prevent interference with and from other devices.

6 EVALUATION
We evaluated the susceptibility to intentional electromagnetic interference of two different CCD image sensors. In this section, we describe our method and present the results.

6.1 Experimental Setup
We arranged equipment to examine the effects of interference signals on CCD cameras. An overview of the experimental setup is given in Figure 6. The camera under test was placed inside an RF shielded box, along with the transmission antenna, at a fixed distance $d$. The camera was connected to a desktop PC, to capture the image output. The attack transmitter was an Ettus Research USRP N210 software-defined radio, driven over Ethernet by the same desktop PC, running Ubuntu 18.04 and GNURadio 3.8. The USRP was equipped with a UBX-40 daughterboard, which provides a maximum output power of 100 mW [22]. The antenna was an omnidirectional monopole exhibiting 3 dBi gain and optimised for transmission at 900 MHz.

Two different CCD cameras were tested, namely a DFM 25G445-ML and a 420TVL CCTV board camera [3]. The DFM 25G445-ML is a professional GigE color board camera used in a wide variety of applications, for instance industrial automation, quality assurance and surveillance [28], and is equipped with a Sony ICX445AQA image sensor [27]. This camera was directly connected to the desktop PC via a shielded Ethernet cable (S/FTP). In contrast, the CCTV board camera uses an unspecified 1/3" CCD Sony image sensor and only provides an analog composite video output. Such analog image sensors can often be found in older CCTV cameras or cheap drones. The analog image output was passed through a VHS-to-USB capture device [2] to digitize the video signal before it was delivered to the PC.

The use of an RF shielded box ensured that the experiments were not corrupted, either by outside signal sources, or by the attack signal affecting components downstream of the CCD camera itself. Its presence also ensured that we were compliant with relevant regulations on use of radio spectrum. To validate that the attack signal was not induced into downstream components, such as cabling or the VHS-to-USB capture device, we tested the attack with the camera switched off, in which case no effects were observed.

The RF shielded box also provided a controlled lighting environment, providing a dark scene that was not affected by variations in ambient light outside. This allowed a more accurate measurement of the impact of the attack. Under normal operation all the captured video frames were almost entirely black. Only some pixels were colored due to the various types of noise, such as readout and dark current shot noise, generated by the camera itself [14, 42].

The shielded box provides only an RS232 port for cable pass-through, so in order to connect the cameras to the PC, we routed the connections via shielded RS232 adapters. For the DFM 25G445-ML we used an RJ45 to RS232 adapter, while the analog CCTV camera was connected via an RS232 breakout adapter.

To measure the impact of any given attack signal, we captured a series of video frames with the attack signal off (“legitimate frames”) or on (“malicious frames”). We collected three legitimate frames and seven malicious frames. The frames were then compared using the Structural Similarity Index Measure (SSIM) [39]. The SSIM compares two images and results in a high value if they are similar or a low value if they are dissimilar². As each camera under test was observing a controlled scene, any dissimilarity in the output image can be considered the result of the injected attack signal (along with a small amount of random sensing noise). Indeed, for consecutive legitimate frames, the SSIM remained consistently high and close to a value of 1.0 (only dipping below due to sensing noise). Each malicious frame was compared with each legitimate frame to produce 21 SSIM values and the mean value taken. This averaging not only reduced the effect of sensing noise, but also that of injected distortions affecting each frame differently due to a lack of synchronization. Along with the SSIM, other image quality metrics were collected and are presented in Appendix A. We focus on the SSIM throughout this evaluation, noting that the results of each metric were similar and would only influence parameter values rather than any procedural change.

² The source code for our evaluation is available at https://github.com/ssloxford/ccd-signal-injection-attacks

6.2 Carrier Frequency $f_c$
Components within the image sensor will be most susceptible to signal injection near their resonant frequencies. While it is theoretically possible to model and calculate the likely resonant frequencies for a target image sensor, many factors influence the calculation, making it non-trivial and error-prone. In this section, we describe empirical testing used to determine the most effective carrier frequency for the two tested cameras.

6.2.1 Method. We captured video frames while performing a frequency sweep with the transmitter; ranging the carrier frequency from 50 to 5000 MHz in a step size of 1 MHz. At each step, the transmitter modulated a 1 kHz sine wave onto the carrier at a sample rate of 25 MSPS. For this experiment, the antenna distance $d$ was set at approximately 3 cm and the output power of the software-defined radio was set to the maximum (20.1 dBm, ∼100 mW).

For both cameras, the settings were set to auto, which means the exposure time and gain were automatically set by the camera itself.

Ten frames were captured (three legitimate, seven malicious) and compared using the SSIM metric, as described above. The most effective carrier frequency was selected based on the smallest SSIM value. In other words, the frequency that caused the smallest SSIM values must have induced the most significant perturbations. On the other hand, an ineffective carrier frequency did not induce any signal charge and led to high SSIM values similar to those measured between legitimate frames.
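The frame comparison described in Sections 6.1 and 6.2.1 (every malicious frame against every legitimate frame, 21 SSIM values, then the mean), written out as an added example; it is not the authors' published evaluation code. Assumptions: the frames are constructed synthetic 64×64 greyscale frames, the stripe disturbance is an arbitrary stand-in, and SSIM is computed over non-overlapping 8×8 tiles rather than the sliding Gaussian window of the reference metric [39].

```python
import random
from itertools import combinations, product
from statistics import fmean

# Standard SSIM stabilising constants for 8-bit images (K1 = 0.01, K2 = 0.03).
C1 = (0.01 * 255) ** 2
C2 = (0.03 * 255) ** 2
TILE = 8  # assumption: non-overlapping 8x8 tiles, not a sliding Gaussian window


def tile_ssim(a, b):
    """SSIM of two equally long pixel lists (one tile from each frame)."""
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = sum((x - mu_a) ** 2 for x in a) / (n - 1)
    var_b = sum((y - mu_b) ** 2 for y in b) / (n - 1)
    cov = sum((x - mu_a) * (y - mu_b) for x, y in zip(a, b)) / (n - 1)
    luminance = (2 * mu_a * mu_b + C1) / (mu_a ** 2 + mu_b ** 2 + C1)
    structure = (2 * cov + C2) / (var_a + var_b + C2)
    return luminance * structure


def ssim(frame_a, frame_b):
    """Mean tile SSIM of two greyscale frames given as lists of pixel rows."""
    if len(frame_a) != len(frame_b) or len(frame_a[0]) != len(frame_b[0]):
        raise ValueError("frames must have identical dimensions")
    rows, cols = len(frame_a), len(frame_a[0])
    scores = []
    for top, left in product(range(0, rows - TILE + 1, TILE),
                             range(0, cols - TILE + 1, TILE)):
        cells = [(r, c) for r in range(top, top + TILE)
                 for c in range(left, left + TILE)]
        scores.append(tile_ssim([frame_a[r][c] for r, c in cells],
                                [frame_b[r][c] for r, c in cells]))
    return fmean(scores)


def legitimate_baseline(legit):
    """Mean SSIM among legitimate frames only (sensing noise alone)."""
    return fmean(ssim(a, b) for a, b in combinations(legit, 2))


def attack_score(legit, malicious):
    """Mean SSIM over every legitimate/malicious pair (3 x 7 = 21 values)."""
    return fmean(ssim(a, b) for a in legit for b in malicious)


def delta_ssim(legit, malicious):
    """Drop in similarity relative to the noise-only baseline
    (the Delta SSIM that Section 6.3.1 of the paper defines)."""
    return legitimate_baseline(legit) - attack_score(legit, malicious)


# --- constructed sample data, not captured from a camera -------------------
def dark_frame(rng, size=64, sigma=1.5):
    """Nearly black frame with a little sensing noise."""
    return [[int(abs(rng.gauss(0.0, sigma))) for _ in range(size)]
            for _ in range(size)]


def disturbed_frame(rng, size=64, amplitude=40):
    """Dark frame plus horizontal stripes at a random row offset per frame,
    standing in for distortions that hit each frame differently."""
    offset = rng.randrange(8)
    frame = dark_frame(rng, size)
    for r, row in enumerate(frame):
        if ((r + offset) // 4) % 2 == 0:
            frame[r] = [min(255, p + amplitude) for p in row]
    return frame


def run_demo(seed=2022):
    rng = random.Random(seed)
    legit = [dark_frame(rng) for _ in range(3)]
    malicious = [disturbed_frame(rng) for _ in range(7)]
    return (legitimate_baseline(legit), attack_score(legit, malicious),
            delta_ssim(legit, malicious))


if __name__ == "__main__":
    base, attacked, delta = run_demo()
    print(f"baseline={base:.3f} attacked={attacked:.3f} delta={delta:.3f}")
```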

6.2.2 Results. The results of the frequency sweep for both cameras, the DFM 25G445-ML and the analog CCTV board camera, are visualized in Figure 7. As the graphs show, the most effective carrier frequency was 190 MHz for the DFM 25G445-ML and 341 MHz for the analog CCTV board camera. At these respective frequencies the distortion level was comparable for each camera, with SSIM values below 0.4 in both cases. However, the range of effective frequencies was different in each case. For the DFM 25G445-ML, a wide range of frequencies had a noticeable effect on the image, while the analog camera exhibited only a small range of effective frequencies. For both cameras, the highest SSIM values were already quite low, below 0.8 consistently. This is due to the cameras being set in auto mode, causing them to increase exposure and gain settings in an attempt to compensate for the dark environment in the shielded box. The impact of sensing noise is increased under these circumstances.

These results indicate that an attacker could inject a malicious signal for either camera and affect the output image substantially. The freedom for an attacker to select a convenient transmission frequency depends on the target camera.

Due to space constraints and the option to precisely control the camera parameters, such as exposure and gain, which allows us to evaluate the attack under controlled conditions, the rest of the paper will focus on the evaluation and results of the DFM 25G445-ML. Nevertheless, since we know that the analog CCTV board camera is also vulnerable to signal injection attacks under the same attack settings, the following findings will be applicable to it too.

6.3 Transmission Power
The transmission power of the malicious signal is a decisive factor for the success of the attack. Depending on the environment, target camera and its settings, the minimum required power varies. In this section, we present an analysis of the relationship between signal strength and the amount of induced distortions for the DFM 25G445-ML.

6.3.1 Method. To determine the minimum required transmission power under different settings and to evaluate the relationship between the required output power and the amount of perturbations, we tested the DFM 25G445-ML at a fixed distance of 3 cm from the transmitting antenna. In accordance with the results of the frequency sweep, we set the carrier frequency to 190 MHz and then varied the transmission power from -6.8 dBm to 20.1 dBm (output power at $f_c = 190$ MHz as measured with an oscilloscope). We repeated the experiment for a range of camera gain settings.

Under real-world conditions, the ambient lighting of the environment would influence the exposure and gain settings of the camera. However, there is an upper limit on the exposure value that can be used without reducing the frame rate. In low light level environments, for example indoors with only artificial lighting, it is highly likely that a camera will increase the gain of the amplifier in the measurement unit to compensate for the low ambient brightness. For all experiments the exposure time was set to the smallest possible value (10 µs), but the gain values ranged from 0 to 29 (unitless values as offered by the camera control software).

As with the previous experiments, we collected ten frames, three legitimate and seven malicious, and calculated the SSIM between them. However, as the gain increases, the noise floor in the captured frames increases, resulting in a lower structural similarity, even between legitimate frames. To circumvent this issue and to facilitate the comparison of the results, we calculated the change in SSIM values, $\Delta SSIM$:

$$\Delta SSIM = SSIM_{legitimate} - SSIM_{malicious}. \tag{4}$$

where $SSIM_{legitimate}$ is calculated among legitimate frames only and $SSIM_{malicious}$ is measured between legitimate and malicious frames. This approach makes it easier to identify the additional interference caused by the signal injection attack.

6.3.2 Results. As can be seen in Figure 8a, for a high image sensor gain, the signal strength of only -2.1 dBm was sufficient to induce a malicious signal charge into the CCD image sensor of the DFM 25G445-ML. The results indicate that under such advantageous conditions for the adversary, increasing the transmission power to 20.1 dBm (∼100 mW) can induce considerable noise.

Remarkably, however, the output power of the USRP was even enough to cause distortions when the amplifier of the measurement unit was switched off. This suggests that the attacker is not reliant upon vulnerable configuration within the target camera, as long as they are able to increase their transmission power to compensate. Indeed, increasing transmission power, rather than relying on high image sensor gain, is beneficial for the attacker. We observed, somewhat surprisingly, that with the highest image sensor gain of 29, the injected noise level was lower than with a gain of 25. This was because at such a high gain, the low level sensing noise was amplified such that it already saturated some pixels — making it impossible to further increase the signal charge for these pixels via the signal injection attack. Instead, if the gain is kept low, the attacker can inject their signal with a high signal-to-noise ratio.

6.4 Attack Distance
While the attack signal propagates through space, it is attenuated. Therefore, the effect of the attack diminishes with increasing distance between the target camera and the malicious transmitter. In the following, we evaluated the feasibility of the attack for different distance settings.

6.4.1 Method. We used the same experimental setup as described previously and depicted in Figure 6. However, this time we fixed the transmission power of the USRP to the maximum (20.1 dBm, ∼100 mW) and only varied the distance between the camera and the transmitting antenna. We emitted a sine wave with a frequency of 1 kHz that was modulated onto a carrier wave with $f_c = 190$ MHz. In line with previous experiments, we collected three legitimate and seven malicious frames for each distance setting. Due to the size limitations of the shielded box, we had to restrict the evaluated distances to 3, 10, 20, and 50 cm. Again we calculated $\Delta SSIM$ between legitimate and malicious frames.

6.4.2 Results. Consistent with our expectations, Figure 8b shows that, as the distance between the target and the transmitter increased, the amount of induced signal charge decreased. The results indicate that the transmission power of the USRP without an amplifier is not sufficient to inject distortions into the frames
from more than 50 cm away. In such a setting, not even a high camera gain, the most beneficial setting for the adversary, is enough to cause substantial image distortions. While this represents the limits of our experimental setup, higher received power could be stimulated straightforwardly by an attacker, in order to improve the range of the attack — either by increasing transmission power or employing a directional antenna with higher gain. Based on the same assumptions as in [16], we can utilize the Friis transmission equation to roughly estimate the requirements for an attack at a certain distance $d$:

$$P_r = P_t + G_t + G_r + 20 \log_{10}\left(\frac{\lambda}{4\pi d}\right), \tag{5}$$

where $P_t$ is the transmission power of the attack signal in dBm, $G_t$ and $G_r$ are the antenna gains of the transmitting and receiving antennas in dBi and $\lambda$ is the wavelength corresponding to the selected carrier frequency $f_c$.

Interestingly, the amount of induced noise from 20 cm away exceeded the amount coupled onto the circuit from a distance of only 10 cm. This result can be explained by the fact that the antenna was aligned at a different angle to the camera, i.e., the camera was placed slightly outside the radiation pattern of the antenna.

[Figure 7 plots: SSIM against carrier frequency $f_c$ (MHz), 50 to 5000 MHz; (a) DFM 25G445-ML, marked at 190 MHz; (b) Analog CCTV board camera, marked at 341 MHz]

Figure 7: Results of the frequency sweep. The SSIM represents the similarity between the frames captured during normal operation and while an attack signal at the carrier frequency $f_c$ was emitted.

[Figure 8 plots: (a) SSIM vs. Transmission Power $P_{out}$: $\Delta SSIM$ against transmission power $P_{out}$ (dBm) at -6.8, -2.1, 2.8, 7.7, 12.7, 16.5 and 20.1 dBm, legend 0, 5, 10, 15, 20, 25, 29; (b) SSIM vs. Distance: $\Delta SSIM$ against distance (cm) at 3, 10, 20 and 50 cm]

Figure 8: Evaluation results for different camera gain settings. The upper part depicts the relationship between the transmission power $P_{out}$ and the amount of noise induced into the DFM 25G445-ML from a fixed distance of 3 cm. The lower part illustrates how the injected noise diminishes with increasing distance between the camera and the transmitter for the maximum transmission power of 20.1 dBm.

6.5 Evaluation of CMOS Image Sensors
Our hypothesis is that CCD image sensors are vulnerable to intentional EMI due to their architecture. As elaborated in Section 3, the single measurement unit makes CCD image sensors more susceptible to noise. In contrast, CMOS image sensors that have a measurement unit in each pixel would not be expected to be as susceptible, since the EMI has less opportunity to couple onto the image sensor before the amplification process. We conducted an experiment to verify this expectation.

6.5.1 Method. We repeated the carrier frequency experiment described in Section 6.2, using two CMOS cameras instead of CCD units. We tested a Logitech C922, a widely used webcam, and an Axis M3045-V semi-professional dome surveillance camera. As with the CCD cameras, we specifically chose these cameras based on their capability to manually adjust camera settings such as gain and exposure. For each camera we selected an attack distance of 3 cm and performed a carrier frequency sweep from 50 to 5000 MHz with a step size of 1 MHz, while modulated by a 1 kHz sine wave. We again captured three legitimate and seven malicious frames and computed the SSIM values.

6.5.2 Results. In Figure 9, the results of the frequency sweep for the two tested cameras are presented. As expected, the SSIM values for both cameras are consistently high, except for a few occasions for the Logitech C922. We inspected and tested the carrier frequencies for the unexpectedly low SSIM values manually to investigate if signal injection attacks at these frequencies would be possible. However, all attempts were unsuccessful. We suspect that the reason for these outliers was most likely a problem in the communication
between the camera and the PC it was connected to. The results indicate that the tested CMOS image sensors are not susceptible to electromagnetic emanation. At the same time, they also confirm our hypothesis that signal injection attacks against CCD image sensors are uniquely a product of their architecture. This does not necessarily rule out other EMI attacks on CMOS image sensors under different circumstances, but we consider that to be beyond the scope of this paper.

[Figure 9 plots: SSIM against carrier frequency $f_c$ (MHz), 50 to 5000 MHz; (a) Axis M3045-V; (b) Logitech C922; marked frequencies: 2527 MHz, 3229 MHz, 3711 MHz]

Figure 9: Results of the frequency sweep for the two tested cameras with CMOS image sensors. The SSIM represents the similarity between the frames captured during normal operation and while an attack signal at the carrier frequency $f_c$ was emitted.

6.6 Fine-Grained Control
In this section, we show how an adversary can exploit fine-grained control over the captured image information.

6.6.1 Method. We replicated the experimental setup as previously described and depicted in Figure 6. The camera was placed 3 cm away from the transmitting antenna, and the image sensor gain was set to 29. We then executed the attack by following the steps described in Section 5. In the case of the DFM 25G445-ML, it was easy to infer from the datasheet that the sample rate of the underlying Sony ICX445AQA image sensor is 36 MHz. Based on the earlier results, the transmission was made with $f_c = 190$ MHz and peak transmission power of 20.1 dBm.

6.6.2 Result. The resulting frame is shown in Figure 10. The banner image for the AsiaCCS 2022 conference is visible, with both the text and cityscape identifiable to the human eye³. To demonstrate the possibilities of such fine-grained injections, we uploaded the frame with the injected logo to the Google Cloud Vision API [9], which correctly recognized the text “ACM ASIACCS 2022”. The output from the API request is depicted in Figure 19 in the Appendix.

³ For clarity in print, we give an artificially brightened version of the image in Appendix B.

Figure 10: Example of a signal injection attack, illustrating the fine-grained control an adversary can gain over the captured frame.

6.7 Use Case: Barcode Scanning
To illustrate an end-to-end attack, we consider the case of automated barcode scanning in manufacturing or logistics. One major advantage of CCD image sensors is the global shutter behavior, meaning that all pixels are exposed and read out at the same time, allowing the capture of images that are free from geometric distortion, even when moving quickly. For this benefit, in combination with their high sensitivity, CCD image sensors can often be found in cameras used for barcode scanning in warehouses [13, 41]. This process plays a crucial role in tracking items through industrial processes and accounting for inventory. We consider an attack that seeks to remotely disrupt the performance of the barcode scanning, thereby either inhibiting the efficient flow of tracked items or corrupting the inventory management of the facility. As automated CCD barcode scanners often handle hundreds of barcodes per second [1], even a short attack can quickly impact a large number of items.

Scanning a barcode relies on the color contrast between bright and dark bars. In this section, we show how a malicious signal can break this contrast and cause the barcode reading to fail.

Experimental Setup. Similar to the experimental setup in the previous section, we placed the DFM 25G445-ML in the RF shielded box 3 cm away from the transmitting antenna. However, additionally, we placed a cardboard box with two barcodes together with a light inside the box. The camera parameters were set to match the settings that would be chosen by the automatic exposure and automatic gain control for an indoor environment with artificial ceiling lighting, as it can be found, for instance, in a warehouse. To be more precise, we tested exposure times ranging from 20,000 µs to 33,000 µs and image sensor gains from 0.0 to 8.7. The camera was connected to a PC running a Python script that captured frames with a frame rate of 30 FPS. The captured frames were analyzed
for barcodes using the popular library pyzbar. If a barcode was detected, we stored the decoded data in a CSV file. For each parameter configuration we collected 1,000 frames — 500 under normal operation and 500 while emitting random noise at $f_c = 190$ MHz. The transmission power of the USRP was again set to the maximum (20.1 dBm).

Results. The results of our experiments clearly show that injecting random noise into a CCD image sensor used for barcode scanning can substantially reduce the reliability of the scanning system. In Figure 12, we present the results for different camera settings. For the lowest selected exposure of 20,000 µs and no additional amplification of the signal charge the captured frames were slightly underexposed. This led even during normal operation to a detection rate of only 50%. As such, it is not surprising that the injected noise reduced the detection rate even further. However, increasing the exposure time and the gain improved the performance under normal operation significantly, leading to a consistent detection rate above 99%. At the same time, the attack effectiveness diminished with increasing exposure time, and contrary to our expectations, for higher gains. This observation can be explained by the increasing contrast between the white background and the black bars of the barcode. Nevertheless, under optimal settings, for instance, for $Exposure = 20000$ µs and a gain of 8.7, the attack caused the detection rate to drop to 1%. In Figure 11, two example frames, captured during normal operation and while emitting the attack signal, are depicted.

[Figure 11 images: (a) Normal operation; (b) Under attack]

Figure 11: Example frames from the barcode scanner captured by the DFM 25G445-ML. The left frame was captured during normal operation, while the right frame was collected during the transmission of a malicious signal. The injected noise is barely noticeable, but causes the detection of the barcodes to fail.

[Figure 12 plots: detection rate (%) against camera gain (0, 4.7, 6.7, 8.7) for Exposure = 20000 µs, Exposure = 28000 µs and Exposure = 33000 µs; series: Normal Operation, Attack]

Figure 12: Results of the automatic barcode scanning under different lighting settings.

7 LIMITATIONS
In this section, we provide an overview of the limitations of our evaluation and the signal injection attack itself.

7.1 Evaluation Limitations
In this paper, we presented the first approach of a post-transducer signal injection attack against CCD image sensors to raise awareness about such attacks and their potential impact. However, our evaluation has some limitations.

First, we evaluated the signal injection attack on two different commercial off-the-shelf cameras equipped with CCD image sensors. However, as mentioned earlier, CCD image sensors are often used in scientific, professional, or even military applications. Although we believe that the results of this paper are applicable to any other CCD image sensor, it is not guaranteed that image sensors used in such specialized applications will not be better protected.

Second, as described in Section 6.1, we only had access to a small RF shielded enclosure. The dimensions of the box constrained the setup of our experiments to short distances between the malicious transmitter and the target camera. As a result, we only investigated the attack success for short distances up to 50 cm. In addition, we only tested the attack with a low output power of 100 mW maximum to ensure that we comply with local regulations and our signal does not interfere with any legitimate communication channels.

7.2 Attack Limitations
The signal injection attack in its most basic approach, as it is presented in this paper, has some limitations that are difficult to work around and have to be taken into account by the adversary.

Our threat model assumes that the adversary cannot access the video feed of the target camera. As described in Section 5, it is therefore not possible to synchronize the readout of the signal charge with the attack signal. This lack of synchronization introduces two major issues. First, the injected perturbation appears at random locations $(\hat{x}, \hat{y})$, making it impossible for the adversary to target specific parts of the frame. Second, as we showed in Section 5.1, it is not possible to stimulate a certain color channel. Nevertheless, depending on the intentions of the adversary, these limitations might not be important. For instance, if the goal is to fool an object detection algorithm, the attacker could draft adversarial examples that are effective independent of the injected location [23]. We consider our assumptions realistic but limiting and highlight that if the adversary could obtain synchronization, by monitoring the camera output, they would enjoy far greater control over the final image.

8 COUNTERMEASURES
Countermeasures to protect sensors from signal injection attacks can be divided into two categories — attack prevention and attack detection. In this section, we discuss various approaches for both categories in the context of intentional EMI against CCD image sensors.
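Section 8.2.3 proposes a detector that can be deployed in software: drop the exposure to its minimum for single frames at unpredictable times and raise an alarm if those frames still carry signal. The following is an added example of that check, not code from the paper; the `SimulatedCcd` class, its parameters and the threshold rule (calibrated mean plus six standard deviations plus a margin) are assumptions made for illustration.

```python
import random
import secrets
from statistics import fmean, pstdev

MIN_EXPOSURE_US = 10         # shortest exposure reported for the DFM 25G445-ML
NORMAL_EXPOSURE_US = 20_000  # one of the exposures used in the barcode experiment


class SimulatedCcd:
    """Constructed stand-in for a camera driver (hypothetical interface).

    pixel = light charge (grows with exposure) + sensing noise
            + charge coupled in after the photodiodes (ignores exposure)
    """

    def __init__(self, pixels=1024, light_per_us=0.004, noise_sigma=1.5, seed=1):
        self.pixels = pixels
        self.light_per_us = light_per_us
        self.noise_sigma = noise_sigma
        self.injected = 0.0            # > 0 emulates EMI on the readout path
        self._rng = random.Random(seed)

    def capture(self, exposure_us):
        light = self.light_per_us * exposure_us
        frame = []
        for _ in range(self.pixels):
            noise = abs(self._rng.gauss(0.0, self.noise_sigma))
            emi = self.injected * self._rng.random()
            frame.append(min(255, int(light + noise + emi)))
        return frame


def calibrate(camera, frames=50, k=6.0, margin=0.5):
    """Learn the challenge-frame level in a known-clean state.

    Calibrating on site accounts for dark-current noise and for charge that
    bright ambient light still generates at the minimum exposure.
    """
    levels = [fmean(camera.capture(MIN_EXPOSURE_US)) for _ in range(frames)]
    return fmean(levels) + k * pstdev(levels) + margin


def monitor(camera, n_frames, threshold, challenge_prob=0.2, schedule=None,
            inject_from=None, inject_level=40.0):
    """Run the camera, replacing random frames with minimum-exposure challenges.

    Returns (alarm_frame_indices, usable_frame_count). `inject_from` switches
    the simulated interference on at that frame index (demo only).
    """
    # Challenge timing must be unpredictable, so default to the OS CSPRNG.
    schedule = schedule or secrets.SystemRandom()
    alarms, usable = [], 0
    for index in range(n_frames):
        if inject_from is not None and index >= inject_from:
            camera.injected = inject_level
        if schedule.random() < challenge_prob:
            level = fmean(camera.capture(MIN_EXPOSURE_US))
            if level > threshold:      # signal although no light was integrated
                alarms.append(index)
        else:
            camera.capture(NORMAL_EXPOSURE_US)
            usable += 1                # challenge frames are lost to the application
    return alarms, usable


def run_demo():
    schedule = random.Random(7)        # fixed seed only to make the demo repeatable
    clean = SimulatedCcd(seed=1)
    clean_alarms, _ = monitor(clean, 200, calibrate(clean), schedule=schedule)

    sunny = SimulatedCcd(light_per_us=0.5, seed=2)   # charge even at 10 us
    sunny_alarms, _ = monitor(sunny, 200, calibrate(sunny), schedule=schedule)

    target = SimulatedCcd(seed=3)
    alarms, usable = monitor(target, 200, calibrate(target), schedule=schedule,
                             inject_from=100)
    return clean_alarms, sunny_alarms, alarms, usable


if __name__ == "__main__":
    print(run_demo())
```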

8.1 Attack Prevention
The prevention of intentional EMI is challenging and can often be seen as an arms race between the defender and the attacker.

8.1.1 Shielding. The most obvious solution to prevent a malicious signal from coupling onto the image sensor circuit is shielding. However, sensors that have to interact with their surroundings are not easy to shield. For example, in the case of an image sensor, light has to reach the photodiode array. While it is possible to add a fine metallic mesh in front of the sensing part, it diminishes the quality of the captured frames and only provides limited protection. Furthermore, shielding affects the airflow and the thermal dissipation. This is especially disadvantageous for CCD image sensors since higher temperatures cause the generation of more dark current [42]. Moreover, retrofitting the camera with additional shielding is expensive, time-consuming, and potentially not even possible. Finally, shielding cannot fully protect from malicious electromagnetic waves. Although shielding does attenuate the induced signal, the effectiveness depends on the thickness of the shield [32]. A sophisticated adversary with powerful equipment might still be able to emit a signal that can penetrate the shielding and couple onto the target image sensor.

8.1.2 Camera Redundancy. Another straightforward protection approach is the usage of multiple cameras. Ideally, the second camera is equipped with a different image sensor model to reduce the likelihood that its circuitry will respond to the same resonant frequency. Nevertheless, adding camera redundancy significantly increases the costs and provides only limited improvement in protection, as the attacker can still target both image sensors.

8.2 Attack Detection
Recent academic research has proposed multiple approaches to detect signal injection attacks against different types of sensors. In comparison to attack prevention mechanisms, detection approaches can often be implemented in software and are easier to deploy retrospectively.

8.2.1 Dummy Sensor. Similar to camera redundancy, the authors in [35] proposed a kind of sensor redundancy. However, the second sensor, which should be placed directly next to the sensor to be protected, is only a so-called dummy sensor. It is a duplicate of the original sensor with exactly the same circuit and properties to ensure that it responds to the same resonant frequency. However, it does not have a sensing part. Therefore, no voltage can be generated through an external, physical stimulus leading to a sensor output of always 0 V. In case the microcontroller can measure a voltage at the sensor output, the signal was potentially injected via a post-transducer signal injection attack. Since the observed signal from the dummy sensor is the raw attack signal, it can be used to correct the signal measured by the original sensor.

Although this approach could be applied to CCD image sensors, it has various drawbacks. The major disadvantage is that the total size of the image sensor would become twice as large. This is in particular an issue for larger sensor arrays composed of multiple CCD image sensors, as they are used in telescopes and satellites, since doubling the size of the sensor array would be impractical. Moreover, such image sensors are highly complex with sophisticated architectures making them very expensive. Producing a dummy sensor with the exact same properties will almost certainly not only double the size, but also the price. Finally, it is not guaranteed that the resonant frequency of the dummy sensor matches the one of the original sensor.

8.2.2 Modulating the Sensor. The detection mechanism PyCRA proposed by [24] is another promising approach to detect signal injection attacks. The idea is similar to the previously described dummy sensor. If an active sensor, i.e., a sensor with an emitter and a sensing part, for example, a Light Detection and Ranging (LiDAR) sensor, does not emit a signal, the sensing part should not be able to measure a response. If this is still the case, the probability that the signal is not authentic is relatively high and an alarm can be raised. The disadvantage of this method is that it is tied to active sensors. To circumvent this limitation, [48] introduced the idea of sensor modulation. A passive sensor only senses a physical property and outputs a voltage when it is powered. If the sensor is switched off, no voltage should be present on the sensor output and the microcontroller should measure 0 V. For both of the discussed detection mechanisms, it is impossible for an attacker to inject a malicious signal without being detected if the sensors or the emitter are turned on and off in an unpredictable, random sequence.

8.2.3 Adapting existing Detection Mechanisms. For the detection of post-transducer signal injection attacks against CCD image sensors, we can adapt the two aforementioned detection techniques. Since image sensors do not have an emitter, we can only control the sensing part. However, the photodiode array is always on, which means a signal charge is generated as soon as light falls onto it. Therefore, instead of turning the sensor on and off, we propose reducing the exposure time of the image sensor to the lowest possible value for the duration of a single frame in an unpredictable, random sequence. Due to the very short exposure time, none or minimal signal charge should be generated. As in [24] and [48], if the sensor still captures a signal, then it is highly likely that the voltage was caused by EMI coupling onto the circuit. The main advantage of this method is that it can be implemented in software and deployed retrospectively. Unfortunately, this approach also has drawbacks. First, the low exposure time renders the captured frame useless, which subsequently reduces the frame rate. Second, in environments with high ambient light levels, such as outdoors on a sunny day, even the shortest exposure time might generate signal charge. Finally, depending on the image sensor, the noise floor caused by dark current noise could be sufficient to trigger the detection mechanism.

9 CONCLUSION
We have shown that CCD image sensors can be susceptible to intentional electromagnetic interference. Our experiments suggest that this susceptibility stems from the fundamental architecture of CCD image sensors; as the phenomenon remains present across individual designs and yet is absent in devices built on CMOS architectures. The presented attack allows an adversary to manipulate the captured frames down to the granularity of single pixels. While CCD image sensors are no longer the dominant architecture, they are still widely used in a range of professional applications. Therefore,
we conclude that the signal injection attacks we have shown pose a serious threat to applications relying on the input from cameras equipped with CCD image sensors.

10 ACKNOWLEDGEMENTS
Sebastian Köhler was supported by the EPSRC and the Hans Böckler Foundation.

REFERENCES
[1] Inc. Allied Automation. 2021. TC1200 Fixed Industrial Scanner. https://www.allied-automation.com/partners/datalogic/fixed-industrial-barcode-readers/
[2] Amazon.com. [n. d.]. Jancane USB 2.0 Audio/Video Converter. https://amazon.com/dp/B07NPFJJ7K
[3] Amazon.com. [n. d.]. SONY CCTV Camera Color Board CCD. https://www.amazon.com/dp/B0044M1VR6
[4] BE Bayer. 1976. Colour filter array. United States of America patent 3971065 (1976).
[5] Yulong Cao, Yimeng Zhou, Qi Alfred Chen, Chaowei Xiao, Won Park, Kevin Fu, Benjamin Cyr, Sara Rampazzi, and Z. Morley Mao. 2019. Adversarial sensor attack on LiDAR-based perception in autonomous driving. Proceedings of the
[24] Yasser Shoukry, Paul Martin, Yair Yona, Suhas Diggavi, and Mani Srivastava. 2015. Pycra: Physical challenge-response authentication for active sensors under spoofing attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 1004–1015.
[25] Pawan Sinha and Richard Russell. 2011. A perceptually based comparison of image similarity metrics. Perception 40, 11 (2011), 1269–1281.
[26] Jovan Skuljan. 2017. QuadCam–a quadruple polarimetric camera for space situational awareness. In Proc. 18th AMOS Conf. 275–285.
[27] SONY. [n. d.]. ICX445AQA Datasheet. https://www.argocorp.com/cam/ImagingSource/common/PDF/sensor/icx445aqa_1.2.en_US.pdf
[28] The Imaging Source. [n. d.]. DFM 25G445-ML. https://www.theimagingsource.com/products/board-cameras/gige-color/dfm25g445ml/
[29] Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu. 2020. Light commands: laser-based audio injection attacks on voice-controllable systems. In 29th USENIX Security Symposium (USENIX Security 20). 2631–2648.
[30] Synology. 2021. Synology Surveillance Station. https://synology.com/en-us/surveillance
[31] Bosch Security Systems. 2016. FW 6.30 Tamper Detection. https://resources-boschsecurity-cdn.azureedge.net/public/documents/TN_VCA_tamper_detect_WhitePaper_enUS_22996235531.pdf
ACM Conference on Computer and Communications Security (2019), 2267–2281. VCA_tamper_detect_WhitePaper_enUS_22996235531.pdf.
https://doi.org/10.1145/3319535.3339815 arXiv:1907.06826 [32] Xingcun Colin Tong. 2016. Advanced materials and design for electromagnetic
[6] Daniel Durini. 2019. High performance silicon imaging: Fundamentals and appli- interference shielding. CRC press.
cations of CMOS and CCD sensors. https://doi.org/10.1016/C2017-0-01564-1 [33] Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu.
[7] Dan M Duriscoe, Christian B Luginbuhl, and Chadwick A Moore. 2007. Mea- 2017. WALNUT: Waging doubt on the integrity of MEMS accelerometers with
suring night-sky brightness with a wide-field CCD camera. Publications of the acoustic injection attacks. In 2017 IEEE European Symposium on Security and
Astronomical Society of the Pacific 119, 852 (2007), 192. Privacy (EuroS&P). IEEE, 3–18.
[8] Ilias Giechaskiel and Kasper Rasmussen. 2020. Taxonomy and Challenges of Out- [34] Yazhou Tu, Zhiqiang Lin, Insup Lee, and Xiali Hei. 2018. Injected and delivered:
of-Band Signal Injection Attacks and Defenses. IEEE Communications Surveys Fabricating implicit control over actuation systems by spoofing inertial sensors.
Tutorials 22, 1 (2020), 645–670. https://doi.org/10.1109/COMST.2019.2952858 In 27th USENIX Security Symposium (USENIX Security 18). 1545–1562.
[9] Google. 2021. Google Cloud Vision API. [35] Yazhou Tu, Vijay Srinivas Tida, Zhongqi Pan, and Xiali Hei. 2021. Transduction
https://cloud.google.com/vision/docs/drag-and-drop. Shield: A Low-Complexity Method to Detect and Correct the Effects of EMI
[10] Eric Hagt and Matthew Durnin. 2009. China’s antiship ballistic missile: Develop- Injection Attacks on Sensors. In Proceedings of the 2021 ACM Asia Conference on
ments and missing links. Naval War College Review 62, 4 (2009), 87–115. Computer and Communications Security. 901–915.
[11] Steve B Howell. 2006. Handbook of CCD astronomy. Vol. 5. Cambridge University [36] International Communication Union. 2015. Recommendation ITU-R BT.709-6.
Press. https://www.itu.int/dms_pubrec/itu-r/rec/bt/R-REC-BT.709-6-201506-I!!PDF-
[12] Teledyne Imaging. 2020. The Future is bright for CCD Sensors. E.pdf.
https://www.teledyneimaging.com/media/1299/2020-01-22_e2v_the-future-is- [37] Robert Wacholc. 2019. Investigation into Noise and Stability Effects on CCD and
bright-for-ccd-sensors_web.pdf. Readout Electronics with Reference to the PLATO Mission. Ph. D. Dissertation. UCL
[13] SICK Inc. 2014. Automatic Identification Solutions for Logistics. https://www. (University College London).
sick.com/media/pdf/8/58/058/IM0059058.PDF [38] Zhou Wang and Alan C Bovik. 2002. A universal image quality index. IEEE signal
[14] Kenji Irie, Alan E Mckinnon, Keith Unsworth, and Ian M Woodhead. 2008. A processing letters 9, 3 (2002), 81–84.
model for measurement of noise in CCD digital-video cameras. Measurement [39] Zhou Wang, Alan C Bovik, Hamid R Sheikh, and Eero P Simoncelli. 2004. Image
Science and Technology 19, 4 (2008), 045207. quality assessment: from error visibility to structural similarity. IEEE transactions
[15] W Gray Jay Jerome. 2017. Practical guide to choosing a microscope camera. on image processing 13, 4 (2004), 600–612.
Microscopy Today 25, 5 (2017), 24–29. [40] Zhou Wang, Eero P Simoncelli, and Alan C Bovik. 2003. Multiscale structural sim-
[16] Denis Foo Kune, John Backes, Shane S Clark, Daniel Kramer, Matthew Reynolds, ilarity for image quality assessment. In The Thrity-Seventh Asilomar Conference
Kevin Fu, Yongdae Kim, and Wenyuan Xu. 2013. Ghost talk: Mitigating EMI signal on Signals, Systems & Computers, 2003, Vol. 2. Ieee, 1398–1402.
injection attacks against analog sensors. In 2013 IEEE Symposium on Security and [41] Daiyun Weng and Li Yang. 2012. Design and implementation of barcode manage-
Privacy. IEEE, 145–159. ment information system. In Information Engineering and Applications. Springer,
[17] Sebastian Köhler, Giulio Lovisotto, Simon Birnbach, Richard Baker, and Ivan 1200–1207.
Martinovic. 2021. They See Me Rollin’: Inherent Vulnerability of the Rolling [42] Ralf Widenhorn, Morley M Blouke, Alexander Weber, Armin Rest, and Erik
Shutter in CMOS Image Sensors. Bodegom. 2002. Temperature dependence of dark current in a CCD. In Sensors
[18] Yanmao Man, Ming Li, and Ryan Gerdes. 2020. GhostImage: Remote Percep- and Camera Systems for Scientific, Industrial, and Digital Photography Applications
tion Attacks against Camera-based Image Classification Systems. In 23rd In- III, Vol. 4669. International Society for Optics and Photonics, 193–201.
ternational Symposium on Research in Attacks, Intrusions and Defenses (RAID [43] Wenyuan Xu, Chen Yan, Weibin Jia, Xiaoyu Ji, and Jianhao Liu. 2018. Analyzing
2020). USENIX Association, San Sebastian, 317–332. https://www.usenix.org/ and enhancing the security of ultrasonic sensors for autonomous vehicles. IEEE
conference/raid2020/presentation/man Internet of Things Journal 5, 6 (2018), 5015–5029.
[19] Junichi Nakamura. 2006. Image sensors and signal processing for digital still [44] Chen Yan, Hocheol Shin, Connor Bolton, Wenyuan Xu, Yongdae Kim, and Kevin
cameras. 1–336 pages. https://doi.org/10.1201/9781420026856 Fu. 2020. Sok: A minimalist approach to formalizing analog sensor security. In
[20] Jonathan Petit, Bas Stottelaar, Michael Feiri, and Frank Kargl. 2015. Remote 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 233–248.
attacks on automated vehicles sensors: Experiments on camera and lidar. Black [45] Chen Yan, Wenyuan Xu, and Jianhao Liu. 2016. Can you trust autonomous
Hat Europe 11 (2015), 2015. vehicles: Contactless attacks against sensors of self-driving vehicle. DEF CON
[21] Kasper Bonne Rasmussen, Claude Castelluccia, Thomas S Heydt-Benjamin, and 24, 8 (2016), 109.
Srdjan Capkun. 2009. Proximity-based access control for implantable medical de- [46] Chen Yan, Guoming Zhang, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and
vices. In Proceedings of the 16th ACM conference on Computer and communications Wenyuan Xu. 2019. The feasibility of injecting inaudible voice commands to
security. 410–419. voice assistants. IEEE Transactions on Dependable and Secure Computing (2019).
[22] Ettus Research. 2021. UBX 40 USRP Daughterboard. https://www.ettus.com/all- [47] Sophia Yan. 2019. How innovative Hong Kong protesters are using lasers, traffic
products/ubx40/. cones and parkour in battle with police. https://www.telegraph.co.uk/news/2019/
[23] Athena Sayles, Ashish Hooda, Mohit Gupta, Rahul Chatterjee, and Earlence Fer- 08/02/innovative-hong-kong-protesters-using-lasers-traffic-cones-parkour/
nandes. 2021. Invisible Perturbations: Physical Adversarial Examples Exploiting [48] Youqian Zhang and Kasper Rasmussen. 2020. Detection of electromagnetic
the Rolling Shutter Effect. In Proceedings of the IEEE/CVF Conference on Computer interference attacks on sensor systems. In 2020 IEEE Symposium on Security and
Vision and Pattern Recognition. 14666–14675. Privacy (SP). IEEE, 203–216.
Appendices

A ADDITIONAL RESULTS OF THE FREQUENCY SWEEP TO FIND f_c

In this section, we present additional image quality metrics, calculated between legitimate and malicious frames collected during the frequency sweep described in Section 6.2.

MS-SSIM. In addition to the single-scale SSIM image quality metric used throughout the paper, a multi-scale approach, the so-called Multiscale Structural Similarity Index Measure (MS-SSIM), exists [40]. Depending on the parameters of the images that are compared, for instance, the resolution, MS-SSIM performs similarly to or better than SSIM. In our case, MS-SSIM performed almost identically to single-scale SSIM. As a result, both metrics determined the same carrier frequency, i.e., f_c = 190 MHz, to be the most effective one.

L2-Norm. The L2-Norm is a commonly used metric in the area of computer vision to highlight discrepancies in semantic information between images [25]. In Figure 15, the results of the frequency sweep for the L2-Norm are presented. It is immediately recognizable that, in contrast to other image metrics, the most effective carrier frequency is not represented by the smallest value, but rather by the largest. This is due to the fact that the L2-Norm evaluates the structural properties of an image. While Gaussian White Noise is random and does not have structured information, the induced noise tends to be more structured. Surprisingly, using the L2-Norm to determine the most effective carrier frequency f_c for the DFM 25G445-ML leads to a different result compared to SSIM and MS-SSIM. In contrast, for the analog CCTV board camera, f_c stays the same. This is explained by the circumstance that the carrier frequency also influences the structure of the injected noise. In Figure 13, this difference in noise structure is depicted. While an attack signal emitted at f_c = 276 MHz caused the noise to appear as fine-grained thin bars (Figure 13a), the same signal appeared as thick bars at f_c = 290 MHz (Figure 13b).

(a) f_c = 276 MHz  (b) f_c = 290 MHz

Figure 13: The same data modulated onto carrier waves with different frequency f_c causes different structured noise.

UQI. The Universal Image Quality Index (UQI) is another metric to measure the quality of an image [38]. The results of the frequency sweep in the form of the UQI are presented in Figure 16. Similar to the L2-Norm, the most effective carrier frequency for the DFM 25G445-ML is different from the one we observed for SSIM and MS-SSIM. However, again f_c stays the same for the analog CCTV board camera.

B POSTPROCESSED FIGURES

In the following, we present Figures 5 and 10 after being postprocessed manually with the image editing software GIMP to improve the visibility of the injected distortions for the printed version of this paper. More specifically, we increased the brightness, saturation and contrast of the image.

(a) Frame n − 1  (b) Frame n

Figure 17: This is a postprocessed version of Figure 5. Two consecutive example frames captured by the DFM 25G445-ML during the emission of random noise. Due to the wrong sample rate, the injected noise is drifting, causing the stimulus of different photodiodes. As a result, the color of the injected noise changes between consecutive frames.
[Figure 14 plots: x-axis Frequency f_c (MHz), y-axis MS-SSIM; panels (a) DFM 25G445-ML and (b) Analog CCD; labelled frequencies 190 MHz and 341 MHz]

Figure 14: Results of the frequency sweep represented in the form of the Multiscale Structural Similarity Index Measure (MS-SSIM) between the frames captured during normal operation and while an attack signal at the carrier frequency f_c was emitted.

[Figure 15 plots: x-axis Frequency f_c (MHz), y-axis L2-Norm; panels (a) DFM 25G445-ML and (b) Analog CCD; labelled frequencies 283 MHz and 341 MHz]

Figure 15: Results of the frequency sweep represented in the form of the L2-Norm between the frames captured during normal operation and while an attack signal at the carrier frequency f_c was emitted.

[Figure 16 plots: x-axis Frequency f_c (MHz), y-axis UQI; panels (a) DFM 25G445-ML and (b) Analog CCD; labelled frequencies 276 MHz and 341 MHz]

Figure 16: Results of the frequency sweep represented in the form of the Universal Image Quality Index (UQI) between the frames captured during normal operation and while an attack signal at the carrier frequency f_c was emitted.
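
The L2-Norm and UQI shown in Figures 15 and 16 compare a legitimate frame with a frame captured under attack. The following is an added example, not code from the paper, that computes both metrics in plain Python and shows that two distortions with the same L2 distance can receive different UQI scores, which is why the metrics can disagree when the noise structure changes. The frames, the bar-shaped distortions, the non-overlapping 8x8 windows and the unnormalised L2 distance are all assumptions constructed for this illustration.

```python
import math

def l2_distance(a, b):
    """Unnormalised Euclidean distance between two equally sized frames."""
    return math.sqrt(sum((p - q) ** 2
                         for ra, rb in zip(a, b) for p, q in zip(ra, rb)))

def _uqi_window(x, y):
    """Universal Image Quality Index for two flat lists of pixel values."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    vx = sum((p - mx) ** 2 for p in x) / n
    vy = sum((q - my) ** 2 for q in y) / n
    cxy = sum((p - mx) * (q - my) for p, q in zip(x, y)) / n
    var, lum = vx + vy, mx ** 2 + my ** 2
    if lum == 0:   # both windows all black (pixel values are non-negative)
        return 1.0
    if var == 0:   # both windows flat: only the luminance term remains
        return 2 * mx * my / lum
    return 4 * cxy * mx * my / (var * lum)

def uqi(a, b, win=8):
    """Mean index over non-overlapping win x win windows (simplified windowing)."""
    scores = []
    for r in range(0, len(a) - win + 1, win):
        for c in range(0, len(a[0]) - win + 1, win):
            cells = [(i, j) for i in range(r, r + win) for j in range(c, c + win)]
            scores.append(_uqi_window([a[i][j] for i, j in cells],
                                      [b[i][j] for i, j in cells]))
    return sum(scores) / len(scores)

def add_bars(frame, width, amplitude=40):
    """Constructed distortion: brighten every other vertical bar of `width` columns."""
    return [[v + (amplitude if (c // width) % 2 == 0 else 0)
             for c, v in enumerate(row)] for row in frame]

# Constructed 8x16 reference frame: a repeating horizontal brightness ramp.
REFERENCE = [[40 + 16 * (c % 8) for c in range(16)] for _ in range(8)]
THIN = add_bars(REFERENCE, width=1)    # fine-grained bars
THICK = add_bars(REFERENCE, width=4)   # coarse bars, same number of brightened pixels

if __name__ == "__main__":
    for name, frame in (("thin", THIN), ("thick", THICK)):
        print(name, l2_distance(REFERENCE, frame), round(uqi(REFERENCE, frame), 4))
```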

Figure 18: This is a postprocessed version of Figure 10. Example of a signal injection attack, illustrating the fine-grained control an adversary can gain over the captured frame.

Figure 19: Screenshot of the results from the Google Cloud Vision API. The injected text was correctly recognized.
