Metasurface-enabled smart wireless attacks at the physical layer

In current wireless communication systems, sophisticated attack strategies at the physical layer—the electromagnetic wave signals carrying the information—leave traces in the physical environment, which means such attacks are typically detectable. This may not be the case for future—sixth generation and beyond—wireless networks, whose current vision relies on the concept of smart radio environments, which use metasurfaces to manipulate wave signals in unconventional ways. Here we report metasurface-enabled smart wireless attacks at the physical layer. We illustrate both passive and active operational modes. In the passive mode, an attacker is capable of eavesdropping on the wireless information transfer of a target by controlling the programmable metasurface, without actively radiating any signal. In the active mode, an attacker can eavesdrop as well as falsify the wireless communications by sending deceptive information to the target. In both operational modes, the detectability of the attacker can be minimized. As a proof of concept, we create an attacker prototype working in the Wi-Fi band at around 2.4 GHz, and demonstrate its ability to hack wireless data streams. Our results highlight potential security threats for next-generation wireless networks, and emphasize the need to develop suitable mitigation strategies and specific security protocols at an early stage. Programmable metasurfaces can be used for wireless attacks at the physical layer, highlighting potential security threats for next-generation wireless networks.

Cryptographic encryption methods are increasingly complex and reliable. Direct attacks at the physical layer are, therefore, becoming a more viable alternative, particularly in wireless communications where signals propagate in an unbounded physical space. Conventional physical layer attackers use diverse penetration methods such as vulnerability analysis, information gathering and forensic sniffing; almost all these types of attack leave traces in the physical space, which makes them traceable. However, the development of wireless communications is focused on the advanced control and manipulation of electromagnetic waves at the physical layer, and this could inspire novel types of attack that are much more sophisticated and harder to detect. Information systems typically rely on massive antenna arrays in combination with beamforming techniques to simultaneously improve the range of wireless links and to reduce unwanted interference [1]. However, this bulky, costly and power-hungry hardware will struggle to meet the requirements of an ever-growing number of connection nodes [2]. Within this framework, programmable coding metasurfaces, which are thin and inexpensive, are an attractive alternative approach for advanced electromagnetic wave manipulation [3-5].
Article https://doi.org/10.1038/s41928-023-01011-0

Metasurface platforms were initially designed to serve on the transmitter side in combination with a carefully deployed antenna source, as an alternative to phased-array antennas for beamforming in (quasi) free space [3,4,6,7]. In terms of geometrical (number and location) and physical (signal response) port properties [8], they can be viewed as a multiport device linking, in an adaptive manner, multiple input channels (sources) to multiple output channels (receivers). The platforms (which can also be termed reconfigurable intelligent surfaces [9,10]) can be actively integrated within the propagation environment, endowing them with programmability that can be used as an alternative relaying mechanism in (quasi) free space, to optimize the available channels in scattering-rich environments [11]. The concept of a smart radio environment [12,13] is at the heart of visions for future (sixth generation and beyond) wireless communication systems [14], and relies on metasurfaces as a key enabling technology [15]. Different metasurface-enabled encryption schemes have also been proposed in optics [16,17]. The proposed pervasive deployment of (passive and active) metasurface elements disguised in the propagation environment (for example, in the form of wallpapers, window glasses, building facades and roadside billboards) also introduces new types of vulnerability to physical layer attacks, since they could also be maliciously exploited to hack a system.
These potential vulnerabilities and threats need to be carefully explored and understood to develop future network architectures that are inherently resilient. A basic principle of physical layer security is to increase the performance difference between a legitimate receiver and an eavesdropper link by means of suitable beamforming for transmitting antennas and/or sending noise or interference signals to the eavesdroppers. For attackers, this security measure can be overcome by deploying a large reflective antenna array in the channel to manipulate the wireless links. However, such bulky and power-hungry equipment is not suitable for low-detectability attacks. In contrast, metasurfaces can be easily hidden in the environment, and still provide powerful beam and signal manipulation capabilities for physical-layer wireless attackers. It was, for instance, recently shown that a quickly and inexpensively fabricated (passive) metasurface could be effectively used to eavesdrop on a millimetre-wave communication channel in an essentially undetectable fashion [18]. In this Article, we report the concept of smart wireless attacks at the physical layer based on programmable metasurfaces. The scheme can operate on Wi-Fi signals and could be rendered essentially undetectable. Unlike conventional (passive) metasurfaces, which enable eavesdropping by redirecting part of the signal towards an unintended user [18], programmable metasurfaces can actively transmit information via backscattering wireless communication schemes that leverage commodity Wi-Fi signals [19,20], expanding the range of potential wireless attacks. Besides conventional eavesdropping, the scheme enables smarter types of attack that can alter the information exchanged with multiple users at will and in real time (Fig. 1). Our results, which could be extended to other wireless communication scenarios, highlight the inherent vulnerabilities in the smart radio environments that are of interest for future wireless networks.

System configuration
The schematic of our proposed wireless attackers (passive and active) is shown in Fig. 2. For illustration purposes, the system is designed to operate at a frequency of 2.4 GHz and, to facilitate our implementation, a universal software radio peripheral (Ettus Research USRP X310) is used to generate and/or acquire the radio signals. In the passive mode (Fig. 2a), a legitimate transmitter (Alice) intends to transfer information to a legitimate receiver (Bob) via wireless communications, whereas an attacker (Eve) attempts to eavesdrop on the communication channel at the physical layer without actively radiating any radio signals, by deploying and controlling a programmable metasurface in the surrounding physical environment. In particular, the attacker snoops on the channel and captures Alice's data packets by relying on the metasurface, which serves as a controllable relay by establishing an eavesdropping link with high capacity and suitably redirecting the wireless signals. Alternatively, the attacker may aim at disrupting the communication between Alice and Bob. All these types of attack can be implemented via suitable control of the electromagnetic response of each tunable meta-atom composing the metasurface (Methods and Supplementary Note 1 provide more details and an explanation of the underlying principle).
In the active mode (Fig. 2b), besides eavesdropping on the information, Eve also intends to furtively falsify the information directed to Bob by transmitting some deceptive data. In this scenario, the programmable metasurface plays an additional pivotal role, by serving as a backscattering wireless communication system [19,20] under illumination by a single-tone carrier radio signal generated by the USRP. More specifically, as for the passive mode, Eve controls the metasurface to establish a directional wireless link with Alice (eavesdropping link), and then uses the USRP to collect the signal intended for Bob. Furthermore, Eve also controls the same metasurface to establish a directional wireless link with Bob (falsifying link) to transmit the deceptive information (Methods).

Programmable metasurface
Our attacker relies on a one-bit coding programmable metasurface, designed to work at around 2.4 GHz, corresponding to the frequency range of commodity 2.4 GHz Wi-Fi signals. Although this represents the simplest configuration, higher-bit programmable metasurfaces would provide additional degrees of freedom for manipulating the spatiotemporal electromagnetic wavefronts [21-26], thereby enabling further improvements in the attack performance. The whole metasurface has a size of 1.7 × 1.3 m², and comprises 32 × 24 independently controllable meta-atoms (each of size 54 × 54 mm²), arranged in 3 × 4 identical panels (each comprising 8 × 8 meta-atoms; Fig. 2c) due to fabrication-related size restrictions. As shown in Fig. 2d, each meta-atom is integrated with a positive-intrinsic-negative (PIN) diode, and can exhibit two possible physical states (labelled with the bits '0' and '1') corresponding to two opposite reflection phases (that is, 0 and 180°, respectively) under plane-wave illumination, when the PIN diode is switched from ON to OFF (and vice versa) within the frequency range of 2.41-2.48 GHz. Such a phase change can be attained by switching the bias direct-current (d.c.) voltage applied to the PIN diode from 3.3 to 0 V. As shown in Fig. 2e,f, this condition can be attained at the desired operation frequency, with good agreement between numerical simulations and measurements. To enable real-time and flexible control of all the 768 PIN diodes, a micro control unit (MCU) with a size of 95 × 145 mm² is designed and assembled on the upper rear of the metasurface. The MCU relies on a field-programmable gate array circuit, and is responsible for dispatching all the commands sent from a master computer subject to one common clock signal; in our work, the adopted clock is 100 MHz, and the switching time of the PIN diode is about 2 μs for each cycle (Methods and Supplementary Note 2). In this way, the electromagnetic response of the metasurface can be dynamically and flexibly manipulated by suitably controlling its binary coding pattern.
As previously mentioned, the programmable metasurface is designed at Eve's side to play two critical roles: eavesdropping on the legitimate information directed from Alice to Bob by altering the signal propagation path, and falsifying the information received at Bob's side by sending deceptive data via a point-to-point backscattering wireless communication link [19,20]. For these twofold aims, the design of the binary-coding control sequence of the programmable metasurface can be addressed by maximizing the objective function of equation (1), which follows from another work [27] with some important modifications, as detailed below (Methods and Supplementary Note 1). Specifically, the term $R_e$ quantifies the eavesdropping communication rate, that is, the relative eavesdropping performance of Eve with respect to Bob in terms of the communication capacity, whereas the term $R_f$ characterizes the falsifying performance of Eve. Here a positive coefficient $\alpha$ is introduced in $R_e$ to balance the potential constraint imposed on the legitimate communication link. In particular, setting $\alpha = 0$ implies that the legitimate Alice-Bob link is largely unaffected, and thus the eavesdropping link is essentially undetectable at Bob's side. Considering that wireless communication channels are usually reciprocal, it turns out that the optimal solutions for both $R_e$ and $R_f$ cannot be simultaneously achieved, and therefore a positive trade-off factor $\beta$ is introduced in equation (1). We highlight that the optimization in equation (1) is very challenging from the computational viewpoint, since it entails an NP-hard combinatorial problem, and the Green's function of the underlying physical environment is not analytically known. In our approach (Supplementary Note 3), we employ a line-search algorithm initialized with the modified Gerchberg-Saxton (G-S) method.

Experimental results on passive attacks
We first assess the performance of the developed wireless metasurface attacker in the passive mode. As shown in the schematic (Fig. 3a) for our experimental setting, Eve (in room B) attempts to eavesdrop on the information intended for Bob from Alice (in room A) by controlling the programmable metasurface. In our implementation, Alice is a commodity Wi-Fi router (Mercury MW150R) working with binary phase-shift keying (BPSK) modulation and the 802.11b protocol at the seventh subchannel of 2.442 GHz. When Eve tries to snoop on the Wi-Fi information intended for Bob from Alice, the programmable metasurface acts as a controllable passive relay that suitably redirects the Wi-Fi signal over the established eavesdropping link. To this end, the control coding pattern of the programmable metasurface needs to be determined, which can be achieved by maximizing $R_e$ in equation (1) with $\beta = 0$ and $\alpha = 1$. The procedure is initialized by exploiting the modified G-S algorithm, and then a line search is implemented. Figure 3b shows the power levels $P_E$ received at Eve's side as a function of the iteration order in the optimization process, for different locations of [...]. Figure 3c shows some representative coding patterns of the metasurface for the full-OFF state (that is, all meta-atoms in the OFF state, equivalent to a conventional metallic reflector), the G-S initialization and the result of the line-search optimization, together with the corresponding BPSK constellation diagrams of the decoded wireless signals eavesdropped at Eve's side, from which we can visually estimate the quality of transmission. In particular, we observe a progressive improvement (in terms of reduced spread in the constellation points) going from the full-OFF state to the optimized one, which can be quantified as an average power enhancement of about 16 dB in the eavesdropped signal (Fig. 3b), without extra energy consumption. Moreover, Fig. 3d (left and centre) shows the communication data rates detected at Bob's side pertaining to the full-OFF and optimized coding patterns, respectively. We observe that, as a consequence of the eavesdropping link, the target communication link between Alice and Bob is moderately deteriorated, with a loss of 5 Mbps on average, as highlighted by the blue-shaded area (Fig. 3d). This is to be expected, since part of Alice's signal energy has been redirected towards Eve by the programmable metasurface. As previously mentioned, the effect of the eavesdropping link on Bob's communication rate can be minimized by solving the optimization problem in equation (1) with $\alpha = 0$ (Supplementary Note 4). In addition, our wireless attacker is capable of breaking down the communications between Alice and Bob by rapidly switching the coding patterns of the metasurface, with an extra energy consumption of a few watts. To demonstrate this possibility, Fig. 3d illustrates the results (in terms of data rate) of a set of experiments where the control coding pattern of the metasurface is switched between the full-OFF and the optimized result with a switching period of 2 μs. Evidently, the communication rate from Alice to Bob can be decreased by ~23 Mbps when the eavesdropping link is dynamic. This is to be expected, since the dynamic eavesdropping link not only decreases Bob's received power (and hence the signal-to-noise ratio) but also breaks the stationary property of the wireless channel.

Experimental results on active attacks
We next assess the performance of the wireless attacker in the active mode. For illustration purposes, and to avoid the complicated key decryption at the digital level, the Wi-Fi signal at Alice's side is generated by means of the USRP. With reference to the experimental setting shown as a schematic in Fig. 4a (Table 1 lists the parameters), Eve (in room B) tries to eavesdrop on and falsify the information intended for Bob and Carol from Alice (in room A), and to remain essentially untraceable for a possible detector (Dave). To this aim, by controlling the metasurface, Eve establishes two independent falsifying links with Bob and Carol, and actively transmits two independent deceptive data streams to them. Thus, there are now two kinds of wireless link: the eavesdropping one and the falsifying one. To render Eve's communications with Bob and Carol furtive, we optimize the control binary coding pattern of the metasurface with the twofold objectives of maximizing the falsifying communication rate ($R_f$) and transferring the counterfeit data to Bob and Carol by exploiting a modulated-metasurface backscattering wireless communication scheme [19,20]. Basically, the deceptive data are directly encoded into the programmable metasurface, which is illuminated by a 2.442 GHz single-tone carrier and radiates directive beams so as to minimize Eve's detectability. Accordingly, the metasurface is controlled in such a way that the three information-carrying radiation beams pointing towards Bob, Carol and Eve can be independently generated and manipulated. Here, for illustration purposes, we consider a physical BPSK modulation scheme for the falsifying wireless links (from Eve to Bob and Carol). On the other hand, the eavesdropping link (from Alice to Eve) works in a different fashion, since it is used for energy manipulation and does not rely on metasurface modulation [7] (Methods provides more details on both schemes). As a consequence, we need to design four control patterns of the metasurface for the resulting three-channel backscattering wireless communications, where channels 1, 2 and 3 correspond to Eve, Bob and Carol, respectively. Figure 4b shows the eavesdropping and falsifying power levels at Eve's, Bob's and Carol's sides ($P_E$, $P_B$ and $P_C$, respectively) as a function of the iteration order of the optimization process, whereas Fig. 4c shows the four optimized binary coding patterns. Assuming that a red-green-blue image is transferred from Alice to Bob, Eve can not only eavesdrop on this image by manipulating the programmable metasurface (Fig. 4d, leftmost panel) but can also arbitrarily falsify the images at Bob's and Carol's sides, as shown, for instance, in the second and rightmost panels of Fig. 4d, respectively. In addition, to highlight the metasurface-enabled capability of energy refocusing within an intended local spot, we also monitor the performance of a detector (Dave) placed in the vicinity of Bob (Fig. 4b). Figure 4d (third panel) shows the image received at Dave's side, whose poorer quality demonstrates the low visibility of the attack, in spite of some information leaking around Bob. Supplementary Video 1 shows additional results. In addition, the top row in Fig. 4e shows typical (17-ms-long) Wi-Fi signals received at Bob's, Eve's, Dave's and Carol's sides, with some magnified details shown in the bottom row. The corresponding decoded constellation diagrams are illustrated in Fig. 4f, from which the poorer quality of the signals at Dave's side is also apparent. On the basis of these results, we can conclude that the metasurface-based wireless attacker is capable of simultaneously eavesdropping on, disrupting and/or falsifying the data streams in complicated indoor environments, as well as maintaining low detectability.
[Fig. 4e,f panel labels: Eavesdropping link; Falsifying link (Bob); Radio signal (real part) @ Bob, Dave, Eve, Carol; Constellation @ Bob, Dave, Eve, Carol]

Conclusions
We have reported metasurface-enabled smart wireless attacks at the physical layer. We show that the use of programmable metasurfaces can enable sophisticated types of attack that range from conventional eavesdropping to the disruption of communication, and even information falsification. In both passive and active modes, the footprints of the attack in the physical space are very weak, and hence its detectability can be minimized. Our results are demonstrated with 2.4 GHz Wi-Fi signals, but their implications are broader, and the approach could be applied to generic wireless communication systems. Considering the crucial role, and the potential pervasiveness, of metasurfaces in envisioned future (sixth generation and beyond) wireless networks, it is essential that potential vulnerabilities arising from malicious hacking are fully understood, and that suitable countermeasures are developed, at an early stage, for the underlying smart radio environment technologies. For instance, beamforming strategies could be effective in mitigating the attack performance. Alternative mitigation strategies, such as cooperative jamming with artificial noise, index modulation and adaptive modulation, could also be exploited.

Design of the programmable coding metasurface
The designed programmable metasurface consists of 32 × 24 meta-atoms operating at ~2.4 GHz (Supplementary Fig. 1c,d), with the schematic and details of the electronically controllable meta-atoms (of size 54 × 54 mm²) illustrated in Supplementary Fig. 1a,b, respectively. In each meta-atom, a PIN diode (SMP1345-079LF) is integrated to control the electromagnetic reflection phase, and the corresponding frequency responses are shown in Fig. 2e,f (magnitude and phase, respectively). The meta-atom is composed of two substrate layers: the top layer is made of F4B (with relative permittivity of 2.55 and loss tangent of 0.0019), whereas the bottom layer is made of FR4 (with relative permittivity of 4.40 and loss tangent of 0.0300). The top square patch, integrated with the PIN diode, has a size of 0.37 × 0.37 mm². In addition, a 33 nH inductor (Murata LQW04AN10NH00) is used to achieve good separation between the radio-frequency and d.c. signals. For the design and simulation of the meta-atom, the commercial software package CST Microwave Studio 2014 [28-30] is used. Specifically, the reflection response of the meta-atom is investigated under different operation states (ON/OFF) of the PIN diode; a Floquet port is used to simulate an x-polarized wave incident on the metasurface and to monitor the reflected wave; and periodic boundary conditions are set on the four sides to mimic an infinite array.

Principle underlying the metasurface-enabled wireless attack
We provide a heuristic but insightful explanation of the principle underlying the metasurface-enabled physical-layer wireless attack. For a basic illustration, we limit ourselves to the attack of one user, but an extension to more general cases is straightforward. To this end, we model the programmable metasurface as a two-input and two-output wireless device that links the incident symbols (from sources, that is, Alice at $\mathbf{r}_A$, and Eve's transmitter, ET, at $\mathbf{r}_E$) to the re-radiated responses (to receivers, that is, Bob at $\mathbf{r}_B$, and Eve's receiver, ER, at $\mathbf{r}_R$), and we denote the sequences of legitimate symbols (from Alice) and falsifying symbols (from Eve) by $x_A(t)$ and $x_E(t)$, respectively. It is worth recalling that Eve's deceptive symbols $x_E$ are directly encoded into the metasurface at the physical layer, within the context of backscattering wireless communications, as discussed below. Then, we can express the device's output responses at $\mathbf{r}_B$ and $\mathbf{r}_R$ as in equations (2) and (3), where $P_A$ and $P_E$ are the powers radiated by Alice and Eve, respectively; the quantities $H_{E \to B}$ and $H_{E \to R}$ denote the metasurface-mediated responses of the Eve-Bob and ET-ER links, respectively; and $h_{A \to B}$ and $h_{A \to R}$ denote the responses of the Alice-Bob and Alice-ER links, respectively, in the absence of the programmable metasurface. Moreover, the factors $\gamma_{A \to B}$ and $\gamma_{A \to R}$ represent the metasurface-enabled enhancement and deterioration of the Alice-Bob and Alice-ER wireless links, respectively. It is apparent that in the absence of the metasurface, one has $\gamma_{A \to B} = 0$ and $\gamma_{A \to R} = 0$. In addition, $\varepsilon_B \sim \mathcal{N}(0, \sigma_B^2)$ and $\varepsilon_R \sim \mathcal{N}(0, \sigma_R^2)$ denote the additive Gaussian noise at Bob's and ER's sides, respectively, and $\theta$ encapsulates all the adjustable parameters. For the sake of efficiency, a directional horn antenna is used at Eve's side to illuminate the metasurface, implying that $H_{E \to R}(t) \approx 0$.
Then, the eavesdropping and falsifying performance can be quantified by the corresponding rates $R_e = \log_2[1 + \ldots]$ and $R_f(\alpha) = \log_2[1 + \ldots]$, respectively. For the given settings at Alice's and Bob's sides, the quality of the falsifying and eavesdropping signals can be improved by properly designing the metasurface, and by increasing Eve's transmitted power $P_E$. To clarify the above argument, we consider a quasi-free-space wireless environment as an example to explain the principle underlying the attack, where the wireless channel response can be analytically expressed as
$$h(\mathbf{r}, \mathbf{r}') = \frac{\exp\left(jk\|\mathbf{r} - \mathbf{r}'\|\right)}{4\pi\|\mathbf{r} - \mathbf{r}'\|},$$
where $k = 2\pi/\lambda$ denotes the free-space wavenumber ($\lambda$ is the corresponding wavelength); hereafter, a suppressed time-harmonic $\exp(-j\omega\tau)$ dependence is assumed. In more complicated wireless environments, the response $h(\mathbf{r}, \mathbf{r}')$ is usually not available in closed form and needs to be estimated a priori by the attack system; this is deferred to future work. Supplementary Note 1 provides more detailed discussions. Here we consider a two-part control scheme for the metasurface, that is, the entire metasurface aperture is divided into two independent parts, meta_A (with $N_{\mathrm{meta}A}$ meta-atoms) and meta_B (with $N_{\mathrm{meta}B}$ meta-atoms). Even though the resulting attack performance is not optimal and could be improved by exploiting more advanced control schemes, this scenario provides some useful physical insights. Accordingly, the quantities involved in equations (2) and (3) can be expressed as in equations (4)-(8).
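A small Python simulation of the quasi-free-space model above, added here as an example that is not part of the paper or its code: it reproduces in simulation the two effects measured in the passive-mode experiments, namely the power a 1-bit coding pattern redirects to a third location and the loss of channel stationarity at Bob when the pattern is switched between frames, which is the observable a legitimate receiver can monitor. It assumes a single 8 × 8 panel of isotropic meta-atoms, a constructed room geometry and plain 1-bit phase conjugation as the steering rule, not the paper's modified G-S/line-search optimizer.

```python
import cmath
import math

# Values from the paper: 2.442 GHz Wi-Fi carrier and 54 mm meta-atom pitch.
K = 2 * math.pi * 2.442e9 / 299_792_458.0   # free-space wavenumber k = 2*pi/lambda
PITCH = 0.054

# Constructed geometry in metres (not the paper's room layout): one 8x8 panel lies in
# the z = 0 plane; Alice and Bob sit specularly about it, Eve off to the side.
ALICE, BOB, EVE = (-2.0, 0.0, 3.0), (2.0, 0.0, 3.0), (0.0, 3.0, 3.0)

def h_free(r, rp):
    """Quasi-free-space response h(r, r') = exp(jk|r - r'|) / (4 pi |r - r'|)."""
    d = math.dist(r, rp)
    return cmath.exp(1j * K * d) / (4 * math.pi * d)

def panel_atoms(nx=8, ny=8):
    """Meta-atom positions of one panel, centred on the origin."""
    return [((ix - (nx - 1) / 2) * PITCH, (iy - (ny - 1) / 2) * PITCH, 0.0)
            for ix in range(nx) for iy in range(ny)]

def atom_gains(src, dst, atoms):
    """Per-atom cascaded path a_n = h(src, r_n) h(r_n, dst), before the 1-bit coding."""
    return [h_free(src, a) * h_free(a, dst) for a in atoms]

def reflected_field(gains, bits):
    """Metasurface-mediated field; bit 0 = reflection +1 (0 deg), bit 1 = -1 (180 deg)."""
    return sum(g * (1 if b == 0 else -1) for g, b in zip(gains, bits))

def received_field(src, dst, atoms, bits):
    """Direct path plus metasurface path (isotropic atoms, no blockage: a simplification)."""
    return h_free(src, dst) + reflected_field(atom_gains(src, dst, atoms), bits)

def full_off(atoms):
    """All PIN diodes OFF: the panel acts as a plain metallic reflector."""
    return [0] * len(atoms)

def steer_pattern(src, dst, atoms, phase_steps=64):
    """1-bit phase-conjugate coding focusing the energy from src at dst: the ordinary
    relay beamforming a smart radio environment performs; only the choice of dst
    separates the legitimate use from the paper's eavesdropping link."""
    gains = atom_gains(src, dst, atoms)
    best_bits, best_mag = None, -1.0
    for s in range(phase_steps):              # search over the global reference phase
        rot = cmath.exp(-1j * 2 * math.pi * s / phase_steps)
        bits = [0 if (g * rot).real >= 0 else 1 for g in gains]
        mag = abs(reflected_field(gains, bits))
        if mag > best_mag:
            best_bits, best_mag = bits, mag
    return best_bits

def redirection_gain_db(atoms):
    """Metasurface-mediated power at Eve: steered pattern vs full-OFF panel (compare
    with the ~16 dB enhancement the paper reports in Fig. 3b for its 768-atom surface)."""
    gains = atom_gains(ALICE, EVE, atoms)
    p_off = abs(reflected_field(gains, full_off(atoms))) ** 2
    p_on = abs(reflected_field(gains, steer_pattern(ALICE, EVE, atoms))) ** 2
    return 10 * math.log10(p_on / p_off)

def channel_fluctuation(samples):
    """std / |mean| of Bob's complex channel estimates across frames: a receiver-side
    stationarity check. A static environment gives ~0; a pattern-switching panel does not."""
    mean = sum(samples) / len(samples)
    var = sum(abs(s - mean) ** 2 for s in samples) / len(samples)
    return math.sqrt(var) / abs(mean)

def bob_fluctuation(atoms, frames=16, switching=False):
    """Bob's channel over `frames` packets; with switching=True the panel alternates
    every frame between full-OFF and the Eve-steered pattern (the disruption mode)."""
    off, steered = full_off(atoms), steer_pattern(ALICE, EVE, atoms)
    samples = [received_field(ALICE, BOB, atoms, steered if switching and f % 2 else off)
               for f in range(frames)]
    return channel_fluctuation(samples)
```

With this geometry the redirected power at Eve rises by well over 10 dB relative to the full-OFF panel, while Bob's frame-to-frame channel estimate, constant for a static panel, fluctuates by more than 10% once the pattern is switched between frames.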