Abstract

Despite the transformative impact of deep learning (DL) on wirelesscommunication systems through data-driven end-to-end (E2E) learning, thesecurity vulnerabilities of these systems have been largely overlooked. Unlikethe extensively studied image domain, limited research has explored the threatof backdoor attacks on the reconstruction of symbols in semantic communication(SemCom) systems. Previous work has investigated such backdoor attacks at theinput level, but these approaches are infeasible in applications with strictinput control. In this paper, we propose a novel attack paradigm, termedChannel-Triggered Backdoor Attack (CT-BA), where the backdoor trigger is aspecific wireless channel. This attack leverages fundamental physical layercharacteristics, making it more covert and potentially more threateningcompared to previous input-level attacks. Specifically, we utilize channel gainwith different fading distributions or channel noise with different powerspectral densities as potential triggers. This approach establishesunprecedented attack flexibility as the adversary can select backdoor triggersfrom both fading characteristics and noise variations in diverse channelenvironments. Moreover, during the testing phase, CT-BA enables automatictrigger activation through natural channel variations without requiring activeadversary participation. We evaluate the robustness of CT-BA on a ViT-basedJoint Source-Channel Coding (JSCC) model across three datasets: MNIST,CIFAR-10, and ImageNet. Furthermore, we apply CT-BA to three typical E2E SemComsystems: BDJSCC, ADJSCC, and JSCCOFDM. Experimental results demonstrate thatour attack achieves near-perfect attack success rate (ASR) while maintainingeffective stealth. Finally, we discuss potential defense mechanisms againstsuch attacks.