🤖 AI Summary
Physical isolation is widely assumed to prevent wireless exfiltration from embedded systems; however, conventional penetration techniques require dedicated RF hardware or line-of-sight conditions, limiting practical applicability.
Method: This work introduces a hardware-modification-free wireless infiltration method exploiting parasitic RF coupling between PCB traces and analog-to-digital converters (ADCs) in embedded devices. We systematically model the parasitic RF coupling mechanism and develop a software-only “sensorless radio receiver” framework comprising ADC sampling analysis, signal reconstruction algorithms, and device configuration sensitivity evaluation.
Contribution/Results: Evaluated on 14 real-world devices (12 commercial, 2 prototypes), the approach achieves reception across 300–1000 MHz with a minimum detectable power of 1 mW, supporting 100 kbps data rates and non-line-of-sight communication over tens of meters. This work fundamentally challenges the physical isolation security assumption and uncovers a previously unrecognized, stealthy wireless side channel inherent to commodity embedded platforms.
📝 Abstract
Intelligent electronics are deeply embedded in critical infrastructures and must remain reliable, particularly against deliberate attacks. To minimize risks and impede remote compromise, sensitive systems can be physically isolated from external networks, forming an airgap. Yet, airgaps can still be infiltrated by capable adversaries gaining code execution. Prior research has shown that attackers can then attempt to wirelessly exfiltrate data across the airgap by exploiting unintended radio emissions. In this work, we demonstrate a reversal of this link: malicious code execution on embedded devices can enable wireless infiltration of airgapped systems without any hardware modification. In contrast to previous infiltration methods that depend on dedicated sensors (e.g., microphones, LEDs, or temperature sensors) or require strict line-of-sight, we show that unmodified, sensor-less embedded devices can inadvertently act as radio receivers. This phenomenon stems from parasitic RF sensitivity in PCB traces and on-chip analog-to-digital converters (ADCs), allowing external transmissions to be received and decoded entirely in software.
Across twelve commercially available embedded devices and two custom prototypes, we observe repeatable reception in the 300–1000 MHz range, with detectable signal power as low as 1 mW. To this end, we propose a systematic methodology to identify device configurations that foster such radio sensitivities and comprehensively evaluate their feasibility for wireless data reception. Exploiting these sensitivities, we demonstrate successful data reception over tens of meters, even in non-line-of-sight conditions, and show that the reception sensitivities accommodate data rates of up to 100 kbps. Our findings reveal a previously unexplored command-and-control vector for air-gapped systems while challenging assumptions about their inherent isolation.