Sensor out-of-band (OOB) vulnerabilities have long lacked a systematic analytical framework, hindered by the infinite attack signal space and insufficient abstraction of underlying physical mechanisms. To address this, we propose the first physics-based unified abstraction model for sensor OOB vulnerabilities, establishing a three-layer classification and analysis framework—spanning components, individual sensors, and integrated systems—that explicitly characterizes how perception bias, control-loop feedback, and multi-source sensor fusion either amplify or mitigate security threats. Adopting a bottom-up methodology, we integrate first-principles physical modeling, attack attribution, practicality assessment, and system-level behavioral analysis to achieve, for the first time, cross-layer, interpretable, and systematic characterization of OOB vulnerabilities. Our work provides both theoretical foundations and practical guidelines for security modeling, vulnerability assessment, and defense design in sensors and cyber-physical systems (CPS).

Sensors are fundamental to cyber-physical systems (CPS), enabling perception and control by transducing physical stimuli into digital measurements. However, despite growing research on physical attacks on sensors, our understanding of sensor hardware vulnerabilities remains fragmented due to the ad-hoc nature of this field. Moreover, the infinite attack signal space further complicates threat abstraction and defense. To address this gap, we propose a systematization framework, termed sensor out-of-band (OOB) vulnerabilities, that for the first time provides a comprehensive abstraction for sensor attack surfaces based on underlying physical principles. We adopt a bottom-up systematization methodology that analyzes OOB vulnerabilities across three levels. At the component level, we identify the physical principles and limitations that contribute to OOB vulnerabilities. At the sensor level, we categorize known attacks and evaluate their practicality. At the system level, we analyze how CPS features such as sensor fusion, closed-loop control, and intelligent perception impact the exposure and mitigation of OOB threats. Our findings offer a foundational understanding of sensor hardware security and provide guidance and future directions for sensor designers, security researchers, and system developers aiming to build more secure sensors and CPS.