
Deep-TEMPEST: Deep Learning Attacks

Updated 9 February 2026
  • Deep-TEMPEST is a family of methodologies that leverage deep learning to reconstruct HDMI video signals from electromagnetic emissions and to perform multi-turn adversarial attacks on large language models.
  • Its EM pipeline utilizes SDR-based acquisition and DRUNet neural architectures to solve an inverse problem, dramatically reducing error rates with few-shot fine-tuning on real data.
  • In LLM contexts, Deep-TEMPEST uses a tree-based exploration strategy to assess and overcome safety measures, highlighting critical gaps in adversarial robustness and prompting targeted countermeasures.

Deep-TEMPEST denotes a family of methodologies and frameworks that leverage deep learning for advanced eavesdropping and adversarial attack strategies in both hardware electromagnetic (EM) side-channels and LLMs. In the context of EM leakage, Deep-TEMPEST systems reconstruct digital video content—especially from HDMI signals—by solving an inverse problem informed by a rigorous physical channel model and employing deep neural architectures for signal-to-image mapping. In the context of LLM safety, Deep-TEMPEST refers to the systematic scaling and evaluation of multi-turn adversarial attacks using a tree-based exploration framework to gauge and surpass safety guardrails in trillion-parameter frontier models. Across both domains, Deep-TEMPEST articulates the relevance of deep learning in extending the reach and practicality of previously theoretical attacks, revealing systemic vulnerabilities and highlighting necessary countermeasures.

1. Mathematical and Physical Foundations of Electromagnetic Side-Channel Eavesdropping

Deep-TEMPEST redefines the EM eavesdropping problem for digital video interfaces (notably HDMI) as an inverse problem: reconstructing the displayed pixel image $X \in \mathbb{R}^{p_y \times p_x}$ from the unintended emissions $s(t)$ received by an SDR-based receiver setup. HDMI signals are encoded with Transition Minimized Differential Signaling (TMDS), converting 8-bit color components $v[n]$ to 10-bit codewords $b[k]$ by a nonlinear bijective mapping $\mathrm{TMDS}_{10}$, producing a line-ordered serial bitstream. Leaked signals, modelled as

$$s(t) = x^+(t) + x^-(t) = 2V_{cc} + \sum_k x_b[k]\, q(t - kT_b)$$

with $q(t)$ capturing differential skew, are characterized by a power spectral density $S_s(f) = |Q(f)|^2 S_{X_b}(f)$. Attacker-side signal acquisition leverages spectral peaks at harmonics of the pixel clock, tuning the SDR to maximize SNR by targeting frequencies $f_c \approx m/T_p$ ($T_p = 10T_b$). Discrete samples $y[l]$ are obtained after analog filtering and digitization, embedding non-idealities (timing, phase, AWGN).

The inverse mapping $\mathcal{M}: X \to Y \in \mathbb{C}^{p_y \times p_x}$ defines the observable, from which an appropriately parameterized deep network $f_\Theta$ is trained to minimize the reconstruction loss

$$L(\Theta) = \mathbb{E}_{(Y, X)}\left[ \ell\big(f_\Theta(Y), X\big) \right]$$

where $\ell$ combines pixelwise MSE and total variation.

2. Deep Learning Architectures and Training Methodologies

Deep-TEMPEST attack pipelines rely on convolutional neural networks optimized for the EM-to-image inverse problem. The core architecture is based on DRUNet, a U-Net variant incorporating both contracting and expanding paths with skip connections and residual blocks, taking two-channel (I/Q) inputs and outputting grayscale images. Training utilizes simulated and real EM trace/image pairs, with synthetic samples generated via direct TMDS encoding, cable/antenna convolution, SDR modeling, and controlled addition of non-idealities (timing/phase errors, noise).

Optimization uses Adam (learning rate $1.56 \times 10^{-5}$, $\beta_1 = 0.9$, $\beta_2 = 0.999$), He-normal weight initialization, and early stopping on a PSNR plateau. Datasets are split into train/val/test for both synthetic ($1,738/148/303$) and real ($882/120/300$) captures. Training solely on magnitude (AM) signals is inferior; incorporating the complex I/Q samples consistently reduces Character Error Rate (CER) by about 8 percentage points. Synthetic-only models achieve a CER of about 30% on the synthetic test set but degrade in real-world scenarios. Few-shot fine-tuning with as little as 10% of the real data recovers near full performance ($\mathrm{CER} \sim 35\%$).

Complementary work on mobile device side-channels employs a LeNet-style CNN for classification of digit patches from EM-imaged “emages”, achieving digit-level accuracy up to 89.8% and six-digit PIN recovery with 50.5% exact-match in a single attempt (Liu et al., 2020).

3. TEMPEST Attacks on LLMs: Multi-Turn Adversarial Framework

In the LLM context, Deep-TEMPEST refers to the extension and scaling of the TEMPEST (Tree-based Exploration of Multi-turn Prompts for Eliciting Safety Thresholds) attack, formalizing adversarial jailbreak as a breadth-first search over conversation graphs (Young, 8 Dec 2025). The attack algorithm:

  • Initializes with diverse prompts (Siege chain-of-attack format) via a large attacker model (e.g., DeepSeek V3.1).
  • Maintains up to 6 parallel branches per behavior, adapting strategies based on model responses and detected resistance types (e.g., refusal, moral hedging).
  • Evaluates response harmfulness on a 1–10 scale using independent safety classifiers.
  • Prunes low-value branches and halts upon achieving a harmful response (harm score $\geq 10$).
  • Iterates over 1,000 behaviors from JailbreakBench spanning Misinformation, Hate Speech, Violence, Illegal Activities, and Privacy.

Formal Evaluation Metrics

  • Attack Success Rate (ASR): Fraction of behaviors with at least one harmful response.
  • Partial Success Rate (PSR): Fraction of behaviors reaching the 8–9 harm threshold.
  • Average Turns to Jailbreak (ATJ): Mean number of conversational turns per successful jailbreak.
  • Computational Cost Multiplier: Normalized query count vs. most efficient model.

4. Empirical Results and Performance Benchmarks

HDMI Eavesdropping

Table 1: Performance Summary—Text OCR on Raw and Deep-TEMPEST Reconstructions (excerpted) (Fernández et al., 2024)

| Dataset       | Model                      | PSNR    | SSIM  | CER   |
|---------------|----------------------------|---------|-------|-------|
| Real captures | Raw magnitude (gr-tempest) | 8.6 dB  | 0.345 | 92.2% |
|               | Pure model (complex input) | 15.2 dB | 0.787 | 35.3% |
|               | Base (ideal $q$)           | 10.0 dB | 0.610 | 49.4% |

Few-shot fine-tuning on only 10% of real data recovers nearly optimal CER, demonstrating robust transfer from simulation.

Multi-Turn LLM Attacks

Table 2: Attack Success Rate (ASR) and Avg. Turns (excerpted) (Young, 8 Dec 2025)

| Model            | Parameters        | ASR  | Avg. turns |
|------------------|-------------------|------|------------|
| Mistral Large 3  | 675B (41B active) | 100% | 1.0        |
| DeepSeek V3.1    | 671B (37B active) | 99%  | 1.6        |
| Kimi K2          | 1T (32B active)   | 97%  | 1.6        |
| Kimi K2 Thinking | 1T (32B active)   | 42%  | 17.2       |
| MiniMax M2       | 230B (10B active) | 55%  | 22.7       |

No statistically significant correlation between model scale and adversarial robustness was observed (Spearman $\rho = -0.12$, $p = 0.74$). Models with active “thinking” (deliberative inference) modes saw dramatic ASR reductions (97% $\rightarrow$ 42% for Kimi K2 vs. Kimi K2 Thinking) and a large increase in average attack length (1.6 to 17.2 turns for the same pair; see Table 2).

5. Implementation Details and Open-Source Availability

The Deep-TEMPEST SDR attack stack employs a USRP B200mini or equivalent SDR, an LNA (e.g., Mini-Circuits ZJL-6G+), band-pass filtering, and a custom branch of gr-tempest within GNU Radio. Signal pipelines are designed for I/Q complex sample extraction, skipping traditional AM demodulation. PyTorch-based DRUNet inference is integrated directly into the GNU Radio stream. All code, synthetic data generators (HDMI $\rightarrow$ TMDS $\rightarrow$ $q(t)$ $\rightarrow$ SDR), and training routines are available at github.com/emidan19/deep-tempest, together with real and synthetic datasets, facilitating reproducibility and further research (Fernández et al., 2024).

6. Countermeasures and Mitigation Strategies

For HDMI Deep-TEMPEST attacks:

  • Low-level adversarial noise: Injecting weak ($\sigma \approx 3$ gray levels) Gaussian noise into displayed images defeats CNN inference without meaningful reduction in human legibility.
  • Gradient backgrounds: Overlaying text on a horizontal grayscale ramp frustrates TMDS encoding regularity, destroying the spectral peaks necessary for synchronized recovery.
  • Trade-offs: Noise marginally reduces visible contrast; gradient backgrounds necessitate broader UI changes.
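
As an added illustration (not code from the Deep-TEMPEST project or either paper), the following Python implements the DVI 1.0 TMDS 8b/10b encoder and its decoder, serialises one colour channel of a pixel row into the bitstream $x_b[k]$ of Section 1, and measures how much of the stream's spectral energy is held by a handful of FFT bins. A uniform background yields an almost pure line spectrum, while a horizontal grayscale ramp spreads the energy across the band, which is the effect the gradient-background countermeasure relies on. The 2520-pixel row length (chosen so the FFT frame holds whole DC-balancing cycles), the ramp and the 64-bin concentration measure are constructed choices for the illustration, not values from the page; the simulation ignores $q(t)$, the receiver front end and blanking intervals.

```python
"""TMDS encoding and why content regularity shows up as spectral lines.

Added illustration (not Deep-TEMPEST project code): a DVI 1.0 TMDS encoder and
decoder, a per-row bitstream serialiser and a spectral-line concentration
measure comparing a uniform background with a horizontal grayscale ramp.
"""
import numpy as np

ROW_PX = 2520  # constructed row length: a multiple of every 1/3/5/7/9-symbol disparity cycle


def tmds_encode(d, cnt):
    """Encode one 8-bit value as a 10-bit TMDS codeword (DVI 1.0 data-period
    algorithm). Bit lists are LSB first; cnt is the running disparity counter
    and the updated counter is returned with the word."""
    D = [(d >> i) & 1 for i in range(8)]
    # Stage 1: transition minimisation. Chain the bits with XOR or XNOR so at
    # most five transitions occur; bit 8 records which operator was used.
    use_xnor = sum(D) > 4 or (sum(D) == 4 and D[0] == 0)
    q = [D[0]]
    for i in range(1, 8):
        x = q[i - 1] ^ D[i]
        q.append(1 - x if use_xnor else x)
    q.append(0 if use_xnor else 1)
    n1 = sum(q[:8])
    n0 = 8 - n1
    # Stage 2: DC balancing. Bit 9 says whether bits 0-7 were inverted.
    if cnt == 0 or n1 == n0:
        out = (q[:8] if q[8] else [1 - b for b in q[:8]]) + [q[8], 1 - q[8]]
        cnt += (n1 - n0) if q[8] else (n0 - n1)
    elif (cnt > 0 and n1 > n0) or (cnt < 0 and n0 > n1):
        out = [1 - b for b in q[:8]] + [q[8], 1]
        cnt += 2 * q[8] + (n0 - n1)
    else:
        out = q[:8] + [q[8], 0]
        cnt += (n1 - n0) - 2 * (1 - q[8])
    return out, cnt


def tmds_decode(word):
    """Invert tmds_encode for one 10-bit word (LSB-first list). The running
    disparity is not needed: bit 9 carries the inversion flag, bit 8 the operator."""
    d = [1 - b for b in word[:8]] if word[9] else list(word[:8])
    D = [d[0]]
    for i in range(1, 8):
        x = d[i] ^ d[i - 1]
        D.append(x if word[8] else 1 - x)
    return sum(b << i for i, b in enumerate(D))


def encode_row(pixels):
    """Serialise one colour channel of a pixel row: one 10-bit symbol per
    pixel, disparity carried from symbol to symbol, returned as a 0/1 array."""
    bits, cnt = [], 0
    for p in pixels:
        word, cnt = tmds_encode(int(p), cnt)
        bits.extend(word)
    return np.array(bits, dtype=float)


def line_concentration(bits, n_lines=64):
    """Fraction of the bitstream's AC spectral energy held by its n_lines
    strongest FFT bins. Close to 1.0 means a line spectrum (the pixel-clock
    harmonics a narrowband receiver can lock onto); a small value means the
    energy is smeared across the band."""
    x = 2.0 * bits - 1.0        # 0/1 bits as the +/- differential swing
    x -= x.mean()               # remove the DC (2 V_cc) term
    power = np.abs(np.fft.rfft(x)) ** 2
    power = power[1:]           # skip the residual DC bin
    strongest = np.sort(power)[::-1][:n_lines]
    return float(strongest.sum() / power.sum())


def uniform_row(value, px=ROW_PX):
    """Constructed row: a single gray level across the whole line."""
    return np.full(px, value, dtype=int)


def ramp_row(px=ROW_PX):
    """Constructed row: a horizontal grayscale ramp, 0..255 repeating."""
    return np.arange(px) % 256


def compare_backgrounds(value=255):
    """Line concentration for a uniform background vs the grayscale ramp."""
    return (line_concentration(encode_row(uniform_row(value))),
            line_concentration(encode_row(ramp_row())))


if __name__ == "__main__":
    u, r = compare_backgrounds()
    print(f"uniform background: {u:.3f} of energy in the 64 strongest bins")
    print(f"ramp background:    {r:.3f} of energy in the 64 strongest bins")
```

The DC-balancing stage is why a uniform row is not a single repeated codeword: the encoder alternates between a word and its inverse in a short cycle, so the lines sit at the pixel clock and its sub-harmonics, but they are still lines. The ramp changes the codeword every pixel, which is what removes them.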

For LLM attacks:

  • Deliberative inference (“thinking mode”): Substantially increases attack cost and reduces success rates, though it does not eliminate the vulnerabilities.

Display-side defenses reported for EM attacks on devices (Liu et al., 2020):

  • Hardware, communication, and graphics-level measures: Shielding, encryption, and EM-hardened fonts have shown partial success, though practical concerns (cost, latency, UX degradation) limit deployment.

A layered defense stack combining low-level (physical) and high-level (UI, inference) countermeasures is recommended in both domains, though attacks are expected to keep adapting as deep learning models improve.

7. Research Directions and Broader Implications

Deep-TEMPEST’s results establish that deep learning fundamentally alters the threat landscape for both EM side-channel and LLM attacks. In video eavesdropping, combining synthetic simulations with minimal real-world samples enables transfer to new cable configurations and display types, substantially reducing data collection burden (Fernández et al., 2024). In LLM safety, persistent high attack success rates across architectures and scales underscore the brittleness of current alignment, irrespective of frontier model capacity. The empirical effectiveness of deliberative reasoning as a defense mechanism invites further ablations on the mechanisms of protection (reasoning depth, prompt visibility) and the potential of defense-aware attacks (e.g., H-CoT-style) to circumvent them (Young, 8 Dec 2025).

The open-source release of Deep-TEMPEST tools and datasets sets a benchmark for both attack and defense research in side-channel and model safety. Ongoing and future work must evaluate new defenses across diverse benchmarks, incorporate human-in-the-loop evaluations, and track progress longitudinally to address evolving adversarial capabilities. A plausible implication is that adversarial-robustness research must accompany capability scaling in both hardware and AI domains to secure deployments against increasingly practical deep-learning-enabled attacks.
