Hard-Label Model Extraction and Backdoor Insertion in EEG-Based A3L Systems
摘要
EEG-based models have gained prominence in Ambient, Active & Assisted Living (A3L) systems, particularly for sensitive health applications such as epileptic seizure detection and cognitive state monitoring. Despite the security assurances provided by deploying these models within secure inference modules, we demonstrate a practical and impactful spoofing attack leveraging only hard-label outputs (i.e., the API only returns the predicted class label, such as “seizure” or “no seizure”, without any probability or confidence score). By querying the model with carefully crafted EEG signals, an adversary can reconstruct internal weights, bypass embedded watermarks, and insert subtle yet potentially devastating backdoors that can make the model sabotage itself. We experimentally validate this attack using publicly available EEG datasets, successfully spoofing seizure detection classifiers. Our findings highlight critical vulnerabilities in EEG-based health systems, emphasizing the need for stronger protections in model deployment and Over-The-Air (OTA) updates.