Security and Privacy for Reconfigurable Intelligent Surface in 6G: A Review of Prospective Applications and Challenges

While sixth-generation (6G) wireless systems are expected to bring about an explosion of accessible user information and novel technologies, along with new threats to terrestrial and non-terrestrial networks, major concerns associated with the development of 6G networks are privacy and security. Reconfigurable intelligent surfaces (RISs), which have recently emerged as promising candidates to support 6G physical platforms, have proved to be capable of boosting security of next-generation wireless systems. However, due to their easy reconfigurability and low cost, RISs are vulnerable to several security threats, and this vulnerability has not yet been thoroughly addressed in previous research. To fill this gap in the literature, in this review, we aim to thoroughly analyze the security challenges affecting RIS-empowered 6G wireless networks. To this end, we review the attributes of RISs that distinguish them from other relevant technologies, such as multiple-input-multiple-output (MIMO), conventional relaying, backscatter communication (BackCom), as well as outline security and privacy attacks in RIS-assisted 6G applications. Our specific focus is on security and privacy threats associated with the use of RISs with different vital 6G technologies, including millimeter wave (mmWave), terahertz (THz), device-to-device (D2D) communication, Internet of Things (IoT) networks, multi-access edge computing (MEC), integrated sensing and communication (ISAC), simultaneous wireless information and power transfer (SWIPT), and non-terrestrial network. The review concludes with an outline of open research challenges and promising future directions to further increase secrecy of RIS-assisted 6G applications. The results of this review contribute to previous research on 6G network security, in general, and RIS-based 6G network security, in particular.


I. INTRODUCTION
RECONFIGURABLE intelligent surfaces (RISs) have transformed traditional wireless networks into smart radio environments providing power-efficient, cost-effective services with high data rates for beyond fifth-generation (B5G) and sixth-generation (6G) networks [1], [2], [3], [4], [5], [6], [7], [8]. A RIS, also known as an intelligent reflecting surface (IRS), is a digitally controlled planar surface consisting of a large number of low-cost, passive reflecting elements that can intelligently tune the amplitudes and phase shifts of incident signals [8], [9]. As compared to traditional wireless techniques employed at transceivers, RISs can smartly reconfigure the wireless propagation channel towards the intended users, thus boosting the received signal power [10], [11], [12], [13]. Since RISs offer more freedom by intelligently adjusting the phase shift and amplitude of the RIS elements, RIS-enabled communications outperform existing wireless communications. Accordingly, an intelligent reconfiguration of the wireless propagation environment improves system performance [14], [15], [16], [17].
FIGURE 1. Security attacks on RIS-enabled wireless system.
However, despite the recent ground-breaking advances in wireless technology, B5G and 6G networks remain vulnerable to several types of security threats, such as pilot contamination attacks (PCAs), jamming, and eavesdropping [40]. To address these concerns, different approaches to mitigate privacy and security threats to 6G networks have recently been proposed, such as physical key generation, RIS deployment, artificial noise generation, and frequency hopping. Among them, RISs were reported to be capable of reshaping wireless environments without incurring huge costs and adding complexity, which makes them suitable for deployment in B5G and 6G systems [41], [42].
According to several state-of-the-art reviews, RISs are useful in terms of improving physical layer security (PLS) performance metrics [43], [44], [45], [46], [47]. The signal manipulation capability of RISs can enhance the PLS of wireless networks by smartly reconfiguring the channels of both the legitimate and eavesdropping users. Moreover, RISs can also boost the signal beam at the intended receiver and suppress the beam at the eavesdropper, making the wireless network secure. However, deploying RISs may create new security threats in the 6G network that must be tackled. For example, instead of using RISs to enhance PLS and system performance, attackers or eavesdroppers (EAVs) can use them to deteriorate the performance of legitimate links or boost the performance of eavesdropping links, which can jeopardize the security of the entire wireless system [48], [49], [50], [51]. Fig. 1 shows security attacks on a RIS-assisted wireless system consisting of the access point (AP) Alex that forwards traffic to the legitimate user (LU) Bob via RISs and UAVs in the presence of the eavesdropper Eve and a jammer attack. These attacks can severely degrade the performance of the RIS network. For example, if Eve attacks the network, LU Bob cannot achieve a positive secrecy rate. Furthermore, the malicious jammer near the legitimate user Bob can attack a legitimate transmission by sending replayed or faked jamming signals to Bob via RISs and UAVs, thus degrading the performance of LUs. This brings about new privacy and security threats arising from the deployment of RISs in 6G networks. Accordingly, in this paper, we aim to provide a comprehensive review of security and privacy threats from the perspective of RIS deployment in next-generation wireless systems.
From the security and privacy perspective, there has been extensive research on the applications of RISs to enhance the privacy and security of wireless communications, including systematic reviews on RIS-aided covert communications [55], RIS-assisted physical layer security in wireless networks [26], [27], [56], [57], and RIS-aided security in energy harvesting networks [58]. However, to the best of our knowledge, none of the previous studies has thoroughly reviewed security and privacy challenges associated with integrating RISs in promising applications of 6G networks. Therefore, this review is the first to provide a comprehensive analysis of security threats associated with RISs for cutting-edge 6G technologies, including mmWave, THz, D2D communication, IoT networks, multi-access edge computing (MEC), simultaneous wireless information and power transfer (SWIPT), and UAVs. Table 1 compares the scope of previous reviews and that of this paper.
The remainder of the paper is organized as follows: Section II provides fundamental details about the operation and applications of RISs in 6G with various security attacks. Next, Section III identifies the types of attacks on RIS networks and different techniques used to improve RISs' security and privacy. In Section IV, we investigate the PLS for RIS-aided networks. The paper concludes with a discussion of challenges and future research directions (Section V) and conclusions (Section VI). Table 2 summarizes the list of key acronyms used throughout the paper.
can reconfigure the incident signal phase to create a favorable wireless transmission environment [16], [17], [59], [60], [61]. For instance, a smart controller based on a field-programmable gate array (FPGA) controls RIS reflection adaptation. The controller serves as a gateway for communicating and coordinating with the base station (BS) through a separate wired or wireless link. The RIS first receives a signal from the BS and then reflects the incident signal through induced phase variations regulated by the controller. Eventually, the reflected signal and direct BS signal can be coherently added to either attenuate or boost the overall strength of the signal at the receiver. Overall, RIS architecture can be categorized into passive and active. Passive RISs do not process any information and only reflect the incident signal to facilitate communication between the receiver and transmitter. Passive RISs use passive reflecting elements to fully control the beamforming without amplification and are not associated with additional power consumption [62], [63], [64]. By contrast, active RISs can amplify reflected signals via amplifiers embedded in their elements [36], [65], [66], [67], [68].
RISs have several potential advantages over other wireless technologies, such as multiple-input-multiple-output (MIMO) relaying, backscatter communication (BackCom), and conventional relaying [50], [69], [70]. For instance, conventional relaying requires additional power in order to transmit, amplify, and regenerate the signal. By contrast, a RIS passively reflects the incident signal by inducing phase shifts without requiring any additional radio frequency (RF). Furthermore, the RIS functions in the full-duplex (FD) mode that is free of self-interference and noise amplification. Furthermore, unlike conventional BackCom like RF identification (RFID) tags, the RIS modulates information on the incident signal, and then the modulated signal is backscattered to the receiver.
Furthermore, contrary to MIMO relaying, RISs are associated with relatively low power consumption and hardware costs. Although MIMO relaying can achieve a higher signal-to-noise ratio (SNR) than the RISs [24], [71], [72], the SNR of an RIS-aided system can be improved by increasing the number of reflecting elements. In addition, the cost of one reflecting element of an RIS is considerably lower than that of one antenna element in MIMO relaying. Finally, due to the conformal geometry, RISs are lightweight and can be mounted on building facades, walls, ceilings, and so forth, which makes them a promising approach to improve the capacity of future 6G networks [73], [74].

B. SECURITY AND PRIVACY IN RIS-ASSISTED 6G APPLICATIONS
The RIS-assisted 6G network will require modification in its security architecture with the integration of space-air-ground-sea integrated network (SAGIN) architecture to satisfy the requirements of novel applications [40]. In particular, the third-generation partnership project (3GPP) considered the architectural design for the non-terrestrial networks, anticipating a close integration between aerial, satellite, and terrestrial networks [81]. Specifically, 3GPP release 16 defined the standardization of non-terrestrial networks for the next-generation network [83]. Moreover, new security aspects and modifications were also defined by 3GPP in release 18 [82], [83].
As can be seen in Table 3, robust PLS can be a game-changer for protecting 6G networks from several security threats [84], [85], [86], [87]. Since the physical layer is a keystone of wireless communications, numerous traditional security attacks, such as jamming and eavesdropping that affect almost all 6G applications, can be prevented by protecting physical-layer information. A recent study that evaluated the advantages of RISs in terms of wireless security improvement found that RISs can improve PLS by reconfiguring the phase shift and amplitude of reflecting elements to add wireless signals destructively at a potential EAV and constructively at a legitimate receiver (LR) [88].
Furthermore, RISs were also reported to be a promising approach to preserve privacy during wireless communication [55], [89]. This can be achieved by using the low probability-of-detection or covert communication [90], which attempts to hide wireless transmissions (e.g., hide the location of the transmitter or avoid exposing a transmitter) from a warden, thereby attaining a high level of privacy. RISs can also adjust the amplitude or phase shift of their reflecting elements to intentionally create a spatial null around the warden and, by doing so, achieve a high communication covertness [88].
However, despite the benefits of RISs briefly reviewed above, RIS deployment in 6G networks is subject to certain security constraints [40], [63], [91], [92]. For instance, when EAVs and LUs have highly correlated links, the secrecy rate attainable using RISs is quite limited [93]. RISs add beamformed signals destructively at the EAVs and constructively at the intended user. However, this processing approach is not always trivial and can complicate the entire system. Moreover, this approach additionally requires the use of other signal processing techniques to detect incoming symbol vectors from the user, estimate the channel between the RIS and the user, and track the user's location. In the absence of the corresponding sophisticated algorithms, accurate signal beamforming is not attainable, and the entire system is exposed to several security risks. Furthermore, RIS security also needs to be addressed for 6G network PLS, as an attacker can physically or remotely access the RIS controller and modify configuration parameters. Furthermore, the attacker can put itself close to the RIS and use the correlated channel to eavesdrop on the incoming signals [93]. In the next section, we review different types of security and privacy threats on prospective applications of RIS-enabled 6G networks.
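The following added example (not taken from the reviewed papers) puts numbers on two statements above: RIS phase shifts that add the reflected paths constructively at the legitimate user, and the limited secrecy rate when the eavesdropper's link is highly correlated with the legitimate one. The single-antenna Rayleigh model with a blocked direct link, the correlation parameter rho, and all function names are assumptions made for illustration.

```python
import cmath
import math
import random


def cn(rng):
    """One unit-variance circular complex Gaussian sample (Rayleigh fading)."""
    s = math.sqrt(0.5)
    return complex(rng.gauss(0, s), rng.gauss(0, s))


def secrecy_rate(n_elements, rho, snr, rng):
    """Secrecy rate in bit/s/Hz for one channel draw (assumed model).

    rho is the correlation between the RIS->Bob and RIS->Eve channels:
    0 means independent links, 1 means Eve sees exactly Bob's channel.
    """
    g = [cn(rng) for _ in range(n_elements)]        # AP -> RIS
    h_b = [cn(rng) for _ in range(n_elements)]      # RIS -> Bob
    h_e = [rho * hb + math.sqrt(1 - rho ** 2) * cn(rng) for hb in h_b]  # RIS -> Eve
    # Phase shifts chosen so every cascaded AP-RIS-Bob path arrives in phase.
    theta = [-cmath.phase(gn * hb) for gn, hb in zip(g, h_b)]
    bob = sum(gn * hb * cmath.exp(1j * t) for gn, hb, t in zip(g, h_b, theta))
    eve = sum(gn * he * cmath.exp(1j * t) for gn, he, t in zip(g, h_e, theta))
    r_bob = math.log2(1 + snr * abs(bob) ** 2)
    r_eve = math.log2(1 + snr * abs(eve) ** 2)
    return max(0.0, r_bob - r_eve)


def mean_secrecy_rate(n_elements, rho, snr=1.0, trials=300, seed=7):
    """Average secrecy rate over independent channel draws (fixed seed)."""
    rng = random.Random(seed)
    total = sum(secrecy_rate(n_elements, rho, snr, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for n in (16, 64, 256):
        row = [round(mean_secrecy_rate(n, rho), 2) for rho in (0.0, 0.5, 0.9, 1.0)]
        print(f"N={n:3d}  rho=0, 0.5, 0.9, 1.0 ->", row)
```

In this model, adding reflecting elements raises the secrecy rate when Eve's link is independent, but at high correlation the coherent gain reaches Eve as well, so a larger surface does not restore secrecy.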

C. APPLICATIONS OF RISs IN 6G FROM SECURITY PERSPECTIVE
The evolving RIS-enabled wireless network was previously reported to have promising applications in various scenarios (see Figs. 2 and 3). In what follows, these scenarios are discussed in further detail. Table 4 summarizes major types of security and privacy attacks in RIS-assisted 6G applications.
1) THz and mmWave: The first scenario involves completely blocked users unable to communicate with the BSs. In such conditions, RISs can create a strong LOS channel between the sender and the receiver and combat the transmission distance constraint. This capability of RISs is particularly helpful in addressing the coverage extension issues arising in THz and mmWave communication systems because of these bands' unfavorable omnidirectional path losses. Moreover, RISs also increase the channel rank, received power and, consequently, spatial diversity required for outdoor systems. However, in mmWave/THz scenarios, RISs can also lead to security attacks such as eavesdropping attacks where eavesdroppers can attack the RIS-to-user and transmitter-to-RIS links. Several previous studies on EAV attacks on a single RIS environment assumed a perfect eavesdropper channel state information (ECSI) for THz system (e.g., [94], [95], [96]). However, in practice, obtaining a perfect ECSI for the envisioned 6G environments is impossible due to channel estimation errors or untrustworthy behaviors of the eavesdropper. Moreover, due to imperfect ECSI, the narrow beam width characteristics of THz waves can cause information leakage.
2) Cell edge: The second application scenario consists of a RIS-assisted network where users are located at the edge of the cell and can experience co-channel interference from neighboring BSs and a high signal attenuation from their own BS [97]. In this scenario, the RIS can mitigate eavesdroppers' impact by properly cancelling their signal and thus boosting the communication system's security. For instance, the RIS technology was previously used to improve communication system security and mitigate jamming interference [98]. However, in such scenarios, users at the cell edge can suffer from the NLOS communication channel, and malicious multi-antenna jamming attacks can interfere with transmissions by sending replayed or faked jamming signals [99].
3) Device to Device: The third scenario involves D2D networks [100] where the RISs are used to support the requisite low-power transmission, cancel interference, and enhance individual data links. The RIS-enabled D2D network in a downlink transmission scenario can be exposed to passive eavesdropper and jamming attacks where the D2D transmitter forwards information symbols to the D2D receiver and BS.
4) IoT networks: The fourth scenario involves RIS-assisted IoT systems (e.g., [101]) that can alleviate energy budget issues in energy-constrained IoT networks and compensate for power losses over long distances through passive RIS beamforming. However, RIS-assisted IoT networks are vulnerable to cooperative attacks between EAVs and malicious jammers (MJs) capable of degrading the system performance. Specifically, the MJs can perform jamming attacks on RISs and BSs, thus complicating the decoding of information [102].
5) NOMA: The fifth scenario involves 6G NOMA systems (e.g., [97], [103]). In these systems, RISs can help to increase the number of served users and improve the communication rate, which is a key requirement for these systems. Yet, RIS-assisted NOMA networks are exposed to internal and external eavesdropping security attacks. NOMA users with high power are exposed to external EAVs, while their broadcasted information can be leaked to the internal untrusted EAVs due to successive interference cancellation [104].
6) Cognitive radio: The sixth scenario is related to cognitive radio (CR) networks [105] where RISs can be employed to increase the degree of freedom so as to further boost network performance [106]. As secondary users share the channel sensing via a common control channel (CCC), intruders can perform jamming attacks such as denial-of-service (DoS) on the CCC in RIS-assisted CRs (RIS-CRs) [107]. Moreover, EAVs can perform security attacks and obtain the CSIs of the wiretap links in RIS-CRs.
7) Multi-access edge computing: The seventh scenario includes using RISs in MEC systems, wherein RIS deployment is used to improve spectral efficiency and energy efficiency (EE). For instance, as reported in several previous studies, mobile users' transmit power can be minimized by considering an infrastructure in which machine learning tasks are offloaded to the MEC server [108], [109]. However, due to the broadcasting nature of EM signals from the RIS-MEC network, the offloading of data can be intercepted by the malicious eavesdropper [110].
8) UAV: The eighth scenario involves the UAV networks where RISs can be deployed to improve the quality of communication between ground users and the UAV, which can result in system performance optimization [111]. In a RIS-assisted UAV network, the eavesdropper and unreliable UAVs can perform security and privacy attacks (e.g., cooperative jamming attacks) and degrade network performance [112].
9) SWIPT: The ninth scenario of RIS-assisted communication pertains to the SWIPT (see Fig. 3). In such systems, the RIS phase-shift matrix can be formulated to improve the strength of the signal at the energy receivers in the charging zone to ensure compliance with the energy harvesting requirements [113]. SWIPT networks are exposed to two types of EAD attacks: active and passive [114], [115]. In the active EAD attack, attackers can mislead the BS to forward the signal to the EAD instead of LUs. Moreover, the EAD can act as a LU and forward the pilot signal to the BS in SWIPT systems. The passive attack is challenging, since, due to imperfect CSI, EADs cannot be detected at the BS.
10) Satellite networks: The next scenario is related to the deployment of low earth orbit satellites and high-altitude platforms that have emerged as a potential solution for low-latency and ubiquitous communications. However, constraints of such deployment include dynamic propagation environment and high probability of blockage. These concerns could be addressed by using RIS-assisted non-terrestrial communication as a cost-effective solution. Specifically, RISs can provide a controllable propagation environment and bypass blockages to improve capacity in satellite communication [116], [117]. In the scenario when the eavesdropper is very close to the legitimate node, satellite communication is exposed to eavesdropping attacks [118]. In that case, the space wiretap channel and the space legitimate channel are similar, and the communication is exposed to eavesdropper attack.
11) Integrated sensing and communication: Finally, the deployment of RISs in ISAC provides significant performance improvements with regard to spectral efficiency, interference suppression, and target detection [119], [120]. RIS-aided ISAC improves target parameter interference suppression and NLOS target detection. However, due to LOS-dominated air-ground communication channels, RIS-assisted ISAC is vulnerable to jamming and eavesdropping attacks. Moreover, malicious and unauthorized UAVs also pose new security attacks to ground ISAC communication networks [121].

III. ATTACK AND THREATS IN RIS-AIDED WIRELESS SYSTEMS
Exploitation of RISs by malicious sources may pose various privacy and security threats to future wireless systems. In this section, we discuss different security threats that RISs can face. Furthermore, a discussion of PLS is most important here, as major beamforming operations occur in the physical layer of RIS devices. In addition, we also review security issues associated with network layers. The major reason for this review is that most of the data from IoT and sensing devices associated with UAVs are processed by the network layer in accordance with the corresponding protocols to successfully transmit the information to the destination. However, if the attacker tampers with the destination address, the data will be transmitted to the wrong address, and the RIS will be used for an unintended signal transmission. Table 5 summarizes potential RIS-based security threats and possible countermeasures.

A. PILOT CONTAMINATION ATTACK (PCA)
In previous research, RISs were reported to demonstrate a great potential in offering more flexibility for wireless communications. Namely, because they consume no power and add no thermal noise during reflection, RISs can enhance energy and spectrum efficiency [19]. However, more threats to multiple-antenna systems can emerge. Theoretically, the reverse pilot transmission phase involves capturing the CSI of RISs [131]. In a recent study, Huang and Wang [122] proposed a novel PCA strategy during the pilot training phase where Eve exploited an RIS to perform a PCA. The results of this study revealed that Eve might use an RIS to deteriorate performance of the wireless system. Eve can also use RISs to attack the reverse pilot transmission phase of a time division duplex system without any information about the pilot sequence, as well as to reflect the pilot sequence transmitted to LU Alex by LU Bob. Technically, the existing random orthogonal pilot [132], [133], artificial noise or random data [134], [135], and random modulation [136], [137] methods fall short of the RIS-assisted PCA (RIS-PCA) scheme, as all these methods require a difference in the signal sequence sent by Bob and Eve. Furthermore, an RIS-PCA attack alters channel estimation results, which then deteriorates transmission performance in the downlink transmission phase and thus enables the eavesdropper to obtain confidential details using a pilot spoofing attack.
Considering the seriousness of the threat presented by PCAs to multiple-antenna systems, different approaches were previously proposed to detect PCAs and ensure secure transmission under such attacks [136], [137], [138]. However, existing countermeasures for PCAs do not work for RIS-based PCAs, as Eve is not required to have details about the pilot sequence of Bob, thereby posing serious security threats to the legitimate wireless network. Because of the notable differences between classic PCAs and RIS-based PCAs, it is essential to identify possible countermeasures for the RIS-based variant. Inspired by these observations, Huang and Wang [122] proposed a novel generalized cumulative sum (GCUSUM) scheme, namely, a sequential process for detecting the occurrence of RIS-based PCAs. In the analysis of the worst-case average wiretapping throughput gain, worst-case average detection delay, and average run length to false alarm of the GCUSUM scheme, the authors obtained noteworthy results. Moreover, Huang and Wang [122] also presented a cooperative channel estimation scheme to ensure secure transmission when under an RIS-based PCA.
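To show what a sequential detector of this kind involves, the added example below runs a textbook windowed generalized-likelihood-ratio (GLR) change test over per-frame channel-estimate energies and reports the detection delay. It is not the GCUSUM scheme of [122]; the monitored statistic, the pilot, the frame values, the baseline (mu0, sigma) and the threshold are all constructed assumptions.

```python
import math

# Constructed unit-modulus pilot sequence (assumption, not from the paper).
PILOT = [1 + 0j, 1j, -1 + 0j, -1j, 1 + 0j, -1j, -1 + 0j, 1j]


def ls_channel_energy(received, pilot=PILOT):
    """Energy |h_hat|^2 of the least-squares channel estimate of one frame."""
    num = sum(y * p.conjugate() for y, p in zip(received, pilot))
    den = sum(abs(p) ** 2 for p in pilot)
    return abs(num / den) ** 2


def glr_first_alarm(stat, mu0, sigma, threshold, window=8):
    """Index of the first frame whose windowed GLR statistic exceeds threshold.

    For each frame k the test maximises, over every start j in the last
    `window` frames, the log-likelihood ratio of "mean shifted by an unknown
    amount since j" against "mean still mu0" for Gaussian data. Squaring the
    partial sum makes the test two-sided, so both a boosted and a suppressed
    channel estimate raise the alarm. Returns None if no alarm fires.
    """
    for k in range(len(stat)):
        partial, best = 0.0, 0.0
        for n, j in enumerate(range(k, max(-1, k - window), -1), start=1):
            partial += stat[j] - mu0
            best = max(best, partial * partial / (2.0 * sigma ** 2 * n))
        if best > threshold:
            return k
    return None


def make_frames(energies):
    """Constructed received pilots whose LS estimate has the given energy."""
    return [[math.sqrt(e) * p for p in PILOT] for e in energies]


# Constructed per-frame energies, normalised to an attack-free baseline of 1.0.
CLEAN = [1.05, 0.92, 1.10, 0.97, 1.01, 0.88, 1.07, 0.95]
BOOST = [1.27, 1.22, 1.26, 1.24, 1.28, 1.23]   # reflection adds to the estimate
FADE = [0.73, 0.78, 0.74, 0.76, 0.72, 0.77]    # reflection cancels part of it


def run(energies, mu0=1.0, sigma=0.1, threshold=10.0):
    """Estimate the channel per frame, then run the sequential test."""
    stat = [ls_channel_energy(frame) for frame in make_frames(energies)]
    return glr_first_alarm(stat, mu0, sigma, threshold)


if __name__ == "__main__":
    for name, tail in (("boost", BOOST), ("fade", FADE)):
        alarm = run(CLEAN + tail)
        print(name, "alarm at frame", alarm, "delay", alarm - len(CLEAN))
    print("attack-free run:", run(CLEAN * 3))
```

Raising the threshold lengthens the run length to false alarm at the cost of a longer detection delay, which is the trade-off the analysis metrics named above quantify.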

B. PILOT SPOOFING ATTACK (PSA)
A PSA attack introduces novel challenges for secure transmission at the physical layer. A PSA attack is a type of active eavesdropping wherein the identical training sequences are launched to manipulate the channel estimation result during the pilot training phase [139]. While this technique cannot be performed without detailed information regarding the pilot sequence, a random pilot sequence can be created to detect a PSA. However, RISs and the real-time-programmable attributes of wireless channels offer innovative opportunities for efficient pilot spoofing. Owing to the ease of accessibility of the communication protocol, an RIS control method might be seamlessly embedded in the protocol, which allows malicious individuals to use RISs to manipulate the wireless channel. After tampering with the protocols, the reciprocity of the downlink and uplink channels can be obliterated, thereby leading to potential additional threats to the legitimate communication [123].
While Huang and Wang [122] already mentioned the idea of an RIS-assisted spoofing attack, they did not find anything regarding the maximization of wiretapping capability. Yang et al. [123] proposed a new pilot attack strategy that uses an RIS in a three-node model. In this model, the RIS is placed close to the LUs to passively reflect the legitimate signal. The control scheme is embedded in the communication process in the time division duplex mode to facilitate the eavesdropper conducting pilot spoofing. Channel reciprocity fades away because the RIS phase shifts are varied during the downlink and uplink phases, and the beamforming vector's bias towards the EAVs is increased. Yang et al.'s [123] results indicated that this approach can generate severe security threats with no energy footprints. Furthermore, the internal users' lack of proper RIS employment was found to potentially lead to other serious concerns.
Overall, countering the RIS-aided PSA attacks is associated with two major challenges: (i) uncertainty in terms of noise present during PSA detection that can damage the known energy-based signal detectors; and (ii) uncertainty in channel distribution information that invalidates the statistic feature-based PSA detection schemes. With this in mind, Liu et al. [140] devised a three-step training procedure to address PSA attacks on RIS-assisted systems. In this study, the detector was used to examine the signal power levels received at the transmitter to reliably detect the PSAs. The proposed three-step training method did not need any prior information about the noise variance and could acquire the CSI of illegitimate and legitimate backscatter channels. Although the theoretical analysis of the proposed scheme's efficacy was conducted, the scheme was a prototype. Accordingly, further research is needed to address several practical concerns, such as the efficient design of a feedback process in a backhaul link or the random binary sequence for RIS-enabled MISO systems.

C. JAMMING ATTACK
In an important recent study, Lyu et al. [124] presented another adverse RIS application for modern wireless systems involving an RIS used as a green jammer to attack the communication between two authorized parties. Contrary to several recent studies where RISs were adopted to boost the secrecy rate at the LR [93], [141], [142], Lyu et al. proposed using an RIS-assisted jammer to degrade the signal-to-interference-plus-noise ratio (SINR) at the LR. Furthermore, unlike traditional active jamming attacks that use their internal energy to bombard the victim system with strong noise signals, the RIS-enabled jammer proposed by Lyu et al. used the victim system's signals for the attack by altering their phase shifts and reflection coefficients. The RIS-based jamming attack left no footprint as it interfered with the system, which made its detection and prevention more tricky and cumbersome. Lyu et al. [124] showed that, under certain circumstances, their proposed RIS-based jammer outperformed classic jamming attacks, particularly when there was a small distance (<10 m) between Bob and the RIS.
Overall, cooperative jamming is a technique used to tackle eavesdropping and jamming attacks so as to increase communication network security. In this jamming technique, the main station transmits the information signal to the LUs. By contrast, the relay node transmits the jamming signal to interrupt the communications channel for EAVs. Cooperative relaying or jamming differs from normal jamming in that it increases network security by establishing a secure channel between end nodes. Several known cooperative relaying or jamming techniques include decode-and-forward and amplify-and-forward.

D. ENVIRONMENT RECONFIGURATION ATTACK (ERA)
Staat et al. [126] introduced a new type of jamming attack on modern wireless networks, named the environment reconfiguration attack (ERA). In this attack, an RIS is exploited by an adversary to swiftly change the electromagnetic propagation environment and create disturbance for LRs. Through reflecting available legitimate signals, the RIS provides the adversary with a significant advantage over conventional jamming. Accordingly, the adversary no longer needs to actively emit jamming signals. Staat et al. [126] proposed orthogonal frequency division multiplexing (OFDM) modulation to comprehensively examine the ERA. The authors also presented an optimization algorithm to improve the ERA's jamming performance. The results of the aforementioned study revealed that, even with a very small RIS, the ERA could severely degrade the available data rates.
Staat et al. [126] further argued that their ERA has a higher practical value than the previously proposed RIS-based jamming techniques [124] that require the attacker to know all details about the involved channel states. Indeed, as documented in the literature [7], [9], [19], [126], obtaining such details is not feasible. Thus, the ERA approach [126] eliminates this impractical channel knowledge requirement for the attacker and achieves a significantly better jamming performance.

E. MANIPULATION ATTACK
In another relevant study, Hu et al. [125] presented a novel RIS-aided manipulation attack to reduce the key generation rate (KGR); in this attack, the active attacker Eve performs rapid RIS phase changes to manipulate the wireless environment. To analyze the weakness of conventional key generation technology subject to this type of attack, the authors used the channel frequency response coefficient. Hu et al. [125] introduced a path-separation-based slewing rate detection process to counter RIS-enabled manipulation attacks. This process involves removing the compromised path from the time domain and using a flexible quantization method for KGR maximization. The simulation results showed promising performance of the proposed process in terms of successful detection of the attacked path; the authors also argued that their process could be improved upon in future studies.

F. SIGNAL LEAKAGE AND INTERFERENCE ATTACK
Wang et al. [51] proposed a novel concept-illegal reconfigurable intelligent surface (IRIS) involving the illegitimate use of an RIS. Two important security issues-namely, interference and signal leakage-were investigated in the case of IRIS presence.
Signal leakage represents the scenario where an IRIS is used to improve the eavesdropping data rate and increase the information leakage to the EAV. In a traditional wireless system, an IRIS can be used by the EAV to reflect the environmental signal, as well as to collect the transmission signal that cannot be received earlier. The IRIS can passively enhance communication quality of illegal links and degrade the performance of PLS without generating an extra RF signal. Therefore, it is rather difficult to detect and prevent signal leakage. The concept pf signal leakage mainly focuses on acquiring more legal signals leaked from the AP to boost the EAV's wiretapping capability. This is different than RISbased jamming [124] where the signal power received at the LU is reduced through the destructive addition of signals from the RIS and AP.
While RISs are used for PLS improvement, it is difficult to achieve a good system performance, as the legitimate system cannot control IRIS-aided interference links. Moreover, using an IRIS to transmit interference signals (referred to as an interference attack) can severely degrade the SINR at the LU. Likewise, it is almost impossible to cancel interference signals from the IRIS. This situation can severely hinder the channel estimation and data transmission process. While a pilot symbol is sent to the LU by the AP during the channel estimation process, the attacker can use the IRIS to send another pilot symbol. If the attacker uses a high transmit power and the IRIS is reasonably optimized, it can control the training phase and degrade the channel estimation accuracy [51].
Another major challenge posed by IRIS-based interference and signal leakage attacks is the joint optimization of the beamforming vector at the AP and the RIS phase shifts under imperfect CSI. In most previous studies on RIS-aided PLS optimization, the CSI of illegitimate and legitimate links was assumed to be perfectly known [41], [42], [143]. Therefore, joint optimization for wireless networks that incorporate IRIS and RIS has to be redesigned assuming imperfect CSI for legitimate links and no CSI for illegitimate ones. Admittedly, addressing this concern will increase the complexity of the optimization problem and severely restrict the improvement in performance attained through joint optimization. In addition, IRIS deployment further improves the communication quality of illegitimate wireless systems and, in turn, further degrades PLS performance. The simple joint optimization of the RIS phase shifts and the beamforming vector at the AP is not sufficient to relieve the considerable effect brought by the IRIS. In this context, in order to safeguard transmission against IRIS-based threats, it becomes imperative to investigate innovative ideas. In one study seeking to do so, Wang et al. [51] introduced an artificial noise (AN) assisted solution based on joint optimization to alleviate PLS degradation caused by the IRIS. The basic concept behind the AN technology was integrating the noise signal with the information signal. The legitimate channel and noise channel were kept orthogonal. Without affecting LUs, the noise signal only obstructed all possible EAVs regardless of the location of IRISs and EAVs. This would eventually improve the wireless system secrecy rate, reduce the data rate at EAVs, as well as secure the transmissions against IRISs and EAVs.
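The AN idea described above can be made concrete with a small numerical model. The following is an added example, not code from the paper or from Wang et al. [51]: it swaps in the standard isotropic null-space AN formulation instead of the joint optimization of [51], models the IRIS as an extra reflected path to the EAV, and uses constructed channel values throughout.

```python
import math

# Constructed sample channels (assumptions, not from the paper):
# 4-antenna AP, single-antenna LU and EAV, received signal y = c^H x.
H_LU = [0.1 + 0j] * 4                     # AP -> legitimate user
G_DIRECT = [0.05, 0.05, 0.05, -0.05]      # AP -> EAV, direct path only
G_REFLECT = [0.25, 0.15, 0.15, 0.05]      # assumed extra AP -> IRIS -> EAV path
G_IRIS = [d + r for d, r in zip(G_DIRECT, G_REFLECT)]  # IRIS-boosted EAV channel
SNR_TX = 1000.0                           # transmit power / noise power (30 dB)

def inner(a, b):
    """Hermitian inner product a^H b."""
    return sum(complex(x).conjugate() * y for x, y in zip(a, b))

def null_project(h, v):
    """Component of v orthogonal to h: (I - h h^H / ||h||^2) v."""
    scale = inner(h, v) / inner(h, h).real
    return [y - scale * x for x, y in zip(h, v)]

def gains(h, c):
    """(signal gain, AN gain) seen through channel c when the AP beamforms
    along h and spreads AN evenly over the N-1 directions orthogonal to h."""
    sig = abs(inner(c, h)) ** 2 / inner(h, h).real
    p = null_project(h, c)
    an = inner(p, p).real / (len(h) - 1)
    return sig, an

def secrecy_rate(h, g, phi, snr_tx=SNR_TX):
    """Secrecy rate (bit/s/Hz) with fraction phi of power on data, 1-phi on AN."""
    sig_lu, an_lu = gains(h, h)           # an_lu is zero: AN is orthogonal to h
    sig_ev, an_ev = gains(h, g)
    sinr_lu = phi * snr_tx * sig_lu / ((1 - phi) * snr_tx * an_lu + 1)
    sinr_ev = phi * snr_tx * sig_ev / ((1 - phi) * snr_tx * an_ev + 1)
    return max(0.0, math.log2(1 + sinr_lu) - math.log2(1 + sinr_ev))

def best_split(h, g, steps=100):
    """Grid-search the power split; returns (rate, phi). phi = 1 means no AN."""
    return max((secrecy_rate(h, g, k / steps), k / steps)
               for k in range(1, steps + 1))

if __name__ == "__main__":
    print("no IRIS, no AN :", round(secrecy_rate(H_LU, G_DIRECT, 1.0), 3))
    print("IRIS,    no AN :", round(secrecy_rate(H_LU, G_IRIS, 1.0), 3))
    rate, phi = best_split(H_LU, G_IRIS)
    print("IRIS,  with AN :", round(rate, 3), "at data power fraction", phi)
```

Note that the AP needs only the legitimate channel to build the noise: the EAV channel enters the script solely to evaluate the outcome, which matches the no-CSI-for-illegitimate-links assumption discussed above.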

G. UNAUTHORIZED ACCESS AND ATTACKS ON RIS CONTROLLER
RISs may be subjected to many incident signals from different network nodes, including those generated and transmitted by malicious users. If a network's RISs are not equipped with a proper identification system, a malicious signal transmitted to LUs will affect their decision-making. For instance, if false information about traffic is transmitted to and used by an ambulance, the patient's condition might further deteriorate [128], and a tactical situation might get complicated if unauthorized personnel use RISs in a tactical network.
Moreover, intruders can also attack tunable chips of the RIS. The primary function of these chips is to reconfigure the phase and amplitude of signals to successfully reach their destination. The role of the adversary is to change the parameters so that the signals containing information get diverted from their original propagation path [129]. The adversary can gain remote access to the RIS controller that controls chip parameters through malware injection. Similarly, using meta-surface control functions, the eavesdropper can also attack wave manipulation or modulation techniques used to create multiple reflections of the incoming signal, with different phases and amplitudes. By adjusting the controller functions, the adversary can change the movement of RISs so as to cause a destructive interference. This will completely corrupt informative signals, and the end user will receive only disrupted signals containing noises [130].

IV. PHYSICAL LAYER SECURITY FOR RIS-ASSISTED NETWORKS
Available research on RIS-related security threats is still in its infancy. To date, very few studies have addressed possible countermeasures for the potential threats to RISs. In this section, these studies are reviewed in further detail. Tables 6 and 7 summarize the PLS in RIS-enabled wireless and non-terrestrial networks.

A. RIS-ASSISTED WIRELESS NETWORKS
Wang et al. [144] proposed a semi-definite programming relaxation technique for robust cooperative jamming and beamforming design with eavesdroppers under an imperfect CSI to maximize EE. The proposed technique achieved a higher EE in an imperfect CSI with eavesdroppers. In another relevant study, an alternating optimization algorithm was proposed to design an optimal phase shift of RIS and beamforming for BS [41]. This system model considered a RIS-assisted wireless network with a multi-antenna eavesdropper and a single-antenna LU. Simulation results revealed that the model achieved a higher secrecy rate even in the presence of an eavesdropper. Furthermore, Chen et al. [42] proposed an AO technique to maximize the SR in a downlink MISO broadcast network with multiple eavesdroppers. According to the results of simulations conducted under various practical constraints on RIS reflecting elements, the proposed technique achieved a higher SR with an improved PLS. A semidefinite programming relaxation and policy gradient descent technique was proposed to achieve a higher secrecy rate while minimizing the transmission power [145]. The simulations were conducted in rank-one and rank-rank channels scenarios in the RIS-MISO model. The results showed an improved PLS and an improvement for the transmission power and secrecy rate. Furthermore, aiming to maximize the SR while satisfying the unit-modulus constraint on passive beamforming at RIS and transmit power constraint at the beamforming of BS, Zhou et al. [146] proposed successive convex approximation (SCA) to design a robust secure system under the transceiver hardware constraints. Simulation results showed that the proposed technique achieved a higher SR and was more robust to the hardware constraints than the traditional techniques that do not consider the effect of hardware impairments. Finally, Si et al. [147] formulated the problem of maximizing the covert transmission rate as SDR to jointly optimize the RIS phase shift and transmit beamforming. Numerical results revealed that the proposed optimization technique achieved a higher covert transmission rate and improved the PLS of the RIS-assisted wireless network.

B. RIS-AIDED INTEGRATED SENSING AND COMMUNICATIONS
Deployment of RISs in ISAC networks yielded promising results, as it can create virtual LOS communication links for both sensing and communication to enhance the capacity. While several previous studies investigated the role of RIS in ISAC and their potential in increasing the target sensing capability [156], [157], [158], in most of this research, it was assumed that the target cannot intercept the transmitted signals. In ISAC networks, the transmitted signal contains both sensing and communication signals that can be intercepted by intruders. Furthermore, employing AN at the transmitting nodes, Su et al. [159] developed a PLS framework and formulated the optimization problem as fractional programming (FP) to minimize the SINR at the radar targets and to maximize the secrecy rate in the ISAC network. The numerical results revealed that, although the highest secrecy rate was achieved, the model considered that both perfect CSI and the precise location of the target were known at the BS. This makes the PLS techniques developed for the traditional ISAC networks not applicable in the presence of RIS. In another relevant study, Hua et al. [160] investigated the RIS-assisted ISAC system for improving the PLS while considering the communication and sensing mechanism. A penalty-based algorithm was proposed to jointly optimize radar beamformers, RIS phase shifts, and communication beamformers to maximize communication and sensing considering multiple communication users and an eavesdropping target. The simulation results achieved tolerable information leakage to the eavesdropping target and minimum SINR for users.

C. RIS-ASSISTED NON-TERRESTRIAL NETWORKS
Next-generation communication networks can achieve ubiquitous and user-centric connectivity for 6G networks through orchestration of non-terrestrial and terrestrial networks [161]. In what follows, we discuss PLS for non-terrestrial networks from UAV and satellite communication perspectives.

1) UAV NETWORKS
Fang et al. [150] proposed an iterative technique for a robust design to optimize the trajectory of UAV and phase shift of RIS under the eavesdropper. The RIS-assisted UAV framework achieved an improved secrecy rate for the transmission and improved the PLS security. Furthermore, Li et al. [151] presented three algorithms, namely S-procedure, SCA, and SDR, to improve the PLS and secrecy rate of the network. The proposed algorithm was found to optimize the users' transmit power, beamforming of RIS, and trajectory of UAV in the presence of eavesdropper under an imperfect CSI. A convex approximation technique was proposed to optimize the phase shift of RIS and trajectory of UAVs under the eavesdropper [152]. The proposed algorithm maximized the secure EE and PLS of the network. In another study, Fang et al. [153] developed a robust secure framework to improve the PLS of RIS-assisted UAV framework to maximize the secrecy rate, proposing the AO to optimize the UAV trajectory and transmit power, and phase shift of RIS with the presence of an eavesdropper. Numerical results showed an improved secrecy rate in RIS-assisted UAV network. Furthermore, Sun et al. [59] proposed an AO algorithm to design the beamforming of RIS and UAV BS for RIS-UAV assisted mmWave network to maximize the SR in the presence of eavesdropper. The results showed that, as compared to other techniques, the proposed approach achieved a higher secrecy rate.

2) SATELLITE NETWORKS
Xu et al. [60] developed an AO technique to minimize the destination SINR at the eavesdropper to limit the maximum interference at the satellite user and guarantee reliable signal strength at the terrestrial network user. The simulation results achieved a higher secrecy gain and significantly reduced the target SINR at the eavesdropper. In another study on the role of integrating RIS with space-air-ground integrated network (SAGIN), Xu et al. [154] found that RIS-aided SAGIN can significantly improve the connectivity, wireless coverage as well as the PLS. Furthermore, in an investigation on the deployment of RISs to improve the PLS in satellite communication system, Ngo et al. [155] proposed a two-hop content delivery technique to improve the secrecy rate from the ground station to satellite communication by deploying RIS.
The aforementioned PLS techniques developed for RIS networks assume protecting the transmitted data against eavesdropping. However, privacy issues cannot be addressed by merely considering the presence of transmissions. To properly address the issue, the covert communication paradigm capable of preserving a high level of privacy and security in RIS was introduced [90].

D. RIS-ASSISTED COVERT COMMUNICATION
In a study introducing a penalty successive convex approximation (PSCA) algorithm to design the RIS reflecting coefficient and transmit power considering the covertness communication without Willie's instantaneous CSI and global CSI, Zhou et al. [89] found that RIS-assisted networks can outperform traditional networks in the context of covert communication. Furthermore, Wu et al. [9] proposed a one-dimensional search method to optimize the RIS reflection amplitude and transmit power in an RIS-aided covert network. The model assumed that Willie's statistical CSI is available globally. Numerical results showed that the proposed technique achieved maximum covertness as compared to the condition without the use of the RIS approach. Several other studies proposed an RIS-assisted framework for covert communication in NOMA network [55], [149]. The proposed approach was found to be capable of varying the legitimate information transmission environment from the malicious detection and increasing covert communication. Extant research on RIS-enabled covert communication considers only either the presence of channel information uncertainty or noise information uncertainty at the eavesdropper. Moreover, in another paper, [148] considered channel information uncertainty at the legitimate transmitter and noise information uncertainty at the eavesdropper. However, due to calibration error, as well as variation in the environmental noise and temperature, channel information uncertainty and noise information uncertainty at the eavesdropper could not be avoided. To address the issue, Zou et al. [148] proposed an SDR technique for covert communication under the noise information and channel information uncertainty constraint at the eavesdropper. The corresponding simulation results revealed that, as compared to baseline schemes, the proposed technique achieved a higher covert communication.

E. CASE STUDY
The performance of PLS with a RIS-empowered system is evaluated in terms of the average secrecy rate compared to the baseline scheme without RIS architecture. The scenario allows a maximum tolerable channel capacity for all eavesdroppers. We assume an equal maximum tolerable channel capacity for all eavesdroppers. Fig. 5 shows that the system secrecy rate is almost zero when RIS is not deployed. This is due to the weak LOS between legitimate users and AP. In other words, secure wireless communication cannot be achieved for blocked users due to an unfavorable wireless propagation environment. Furthermore, the RIS-empowered wireless system achieves a higher average secrecy rate than the RIS-free environment, which confirms that deployment of RIS can make the wireless system more secure.
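The effect reported in the case study can be illustrated with a simplified model. The following is an added example, not the simulation behind Fig. 5 and not code from the paper: it assumes a single-antenna AP, a 64-element half-wavelength uniform linear RIS in the far field, and constructed path amplitudes and angles. It also covers the case where the eavesdropper sits in the same direction as the LU, where co-phasing the RIS no longer helps.

```python
import cmath
import math

# Constructed scenario (assumptions, not values from the paper).
M = 64                                   # RIS elements, half-wavelength spacing
SNR_TX = 1e4                             # transmit power / noise power (40 dB)
AMP = 0.002                              # per-element AP -> RIS -> user amplitude
H_DIRECT = cmath.rect(0.010, 0.7)        # weak (blocked) AP -> LU direct path
E_DIRECT = cmath.rect(0.009, -1.1)       # AP -> EAV direct path
AP_ANGLE, LU_ANGLE, EAV_ANGLE = (math.radians(a) for a in (30, -20, 40))

def cascade(ap_angle, user_angle, m=M, amp=AMP):
    """Per-element AP -> RIS -> user channel: linear phase across the array."""
    psi = math.pi * (math.sin(ap_angle) + math.sin(user_angle))
    return [cmath.rect(amp, k * psi) for k in range(m)]

def cophase(direct, casc):
    """Unit-modulus RIS coefficients aligning each reflected path with the
    direct path of the user the RIS is configured for."""
    return [cmath.rect(1.0, cmath.phase(direct) - cmath.phase(c)) for c in casc]

def effective(direct, casc, theta=None):
    """End-to-end scalar channel; theta=None means no RIS is deployed."""
    if theta is None:
        return direct
    return direct + sum(c * t for c, t in zip(casc, theta))

def secrecy_rate(h_eff, e_eff, snr_tx=SNR_TX):
    c_lu = math.log2(1 + snr_tx * abs(h_eff) ** 2)
    c_ev = math.log2(1 + snr_tx * abs(e_eff) ** 2)
    return max(0.0, c_lu - c_ev)

def scenario(eav_angle, use_ris=True):
    """Secrecy rate when the RIS (if any) is co-phased for the LU only."""
    lu_c = cascade(AP_ANGLE, LU_ANGLE)
    ev_c = cascade(AP_ANGLE, eav_angle)
    theta = cophase(H_DIRECT, lu_c) if use_ris else None
    return secrecy_rate(effective(H_DIRECT, lu_c, theta),
                        effective(E_DIRECT, ev_c, theta))

if __name__ == "__main__":
    print("no RIS                   :", round(scenario(EAV_ANGLE, False), 3))
    print("RIS, EAV at other angle  :", round(scenario(EAV_ANGLE), 3))
    print("RIS, EAV in LU direction :", round(scenario(LU_ANGLE), 3))
```

The reflected paths add coherently only toward the LU, so the LU amplitude grows with the number of elements while the EAV at a different angle sees an incoherent sum; an EAV aligned with the LU inherits the same gain.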

V. CHALLENGES AND FUTURE RESEARCH DIRECTIONS
6G network can be a promising paradigm to significantly boost privacy and security of wireless communications. Emerging as a potential solution for B5G and 6G networks, RISs can improve communication performance by dynamically tuning phase shifts of the transmission signal. However, due to RIS elements' simpler configuration and cost-effectiveness, RIS-enabled systems are vulnerable to several types of security threats. In this section, we provide a succinct summary of current challenges and future research directions to address privacy and security concerns of RIS-enabled 6G communication systems (see Table 8 for a summary).

A. AI-ENABLED PRIVACY PRESERVING TECHNIQUES
The evolution of 6G technology is expected to lead to a massive increase in AI-based smart applications that will require customized context-aware privacy solutions. Because of complexity and diversity of new privacy challenges, traditional privacy-preserving techniques might not perform well for RIS-assisted next-generation wireless applications. In this context, in order to adequately address the growing privacy and security concerns in modern wireless networks, it is imperative to identify innovative ideas.
One such promising solution to preserve privacy of RIS-enabled future wireless systems is distributed ledger technologies, such as Blockchain. Blockchain offers many privacy and security features, including anonymity, verifiability, transparency, and immutability. It also provides access control optimization, secure data sharing, effective monitoring, traceability, as well as ensures integrity of data and efficient accountability [162].
Another actively investigated research topic to ensure privacy protection is federated learning (FL) [163]. FL is a distributed ML technique that can locally train models using a generated source with a massive volume of data. Instead of sending a raw dataset for training, each learner in local networks forwards their aggregated weights to a global FL model. By means of following the idea of bringing the code to the data, instead of the data to the code, FL can address some of the major challenges associated with data locality, data ownership, and data privacy [164], [165]. Several recent studies [166], [167] have leveraged FL algorithms in RIS-aided systems and obtained promising results. Owing to their privacy-preserving characteristic, FL algorithms are expected to yield noteworthy results in terms of secure design and deployment of multiple RISs in 6G systems, which makes these algorithms a potential domain for further research. In the context of attempts to achieve a higher accuracy along with privacy in 6G networks, deep reinforcement learning (DRL)-based FL and transfer FL techniques are getting more scholarly attention. The main reason for using DRL-based FL techniques for privacy is that these techniques can explore the environment and provide a real-time remedial solution for privacy preservation when under attack.
Another possible solution to address the challenges anticipated in future 6G applications is privacy protection using differential privacy (DP) schemes [168], [169]. The DP operation involves perturbing actual data using artificially designed random noise functions prior to transmitting the final output to the allocated server, thus preventing attackers from conducting received data analysis and capturing personal details from user data. Integrating RISs with DP techniques can preserve end users' privacy while maintaining quality communication. However, while further research in this direction may lead to significant improvements in the performance of 6G systems while ensuring user privacy, available research on this topic remains very limited [91]. Another way to secure communications is using homomorphic encryption techniques where public and private keys are distributed among LUs. In that case, even if RISs are compromised and used to direct the signals to the unintended user, the adversary will not be able to decrypt the information.

B. INTEGRATED SENSING AND COMMUNICATIONS
In the ISAC network, both radar and communication signals are transmitted on the same frequency band, which makes data transmission to both radar targets and communication users more complex because of the higher risks of security threats by eavesdroppers or unauthorized users. The use of RIS, which allows for intelligent tuning of the amplitude and phase shifts of the RIS elements to increase the LOS signal towards the legitimate user instead of the eavesdropper, can significantly enhance the PLS. However, existing RIS-aided ISAC networks assume known location and knowledge of RIS parameters and locations, which are challenging to acquire for mobile next-generation networks, such as the emerging THz and mmWave networks. In this respect, data-driven techniques such as DL, RL and DT can be effective to learn the dynamic characteristics and parameters of the RIS-assisted ISAC networks to increase the PLS.

C. NON-TERRESTRIAL NETWORKS
Non-terrestrial networks will have highly mobile and dynamic characteristics due to mobility of space and aerial platforms, as well as random time-varying channels in underwater and maritime propagation media. Developing PLS is more challenging for RIS-assisted non-terrestrial networks, as it requires accurate channel estimation. Accordingly, further research on the role of intelligent signal processing and data-driven techniques such as DL, FL and RL would be needed for an accurate channel estimation in dynamic non-terrestrial networks.

D. DIGITAL TWIN
An important candidate for bridging the connection gap between digital systems and physical spaces is the digital twin, which involves the construction of digital replicas of physical units (e.g., physical objects, machines, devices, etc.) at the server based on their real-time running status and historical data [170]. A digital twin can facilitate reliable communication and real-time interactions between physical entities and digital space, thus leading to the operation optimization of physical systems. Although RIS is a key technology for 6G, an important challenge that remains is the optimal configuration of a large number of RIS elements. A digital-twin framework for RIS-enabled 6G wireless networks can allow for an optimally controlled automation at different granularities [171]. Digital-twin technology can also be used for the development of a practical RIS solution ensuring an improved security, privacy, and overall performance of RIS-assisted 6G systems. Accordingly, the RISs controller can be trained in a virtual environment under different attack scenarios to find out how to counter those attacks to ensure secure and stable communication between LUs.

E. SOFTWARE-DEFINED NETWORKING AND NETWORK FUNCTION VIRTUALIZATION
RIS-assisted 6G systems can unify the concepts of artificial intelligence, network function virtualization, and software-defined networking in a complex environment to not just provide the requisite services, but, most importantly, to ensure end-to-end network security [172]. Using AI to proactively detect threats and initiate the transfer of security functions throughout the RIS-assisted network, programmable interfaces may allow for the deployment of security functions, similar to virtualized network functions (VNFs), in a virtual environment using AI.

F. MULTI AGENT REINFORCEMENT LEARNING
Several recent studies have used reinforcement learning (RL) to achieve smart beamforming at the base station against eavesdroppers in complicated scenarios [2], [3], [173], [174]. However, RIS-assisted secure systems require the optimization of the BS's transmitting beamforming and the RIS's reflecting beamforming. Considering an imperfect CSI and multiple eavesdroppers, neither DRL nor RL has been explored for the optimization of the aforementioned two types of beamforming. In a recent study on an RIS-enabled secure communication system, Yang et al. [175] proposed a novel DRL-based secure beamforming strategy to maximize the secrecy rate of the system in the presence of multiple eavesdroppers while considering the LU's QoS requirements. This approach yielded promising results that pave a path for further research on the adoption of multi-agent RL to achieve improved secrecy rates in RIS-aided 6G communication systems.

G. QUANTUM COMMUNICATION
Another promising communication technology for 6G networks that can considerably improve the reliability and security of data transmission is quantum communication. An attacker's attempts to eavesdrop or replicate something in quantum communication results in an evident impact on the quantum state, so the recipient instantly becomes aware of the attacker's interference [176].
Theoretically, quantum communication can offer high-level security for long-distance communications [177]. However, not all privacy and security problems can be solved using quantum communication. Despite substantial developments in implementing quantum cryptography, several major challenges in the materialization of long-distance quantum communications operation remain, such as errors and fiber attenuation. In this respect, Hu et al. [178] speculated that different innovative techniques and varied quantum encryption modes, such as quantum dense coding, quantum teleportation, quantum secure direct communication, quantum secret sharing, quantum key distribution, among others, might be required to ensure secure quantum communication. In another recent study, several quantum schemes that employ quantum key distribution models to protect key security were elaborated [179]. Incorporation of quantum technology in RIS-assisted 6G networks can also elevate the quality of communication to a level unattainable for conventional communication systems. However, research in this area is currently in its infancy, and plenty of work needs to be done.

H. PHYSICAL LAYER SECURITY
Security procedures embedded across different network layers might be jointly used to implement redundant protection. The evolving 6G technology can leverage PLS mechanisms to provide an additional protection layer in RIS-assisted systems with regard to novel enabling technologies. A budding technology for 6G in the healthcare domain is molecular communication. The main concept behind molecular communication involves the use of biochemical signals to transmit information [162]. Molecular communication handles very sensitive data with various privacy and security challenges associated with the encryption, authentication, and communication processes, which makes it indispensable to increase security of this technology. However, while several studies have identified key directions for secure molecular communication [180], [181], in order to achieve the results that the existing systems cannot offer, intensive research is needed to develop practical molecular communication schemes for RIS-assisted 6G networks.
Among the leading technologies for improving security in RIS-assisted 6G networks are THz communications (1 GHz - 10 THz). This frequency band is associated with an increase in the transmitted signals' directionality, which enables the confinement of illegitimate users on the similar constricted route of LUs for the signal interception and thus improves the physical layer security. Yet, vulnerabilities of THz communications include data transmission exposure, malicious behavior, and access control attacks. Accordingly, in order to secure THz transmissions, novel PLS solutions, such as the employment of devices at THz frequencies and electromagnetic signature of materials for authentication mechanisms, are needed [3], [182].

I. MEASURES AGAINST ILLEGAL RECONFIGURABLE INTELLIGENT SURFACES
In order to safeguard 6G communication against IRIS-based attacks, several open research challenges need to be addressed. Some of these challenges include (1) passive jamming where an IRIS might be employed directly in authorized systems as a passive jammer to silently affect the PLS [124]; and (2) hybrid interference/leakage attack that is volatile and may result in catastrophic threats to PLS. What worsens the situation is that the traditional beamforming and channel estimation become non-functional under such attack.
Although AN technology has demonstrated significant results in countering IRIS-based threats [51], the impact of IRIS can be considerably stronger for the complex 6G systems. Therefore, preventing illegal deployment of RISs requires more powerful and effective countermeasures. Several potential directions include random phase-shift keying symbols-based detection mechanisms, angle-of-arrival-based detection schemes, and so on. One more solution is the adoption of DRL, which is particularly useful for systems with time-varying and uncertain channels. In the DRL architecture, a decision to enhance the system's performance is made based only on the CSI of legitimate links and the current secrecy rate. If a proper learning strategy and valid neural networks are implemented, the CSI of illegal links may not be necessary for attaining optimum phase shifts configuration and beamforming policy. Yet another emerging technology for combating IRIS-aided attacks is using cooperative nodes that broadcast a joint orthogonal pilot sequence at UL channel estimation, which then mutually tries to reduce pilot contamination within the network.

VI. CONCLUSION
Privacy and security are key performance indicators of a wireless system. The enhanced Internet access of future wireless networks will massively connect those networks with heterogeneous networks of terrestrial nodes, satellites, physical and virtual telecom networks, enterprises, and so forth. In recent years, RIS has emerged as a key enabler technology for 6G, showing promising results in enhancing the overall security and privacy of wireless systems. However, RIS remains vulnerable to different security threats, and its use may result in detrimental interferences to wireless communications. This makes RIS a noteworthy example of how novel technologies can bring a shift in attack taxonomies, as previously complicated attacks become tractable. To date, exploitation of RIS as a malicious tool to attack wireless communication systems has not been sufficiently investigated in the literature. In this study, we analyzed unavoidable security threats to 6G networks arising from the illegal deployment and malicious use of RISs and, based on the results, identified open research challenges and potential future directions in this area. Accordingly, this study may serve as an important reference for future research on 6G security, in general, and RIS-aided 6G systems, in particular.

ACKNOWLEDGMENT
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of the Ministry of Education, Singapore.