Palm recognition has emerged as a dominant biometric authentication technology in critical infrastructure. These systems utilize palm-related biometric features, including palmprint and palmvein data, either individually in a single-modal setting or jointly in a dual-modal. Despite the different forms, they all employ similar hardware architectures that inadvertently emit electromagnetic (EM) signals during operation. Our research reveals that these EM emissions leak palm biometric information, motivating us to develop EMPalm - an attack framework that covertly recovers both palmprint and palmvein images from eavesdropped EM signals. Specifically, we first separate the interleaved transmissions of the visible (palmprint) and NIR (palmvein) modalities, identify the informative frequency bands of each modality, and then combine these bands to reconstruct the corresponding images. To overcome the strong noise and distortions inherent in side-channel acquisition, we further employ a diffusion model to restore fine-grained biometric features. Evaluations on seven prototype and three commercial palm acquisition devices show that EMPalm can recover biometric information from real human palms with high visual fidelity, achieving Structural Similarity Index Measure (SSIM) scores up to 0.79, Peak Signal-to-Noise Ratio (PSNR) up to 29.88 dB, and Fréchet Inception Distance (FID) scores as low as 6.82 across all tested devices. Compared with the best state-of-the-art method, which can only reconstruct palm-vein images, EMPalm improves overall reconstruction fidelity by 33% and uniquely supports high-quality recovery for both palmprint and palm-vein modalities. To assess the practical implications of the attack, we further evaluate the recovered palm images against four state-of-the-art palm recognition models through real-time experiments, achieving a model-wise average spoofing success rate of 65.30%.
