Recent research has exposed a critical threat to AI models’ confidentiality. A new side-channel attack method called “TPUXtract” enables attackers to steal AI models by analyzing electromagnetic (EM) signals emitted by Tensor Processing Units (TPUs). This discovery, made by researchers at North Carolina State University (NCSU), highlights significant risks for AI developers, including intellectual property (IP) theft and potential cyberattacks.
What is TPUXtract?
TPUXtract is a side-channel attack method that can infer the hyperparameters of a convolutional neural network (CNN) with remarkable accuracy—99.91%—by measuring EM signals from a TPU. Hyperparameters define the structure and behavior of a neural network, making them essential for recreating AI models. By extracting these hyperparameters, an attacker can reconstruct the entire AI model and, in some cases, even derive the data used to train it.
How the Attack Works:
The researchers demonstrated TPUXtract on a Google Coral Dev Board, which includes an Edge TPU for executing machine learning (ML) tasks on smaller, edge devices. Here’s a step-by-step breakdown of how TPUXtract functions:
- EM Signal Analysis: The TPU, like any electronic device, emits electromagnetic radiation during operation. The researchers placed an EM probe directly on the TPU to capture these signals.
- Quantization Detection: The network quantizes (compresses) its input data before processing it. The EM signal spikes when this computation begins, which marks the starting point for analysis.
- Layer-by-Layer Reconstruction: Neural networks consist of multiple layers, each with its own configuration (hyperparameters). Instead of analyzing all layers at once—an impractical task—the researchers analyzed each layer individually by creating “templates” of possible configurations and matching them to the observed EM signals.
- Template Matching: For each layer, they generated thousands of possible hyperparameter combinations, compared these templates to the recorded EM signals, and identified the closest match. This iterative process allowed them to reconstruct networks with up to 242 layers within a single day.
TPUXtract threatens intellectual property (IP) by allowing attackers to steal and replicate AI models, bypassing the significant resources required to develop them. Competitors could recreate models like ChatGPT without costly infrastructure or training.
Beyond IP theft, TPUXtract exposes cybersecurity risks by revealing an AI model’s structure, which can help identify vulnerabilities and enable cyberattacks. It may also expose sensitive data, putting industries like healthcare, automotive, and IoT at risk.
That said, the attack is complex and requires specialized equipment, including a Riscure EM Probe Station, high-sensitivity probes, and a Picoscope oscilloscope. Because of these technical and financial requirements, only well-funded groups, such as corporate competitors or state-sponsored actors, are likely to carry it out.
Defensive Measures Against TPUXtract:
Protecting AI models from side-channel attacks like TPUXtract is challenging but not impossible. The researchers propose several mitigation techniques:
- Introduce random “dummy operations” during inference to mask EM signals.
- Randomly reorder the sequence of layers during processing to confuse analysis.
- Run random operations alongside actual computations to obscure the EM signature.
- Future TPUs could incorporate shielding or hardware-level obfuscation to prevent EM leakage.
Implementing these measures requires collaboration between AI developers and hardware manufacturers to ensure robust defenses against side-channel attacks.
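To make the template-matching step and the “dummy operations” countermeasure concrete, the Python below is an added illustration, not code from the NCSU paper or from this article. It is a toy simulation: the “EM traces” are synthetic lists of floats, the emission model (one low weight-fetch sample followed by kernel×kernel compute samples per filter, with amplitude growing with kernel size) is an assumption, and the candidate hyperparameter space, noise level and dummy-burst shapes are constructed for the demo. It scores every candidate layer configuration against a noisy trace, picks the closest template, and then splices in dummy bursts shaped like real filter computations to show how that inflates the distance of the genuine template, which is the effect the first and third mitigations above rely on.

```python
"""Toy simulation of per-layer EM template matching and the dummy-operation
countermeasure.  Everything here is constructed for illustration: traces are
synthetic floats, not probe captures, and the emission model is an assumption,
not the Edge TPU's real behaviour."""
import random

# Candidate hyperparameter space the matcher searches for one conv layer:
# (kernel_size, filter_count).  Constructed list, kept small for the demo.
CANDIDATES = [(k, f) for k in (1, 2, 3, 5) for f in (4, 8, 16, 32)]


def layer_template(kernel, filters):
    """Synthetic EM template for one conv layer under the assumed model:
    per filter, one low 'weight fetch' sample, then kernel*kernel compute
    samples whose amplitude grows with the kernel size."""
    burst = [0.2] + [1.0 + 0.1 * kernel] * (kernel * kernel)
    return burst * filters


def observe(kernel, filters, rng, noise=0.05):
    """Constructed 'measurement': the true template plus uniform noise."""
    return [v + rng.uniform(-noise, noise) for v in layer_template(kernel, filters)]


def distance(template, trace):
    """Squared Euclidean distance, zero-padding the shorter signal so that a
    wrong layer length is penalised as well as a wrong shape."""
    n = max(len(template), len(trace))
    t = template + [0.0] * (n - len(template))
    o = trace + [0.0] * (n - len(trace))
    return sum((a - b) ** 2 for a, b in zip(t, o))


def identify_layer(trace):
    """Template matching: score every candidate configuration and return
    (best_config, best_distance, runner_up_distance).  The gap between the two
    distances is the matcher's confidence margin."""
    scored = sorted((distance(layer_template(k, f), trace), (k, f)) for k, f in CANDIDATES)
    return scored[0][1], scored[0][0], scored[1][0]


def add_dummy_operations(trace, rng, count=3):
    """Countermeasure: splice in `count` bursts shaped exactly like genuine
    filter computations (random kernel size) at random offsets.  The real work
    is untouched; only the timing and shape of the emission are masked."""
    out = list(trace)
    for _ in range(count):
        k = rng.choice((1, 2, 3, 5))
        dummy = [0.2] + [1.0 + 0.1 * k] * (k * k)
        pos = rng.randrange(len(out) + 1)
        out[pos:pos] = dummy
    return out


def run_demo(seed=7, true_config=(3, 8)):
    """Match a clean trace, then the same trace with dummy operations added,
    and report how far the true template is from each."""
    rng = random.Random(seed)
    clean = observe(*true_config, rng)
    guess, best, runner_up = identify_layer(clean)
    masked = add_dummy_operations(clean, rng)
    guess_m, best_m, runner_up_m = identify_layer(masked)
    true_t = layer_template(*true_config)
    return {
        "clean_guess": guess,
        "clean_best": best,
        "clean_margin": runner_up - best,
        "masked_guess": guess_m,
        "masked_best": best_m,
        "masked_margin": runner_up_m - best_m,
        "true_dist_clean": distance(true_t, clean),
        "true_dist_masked": distance(true_t, masked),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

On the clean trace the true configuration (3, 8) wins by a wide margin because every other candidate either has the wrong length or puts its weight-fetch dips in the wrong places. After dummy bursts are spliced in, the genuine template no longer lines up with the trace, so its distance jumps; a real deployment would randomise the dummy count and placement per inference so that averaging many captures does not recover the original alignment.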
Conclusion:
TPUXtract represents a significant advancement in side-channel attacks, highlighting the evolving threats facing AI security. As AI models become more valuable, protecting them from theft and cyberattacks is paramount. Organizations must stay ahead by adopting defensive techniques, investing in secure hardware, and being aware of emerging threats. Failing to do so risks losing not just intellectual property but also the trust and security of their users.