Electromagnetic emissions from AI chips could be exploited to steal valuable AI models, according to new research from North Carolina State University. This novel technique, detailed in a recent paper, raises significant security concerns for AI developers and users. The researchers demonstrated the feasibility of their method using an electromagnetic probe, publicly available AI models, and a Google Edge Tensor Processing Unit (TPU).
The process involves analyzing the electromagnetic radiation emitted while the TPU chip processes data. This “electromagnetic signature,” as described by lead author and NC State Ph.D. student Ashley Kurian, reveals critical information about the model’s operation. Building and training a neural network is a costly and time-consuming endeavor, representing significant intellectual property. Stealing a model like ChatGPT, with its billions of parameters, circumvents these investments and poses a serious threat to AI companies.
This type of AI theft differs from the prevalent concern of copyright infringement, where AI models are trained on copyrighted material without permission. While that issue has led to lawsuits and countermeasures from artists, this new threat focuses on the theft of the model itself.
Deciphering the model’s hyperparameters, including its architecture and the details that define each layer, is the most challenging part of the technique. The researchers achieved this by comparing the captured electromagnetic data with data collected from running other, known AI models on the same chip. This comparison allowed them to identify the target model’s architecture and layer details with an accuracy of 99.91%. Crucially, the research required physical access to the chip, both to place the probe and to run the comparison models, and was conducted in collaboration with Google to assess the vulnerability of its TPUs.
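To make the comparison step concrete, here is an added toy example (not code from the NC State paper or from Google) that labels each segment of a trace with the reference layer type whose signature it correlates with best, and then shows how injected noise degrades the match. Everything in it is constructed: the per-layer signatures, the segment length, and the traces.

```python
import random

# Constructed stand-ins for per-layer EM "signatures": each list is a short run
# of amplitude samples captured while one layer type runs on the accelerator.
# The shapes are made up for illustration (not measured TPU data).
REFERENCE = {
    "conv":  [0.1, 0.9, 0.9, 0.9, 0.1, 0.1, 0.9, 0.9, 0.9, 0.1],
    "dense": [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0],
    "pool":  [0.9, 0.1, 0.9, 0.1, 0.9, 0.1, 0.9, 0.1, 0.9, 0.1],
}
SEG_LEN = 10  # samples per layer in this toy model (an assumption)


def pearson(a, b):
    """Pearson correlation of two equal-length sample lists (0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0


def simulate_trace(layers, noise_sd, rng):
    """Emit a trace for a known architecture: reference shapes plus Gaussian noise."""
    return [s + rng.gauss(0.0, noise_sd) for name in layers for s in REFERENCE[name]]


def recover_architecture(trace):
    """Label each segment with the reference layer whose signature correlates best."""
    labels = []
    for i in range(0, len(trace) - SEG_LEN + 1, SEG_LEN):
        seg = trace[i:i + SEG_LEN]
        labels.append(max(REFERENCE, key=lambda name: pearson(seg, REFERENCE[name])))
    return labels


def matching_accuracy(layers, noise_sd, seed=1):
    """Fraction of layers labelled correctly when the trace carries this much noise."""
    trace = simulate_trace(layers, noise_sd, random.Random(seed))
    guess = recover_architecture(trace)
    return sum(g == t for g, t in zip(guess, layers)) / len(layers)


if __name__ == "__main__":
    arch = ["conv", "pool", "conv", "pool", "dense", "dense"]
    for sd in (0.05, 0.5, 5.0):
        print(f"noise sd={sd}: accuracy={matching_accuracy(arch, sd):.2f}")
```

The falling accuracy at higher noise levels is the point a defender cares about: the match works only because plaintext inference on an unshielded chip produces a stable, repeatable signature per layer.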
While Kurian suggests that this technique could in principle be applied to smartphones, the compact design of those devices would make monitoring their electromagnetic signals more difficult. The implications of this research extend beyond TPUs. Mehmet Sencan, a security researcher at the AI standards nonprofit Atlas Computing, notes that while side-channel attacks on edge devices are not new, the ability to extract an entire model’s architecture hyperparameters is significant. Because AI hardware performs inference in plaintext, any model deployed on an unsecured edge device or server is potentially exposed to this type of attack.
This research underscores the need for enhanced security measures to protect AI models from electromagnetic eavesdropping. As AI models become increasingly valuable, safeguarding them from such attacks will be paramount.