
NC State Researchers Unveil AI Model Stealing Method for Google Edge TPUs | Image Source: www.theregister.com
RALEIGH, N.C., 20 December 2024 – Researchers at North Carolina State University have developed a novel technique for stealing AI models running on Google Edge Tensor Processing Units (TPUs). The disclosure raises significant concerns for the AI industry, as the method allows attackers to reproduce high-fidelity AI models at a fraction of the cost of their original development. According to The Register, the attack exploits side-channel techniques that analyze the TPU's electromagnetic emissions during inference.
Understanding the attack
The attack, detailed in a paper titled "TPUXtract: An Exhaustive Hyperparameter Extraction Framework", was carried out by researchers Ashley Kurian, Anuj Dubey, Ferhat Yaman and Aydin Aysu. It focuses on extracting AI hyperparameters: pre-training settings such as learning rate, batch size, and pool size that shape how a model is trained. Unlike model parameters (e.g., weights), which are learned during training, hyperparameters are configuration values fixed in advance. The researchers claim their method is the first comprehensive extraction framework for the Google Edge TPU, a specialized accelerator deployed in Google Pixel phones and third-party machine learning devices.
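For readers unfamiliar with the distinction, the short sketch below (written for this article, not code from the paper) shows where hyperparameters such as learning rate, batch size, and pool size sit relative to the weights a model learns during training.

```python
# Minimal illustration of the distinction the researchers draw:
# hyperparameters are chosen before training, parameters (weights) are learned during it.
import tensorflow as tf

# Hyperparameters: fixed ahead of time by the model's designer.
LEARNING_RATE = 1e-3   # how aggressively weights are updated
BATCH_SIZE = 32        # samples processed per gradient step (passed to model.fit)
POOL_SIZE = 2          # spatial extent of each pooling window

model = tf.keras.Sequential([
    tf.keras.layers.Conv2D(16, kernel_size=3, activation="relu", input_shape=(28, 28, 1)),
    tf.keras.layers.MaxPooling2D(pool_size=POOL_SIZE),
    tf.keras.layers.Flatten(),
    tf.keras.layers.Dense(10, activation="softmax"),
])

model.compile(optimizer=tf.keras.optimizers.Adam(LEARNING_RATE),
              loss="sparse_categorical_crossentropy")

# Parameters: the weights inside each layer, learned from data during training.
print(f"Learned parameters: {model.count_params()}")
```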
Methodology
According to Aysu, the attack requires physical access to the target device, such as a Coral Dev Board with a Google Edge TPU. Using electromagnetic measurement equipment, including Riscure hardware and a PicoScope oscilloscope, the team recorded emissions during model inference. These measurements were analyzed to extract the hyperparameters of each layer of the neural network sequentially, and the results were fed into the extraction framework to reconstruct a substitute model. The process outperforms brute-force approaches, yielding more accurate results in less time.
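The paper's signal-processing pipeline is not reproduced here, but the layer-by-layer matching idea can be sketched as a toy simulation; the signatures, noise model, and candidate set below are invented for illustration and merely stand in for the EM traces and template matching the researchers describe.

```python
# Toy simulation (not the researchers' code) of layer-by-layer extraction:
# each candidate layer configuration has a characteristic "signature", and the
# observed trace for each layer is matched against the candidates in turn.
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical per-layer signatures keyed by (layer type, kernel/pool size).
CANDIDATES = {
    ("conv", 3): rng.normal(size=256),
    ("conv", 5): rng.normal(size=256),
    ("pool", 2): rng.normal(size=256),
}

def match_layer(observed_trace):
    """Pick the candidate whose signature correlates best with the observed trace."""
    def score(signature):
        return abs(np.corrcoef(observed_trace, signature)[0, 1])
    return max(CANDIDATES, key=lambda key: score(CANDIDATES[key]))

# Simulate three observed layer traces: true signatures plus measurement noise.
true_layers = [("conv", 3), ("pool", 2), ("conv", 5)]
observed = [CANDIDATES[layer] + 0.3 * rng.normal(size=256) for layer in true_layers]

# Recover hyperparameters one layer at a time, as in the attack's sequential flow.
recovered = [match_layer(trace) for trace in observed]
print(recovered)   # expected to match true_layers when the noise is modest
```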
"Because we stole the architecture and layer details, we were able to recreate the high-level features of the AI," Aysu explained. "We then used that information to recreate the functional AI model, or a very close surrogate of it." The researchers achieved a remarkable 99.91% accuracy when re-creating models such as MobileNet V3, Inception V3 and ResNet-50, with each layer requiring approximately three hours of processing. These models, ranging from 28 to 242 layers, represent a diverse set of architectures used in industry and academia.
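One intuitive way to gauge how closely a reconstructed substitute tracks the original is the fraction of inputs on which the two models make the same prediction; the sketch below illustrates that idea with stock Keras models standing in for the victim and the substitute, and is not the paper's evaluation code.

```python
# Illustrative sketch: measure agreement between a "victim" model and a substitute
# by comparing their top-1 predictions on the same probe inputs.
import numpy as np
import tensorflow as tf

def prediction_agreement(original, substitute, inputs):
    """Share of inputs where both models pick the same class."""
    orig_top1 = np.argmax(original.predict(inputs, verbose=0), axis=-1)
    sub_top1 = np.argmax(substitute.predict(inputs, verbose=0), axis=-1)
    return float(np.mean(orig_top1 == sub_top1))

# Two randomly initialized MobileNetV3 instances stand in for victim and substitute;
# in the actual attack the substitute is rebuilt from EM-extracted hyperparameters.
victim = tf.keras.applications.MobileNetV3Small(weights=None)
substitute = tf.keras.applications.MobileNetV3Small(weights=None)
probe_inputs = np.random.rand(8, 224, 224, 3).astype("float32")

print(f"Top-1 agreement: {prediction_agreement(victim, substitute, probe_inputs):.2%}")
```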
Industry implications
The potential ramifications of this discovery are profound. AI models, especially those developed by large technology companies, often require millions or even billions of dollars to design and train. The ability to replicate such models seriously undermines intellectual property protection and poses risks to competitiveness. The Register reports that although parameter-stealing methods have existed before, the addition of hyperparameter theft allows attackers to create high-fidelity duplicates, posing an even greater threat.
"Our research shows that an adversary can effectively reverse-engineer the hyperparameters of a neural network by observing its EM emanations during inference, even in a black-box setting," the researchers wrote. They also noted that the absence of memory encryption in devices such as the Coral Dev Board exacerbates the vulnerability. Google, when approached for comment, acknowledged awareness of the findings but declined to provide a detailed statement.
Technical constraints and countermeasures
The attack assumes knowledge of certain deployment details, such as the target model running under TensorFlow Lite for the Edge TPU. However, it does not require detailed information about the Edge TPU's architecture or instruction set. This makes the methodology adaptable and scalable, even when the accelerator's technical details remain proprietary.
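As context for that assumption, the snippet below shows roughly what such a deployment looks like: a TensorFlow Lite model compiled for the Edge TPU and executed on a Coral board through the libedgetpu delegate. The model filename is a placeholder, and this is a generic Coral inference sketch rather than anything taken from the study.

```python
# Sketch of the deployment setup the attack assumes: a TensorFlow Lite model
# compiled for the Edge TPU, running on a Coral device with libedgetpu installed.
import numpy as np
import tflite_runtime.interpreter as tflite

# Load an Edge-TPU-compiled model via the libedgetpu delegate.
interpreter = tflite.Interpreter(
    model_path="model_edgetpu.tflite",  # placeholder filename
    experimental_delegates=[tflite.load_delegate("libedgetpu.so.1")],
)
interpreter.allocate_tensors()

input_details = interpreter.get_input_details()
output_details = interpreter.get_output_details()

# Run a single inference; it is during runs like this that the device emits
# the electromagnetic signals the researchers measured.
dummy_input = np.zeros(input_details[0]["shape"], dtype=input_details[0]["dtype"])
interpreter.set_tensor(input_details[0]["index"], dummy_input)
interpreter.invoke()
prediction = interpreter.get_tensor(output_details[0]["index"])
```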
To mitigate these vulnerabilities, the researchers suggest integrating robust memory encryption and hardware protections into AI accelerators. Improved shielding against electromagnetic emissions and secure boot mechanisms could also limit exposure to side-channel attacks. As AI becomes more deeply integrated into critical applications, including autonomous systems and healthcare, addressing these vulnerabilities will be essential to building confidence in AI technologies.
Future research directions
The NC State researchers note that this study lays the groundwork for further exploration of model security. By demonstrating the feasibility of extracting hyperparameters as well as parameters, the work opens up new avenues for investigating similar threats on other hardware platforms. The team also emphasizes the importance of fostering collaboration between hardware manufacturers and AI developers to counter emerging threats.
As AI continues to evolve, the balance between innovation and security remains delicate. Protecting intellectual property and maintaining competitive advantage will require proactive measures and ongoing vigilance. For now, the NC State findings serve as a stark reminder of the risks inherent in the rapid advancement of artificial intelligence technologies.
These findings highlight the need for academic, industry and government stakeholders to prioritize security in the deployment of artificial intelligence, especially as deployed models become increasingly mission-critical. By addressing hardware vulnerabilities and applying rigorous testing protocols, the AI community can work to maintain the integrity and reliability of its innovations.