A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

As extra firms ramp up improvement of synthetic intelligence techniques, they’re more and more turning to graphics processing unit (GPU) chips for the computing energy they should run giant language fashions (LLMs) and to crunch knowledge rapidly at huge scale. Between online game processing and AI, demand for GPUs has by no means been larger, and chipmakers are dashing to bolster provide. In new findings launched at present, although, researchers are highlighting a vulnerability in a number of manufacturers and fashions of mainstream GPUs—together with Apple, Qualcomm, and AMD chips—that would enable an attacker to steal giant portions of information from a GPU’s reminiscence.

The silicon business has spent years refining the safety of central processing models, or CPUs, so that they don’t leak knowledge in reminiscence even when they’re constructed to optimize for pace. However, since GPUs had been designed for uncooked graphics processing energy, they haven’t been architected to the identical diploma with knowledge privateness as a precedence. As generative AI and different machine studying purposes develop the makes use of of those chips, although, researchers from New York–primarily based safety agency Trail of Bits say that vulnerabilities in GPUs are an more and more pressing concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine studying assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers name LeftoverLocals, attackers would want to have already got established some quantity of working system entry on a goal’s gadget. Modern computer systems and servers are particularly designed to silo knowledge so a number of customers can share the identical processing assets with out with the ability to entry every others’ knowledge. But a LeftoverLocals assault breaks down these partitions. Exploiting the vulnerability would enable a hacker to exfiltrate knowledge they shouldn’t have the ability to entry from the native reminiscence of susceptible GPUs, exposing no matter knowledge occurs to be there for the taking, which might embrace queries and responses generated by LLMs in addition to the weights driving the response.

In their proof of idea, as seen within the GIF under, the researchers display an assault the place a goal—proven on the left—asks the open supply LLM Llama.cpp to supply particulars about WIRED journal. Within seconds, the attacker’s gadget—proven on the suitable—collects the vast majority of the response offered by the LLM by finishing up a LeftoverLocals assault on susceptible GPU reminiscence. The assault program the researchers created makes use of lower than 10 traces of code.

An attacker (proper) exploits the LeftoverLocals vulnerability to take heed to LLM conversationsVideo: Trail of Bits

Last summer time, the researchers examined 11 chips from seven GPU makers and a number of corresponding programming frameworks. They discovered the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a requirements physique targeted on 3D graphics, machine studying, and digital and augmented actuality.

The researchers didn’t discover proof that Nvidia, Intel, or Arm GPUs include the LeftoverLocals vulnerability, however Apple, Qualcomm, and AMD all confirmed to WIRED that they’re impacted. This signifies that well-known chips just like the AMD Radeon RX 7900 XT and gadgets like Apple’s iPhone 12 Pro and M2 MacBook Air are susceptible. The researchers didn’t discover the flaw within the Imagination GPUs they examined, however others could also be susceptible.

An Apple spokesperson acknowledged LeftoverLocals and famous that the corporate shipped fixes with its newest M3 and A17 processors, which it unveiled on the finish of 2023. This signifies that the vulnerability is seemingly nonetheless current in thousands and thousands of current iPhones, iPads, and MacBooks that depend upon earlier generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a variety of Apple gadgets. They discovered that Apple’s M2 MacBook Air was nonetheless susceptible, however the iPad Air third era A12 appeared to have been patched.