Scientists Decode Google Edge TPU AI Models Using Electromagnetic Attacks | Best free generative ai tools | | Generative ai in finance pdf | Turtles AI

Researchers at North Carolina State University have developed a novel technique to copy AI models running on Google’s Edge TPU, using electromagnetic measurements to extract important hyperparameters. The study highlights new vulnerabilities in machine learning accelerators.

Key Points:

• Breakthrough Technique: First method to fully extract hyperparameters from Google’s Edge TPU.
• Electromagnetic Emanations: Precise measurements reveal critical information about the AI ​​model during inference.
• Security Implications: Demonstrated vulnerability of commercial accelerators in real-world scenarios.
• Efficiency: Process with 99.91% accuracy and layer-by-layer precision.

A team of researchers from North Carolina State University has made a major breakthrough in studying AI model vulnerabilities by developing a technique that can completely extract the hyperparameters used by Google’s Edge TPUs. The hardware, which is widely used in Google Pixel phones and other machine learning devices, has been subjected to a sophisticated analysis based on its electromagnetic emanations. The new attack, called “TPUXtract” in the academic paper detailing it, uses a novel combination of physical observations and technical inferences to reproduce AI models that are nearly identical to the originals.

Hyperparameters, which are values ​​defined before a model is trained, such as the learning rate or batch size, are critical to the effectiveness of the model. Unlike parameters learned during training, these represent a sort of blueprint that, when combined with other extraction techniques, allows expensive models to be replicated without having to go through the costly training phase. The researchers demonstrated that such an attack, once completed, allows them to build a high-fidelity “surrogate” model, successfully reproducing key features of the original AI.

The process uses detailed electromagnetic measurements during inference, taken with specialized equipment such as Riscure’s highly sensitive EM probe and a PicoScope oscilloscope. Testing was conducted on a Coral Dev Board, a hardware platform that includes Google’s Edge TPU, which the researchers chose because it lacks memory encryption. While knowledge of the software environment (e.g., TensorFlow Lite) was helpful, the researchers stressed that they did not need information about the hardware architecture or the instruction set of the TPU itself.

The heart of the approach lies in its ability to extract hyperparameters layer-by-layer, overcoming the limitations of previous brute force attacks that were impractical and incomplete. The methodology they developed provides near-total coverage, allowing them to reproduce the model with 99.91% accuracy. The trials included popular models such as MobileNet V3, Inception V3, and ResNet-50, each with 28 to 242 layers, and averaged three hours of work per layer.

The published paper highlights that this type of attack could pose a serious threat to AI developers, who invest heavily in building advanced and innovative models. The findings also raise questions about the security of commercial hardware accelerators and their ability to protect neural networks in real-world scenarios, especially given the lack of adequate countermeasures against electromagnetic attacks.

Google, informed of the study’s findings, chose not to comment. However, the vulnerability of the Coral Dev Board, related to the lack of memory encryption, highlights the need for greater attention to security in AI hardware implementations. The researchers conclude that electromagnetic analysis is a critical area to address in order to protect AI models deployed in industrial and commercial environments.

A better understanding of these vulnerabilities may guide the development of effective mitigation strategies.