A team of computer scientists at North Carolina State University has unveiled a groundbreaking method to replicate artificial intelligence (AI) models running on Google’s Edge Tensor Processing Units (TPUs). These TPUs, commonly found in Google Pixel devices and third-party machine learning accelerators, may now pose significant security concerns for developers and companies relying on their robustness.

The researchers, including Ashley Kurian, Anuj Dubey, Ferhat Yaman, and Aydin Aysu, devised a sophisticated side-channel attack that analyzes electromagnetic (EM) signals emitted during AI model inference. By studying these signals, they successfully extracted hyperparameters of neural networks running on TPUs. The details of their work are published in the paper titled *”TPUXtract: An Exhaustive Hyperparameter Extraction Framework.”

The Bigger Picture

This research represents the first comprehensive hyperparameter extraction targeting Google’s Edge TPU. Unlike earlier limited hyperparameter attacks, this approach not only achieves high accuracy but also efficiently rebuilds the functionality of original AI models.

The researchers conducted their experiments on the Coral Dev Board, a device equipped with a Google Edge TPU that lacks memory encryption. They emphasized that attackers require physical access to the device and familiarity with its software environment, such as TensorFlow Lite for Edge TPU. However, detailed knowledge of the TPU’s architecture or instruction set is unnecessary.

How the Attack Works

In machine learning, hyperparameters control the model’s training process, influencing aspects like learning rate, batch size, and pool size. These are distinct from model parameters, which are internal values such as weights that the model learns during training. By obtaining both sets of data, attackers can recreate proprietary AI models at a fraction of the original cost. This development raises serious concerns for organizations investing billions in AI innovation.

The attack proceeds as follows:

1. Capturing EM Emissions: Using specialized equipment, including Riscure icWaves Transceiver, High Sensitivity EM probes, and PicoScope Oscilloscopes, the team captured electromagnetic signals generated during inference.
2. Analyzing Layer Information: Extracted data was processed through a custom framework to sequentially uncover the hyperparameters of each neural network layer. This method bypasses brute-force techniques, which are often slow and yield incomplete results.
3. Reconstructing the Model: With the architecture and layer details in hand, the researchers successfully recreated functional surrogates of the original AI models. The accuracy achieved was as high as 99.91%. Tested models included MobileNet V3, Inception V3, and ResNet-50, ranging from 28 to 242 layers.

Efficiency and Testing

The process was tested on several complex models, with each layer’s hyperparameters extracted in about three hours. This efficiency makes the method practical for high-stakes scenarios. The results demonstrate that even in black-box settings—where the internal workings of the model are hidden—adversaries can reverse-engineer hyperparameters by observing electromagnetic emanations.

Implications for AI Security

The NC State team’s findings highlight a growing threat to AI security. With AI accelerators becoming increasingly common in consumer and enterprise environments, the potential for model-stealing attacks raises critical questions about existing security protocols.

Industry Response

Google has been briefed on these findings but has opted not to comment publicly. Experts suggest that the lack of memory encryption on devices like the Coral Dev Board plays a key role in enabling such attacks. Enhanced security measures, such as EM shielding and memory encryption, may be necessary in future hardware iterations to mitigate these vulnerabilities.

Recommendations for Mitigation

To counteract such threats, researchers and industry experts recommend the following measures:

• Memory Encryption: Encrypting data in memory to prevent unauthorized access.
• EM Shielding: Reducing electromagnetic emissions to make side-channel attacks more difficult.
• Obfuscation Techniques: Complicating model structures to discourage reconstruction attempts.

As AI technologies continue to advance, safeguarding these systems will become more urgent. The work by Kurian, Dubey, Yaman, and Aysu sheds light on an emerging challenge in AI cybersecurity, calling for proactive solutions to protect proprietary technologies from exploitation.