This novel AI attack extracts models without interacting with the system.

      A side-channel attack can remotely reconstruct AI models by utilizing leaked signals.

      AI systems have traditionally been regarded as secure black boxes, particularly in fields such as facial recognition and autonomous driving. However, recent findings indicate that this presumed protection may be weaker than previously thought.

      A research team from KAIST has demonstrated that AI systems can be reverse engineered from a distance by capturing emissions that occur during normal operations, without any form of direct intrusion. Instead, this method relies on passive listening.

      Using a small antenna, the researchers detected faint electromagnetic emissions from GPUs and were able to reconstruct the system's design. While it may sound like a method from a heist movie, the findings are credible, and the security ramifications are significant.

      Understanding the side channel's operation

      The system, termed ModelSpy, gathers electromagnetic output generated by GPUs processing AI tasks. These emissions are subtle but reveal patterns associated with the architecture's arrangement.

      AI model configurations can be extracted from a distance using an antenna concealed in a bag, as noted in a paper presented by Jun Han et al. at the NDSS Symposium 2026.

      By examining these patterns, the researchers deduced essential information, including the arrangement of layers and parameter selections. Their tests showed that fundamental structures could be recognized with an accuracy of up to 97.6 percent.

      What makes this alarming is the device's setup. The antenna can fit inside a bag and does not require physical access. It successfully operated from as far as six meters away, even penetrating walls, across various GPU types. The very act of computation becomes a channel, revealing the system's design without any conventional breach.

      Implications for AI security

      This development shifts the landscape of AI security into more uncharted waters. Most protective measures have concentrated on software vulnerabilities or network access. ModelSpy, however, focuses on the physical byproducts of computational processes.

      Even isolated systems could potentially expose sensitive information if hardware emissions are not properly managed. For organizations, this architecture often constitutes critical intellectual property, transforming this issue into a direct business hazard.

      The work presents this as a challenging cyber-physical problem, indicating that AI protection now necessitates both digital defenses and considerations of the surrounding environment, thus raising the standards for what constitutes adequate protection.

      Current defense strategies

      The research team also proposed strategies for minimizing risks, such as introducing electromagnetic noise and altering computation methods to obscure patterns.

      These solutions suggest a wider shift. Safeguarding AI may require modifications at the hardware level, rather than solely relying on software updates, complicating implementation for industries already entrenched in existing systems.

      This research garnered recognition at a prominent security conference, reflecting the seriousness with which this threat is regarded. Future exposures may not stem from direct infiltration but could instead arise from passively observing what systems inadvertently disclose.