Hardware Vulnerability Allows Attackers To Hack AI Training Data

NC State

Researchers from NC State University have identified the first hardware vulnerability that allows attackers to compromise the data privacy of artificial intelligence (AI) users by exploiting the physical hardware on which AI is run.

"What we've discovered is an AI privacy attack," says Joshua Kalyanapu, first author of a paper on the work and a Ph.D. student at North Carolina State University. "Security attacks refer to stealing things actually stored somewhere in a system's memory - such as stealing an AI model itself or stealing the hyperparameters of the model. That's not what we found. Privacy attacks steal stuff not actually stored on the system, such as the data used to train the model and attributes of the data input to the model. These facts are leaked through the behavior of the AI model. What we found is the first vulnerability that allows successfully attacking AI privacy via hardware."

The vulnerability is associated with "machine learning (ML) accelerators," hardware components on computer chips that increase the performance of machine-learning models in AI systems while reducing the models' power requirements. Machine learning refers to a subset of AI models that use algorithms to identify patterns in training data, then use those patterns to draw conclusions from new data.

Specifically, the vulnerability allows an attacker with access to a server that uses the ML accelerator to determine what data was used to train AI systems running on that server and to leak other private information. The vulnerability - named GATEBLEED - works by monitoring the timing of software-level functions as they execute on the hardware, which lets it bypass state-of-the-art malware detectors. The finding raises security concerns for AI users and liability concerns for AI companies.

"The goal of ML accelerators is to reduce the total cost of ownership by reducing the cost of machines that can train and run AI systems," says Samira Mirbagher Ajorpaz, corresponding author of the paper and an assistant professor of electrical and computer engineering at NC State.

"These AI accelerators are being incorporated into general-purpose CPUs used in a wide variety of computers," says Mirbagher Ajorpaz. "The idea is that these next-generation chips would be able to switch back and forth between running AI applications with on-core AI accelerators and executing general-purpose workloads on CPUs. Since this technology looks like it will be in widespread use, we wanted to investigate whether AI accelerators can create novel security vulnerabilities."

For this study, the researchers focused on Intel's Advanced Matrix Extensions, or AMX, which is an AI accelerator that was first incorporated into the 4th Generation Intel Xeon Scalable CPU.

"We found a vulnerability that effectively exploits the exact behaviors that make AI accelerators effective at speeding up the execution of AI functions while reducing energy use," says Kalyanapu.

"Chips are designed in such a way that they power up different segments of the chip depending on their usage and demand to conserve energy," says Darsh Asher, co-author of the paper and a Ph.D. student at NC State. "This phenomenon is known as power gating and is the root cause of this attack. Almost every major company implements power gating in different parts of their CPUs to gain a competitive advantage."

"The processor powers different parts of on-chip accelerators depending on usage and demand; AI algorithms and accelerators may take shortcuts when they encounter data sets on which they were trained," says Farshad Dizani, co-author of the paper and a Ph.D. student at NC State. "Powering up different parts of accelerators creates an observable timing channel for attackers. In other words, the behavior of the AI accelerator fluctuates in an identifiable way when it encounters data the AI was trained on versus data it was not trained on. These differences in timing create a novel privacy leakage for attackers who have not been granted direct access to privileged information."

"So if you plug data into a server that uses an AI accelerator to run an AI system, we can tell whether the system was trained on that data by observing fluctuations in the AI accelerator usage," says Azam Ghanbari, an author of the paper and a Ph.D. student at NC State. "And we found a way to monitor accelerator usage using a custom program that requires no permissions."

"In addition, this attack becomes more effective when the networks are deep," says Asher. "The deeper the network is, the more vulnerable it becomes to this attack."
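The mechanism described in the preceding quotes can be sketched as a simulation. The Python below is an added illustration written for this page, not the researchers' code or their measurement setup. Every constant in it (wake-up penalty, gating idle threshold, CPU work between layers, timing noise) is an assumed, illustrative value, and the "shortcut" is modelled as an early-exit network that runs fewer layers on training members. The example shows two things the quotes state: that an attacker who only times responses can separate members from non-members, and that power gating magnifies the per-layer timing difference relative to noise (the "magnifier" in the paper's title), so a difference of a couple of layers that is lost in noise on an always-on unit becomes reliably classifiable on a gated one.

```python
import random
import statistics

# Illustrative model constants (assumptions for this example, not measurements from the paper).
OP_US = 2.0          # one accelerator op while the unit is powered
WAKE_US = 30.0       # extra latency paid when a gated unit is powered back up
GATE_AFTER_US = 8.0  # idle time after which the unit power-gates itself
LAYER_GAP_US = 10.0  # CPU-side work between layers; exceeds GATE_AFTER_US, so the unit gates
NOISE_US = 15.0      # std dev of the timing noise a remote attacker sees per request


class PowerGatedUnit:
    """Accelerator unit that powers down after GATE_AFTER_US of idle time (if gating is on)."""

    def __init__(self, gating):
        self.gating = gating
        self.powered = not gating   # an ungated unit is simply always on
        self.idle_since = 0.0

    def op(self, now):
        """Issue one op at simulated time `now`; return its latency in microseconds."""
        if self.gating and self.powered and now - self.idle_since > GATE_AFTER_US:
            self.powered = False
        latency = OP_US
        if not self.powered:
            latency += WAKE_US      # the power-up penalty is the observable side channel
            self.powered = True
        self.idle_since = now + latency
        return latency


def inference_time_us(layers_run, gating, rng=None):
    """Simulated response time of an early-exit inference executing `layers_run` layers.

    With rng=None the result is noise-free, which exposes the raw timing gap."""
    unit = PowerGatedUnit(gating)
    now = 0.0
    for _ in range(layers_run):
        now += unit.op(now)         # one accelerator op per layer
        now += LAYER_GAP_US         # CPU-side work before the next layer
    return now if rng is None else now + rng.gauss(0.0, NOISE_US)


def timing_membership_attack(depth, member_exit, gating, trials=400, seed=1):
    """Timing-only membership inference against the simulated early-exit model.

    Members are modelled as exiting after `member_exit` layers; non-members run all
    `depth` layers. The attacker first times inputs whose membership it already knows
    to pick a threshold, then classifies fresh inputs. Returns the attack accuracy."""
    rng = random.Random(seed)
    cal_member = [inference_time_us(member_exit, gating, rng) for _ in range(trials)]
    cal_non = [inference_time_us(depth, gating, rng) for _ in range(trials)]
    threshold = (statistics.mean(cal_member) + statistics.mean(cal_non)) / 2
    correct = 0
    for _ in range(trials):
        correct += inference_time_us(member_exit, gating, rng) < threshold
        correct += inference_time_us(depth, gating, rng) >= threshold
    return correct / (2 * trials)


if __name__ == "__main__":
    for gating in (False, True):
        gap = inference_time_us(8, gating) - inference_time_us(6, gating)
        acc = timing_membership_attack(depth=8, member_exit=6, gating=gating)
        print(f"gating={gating}: raw timing gap {gap:.0f} us, attack accuracy {acc:.3f}")
```

In this model the two skipped layers cost 24 us on an always-on unit (well under the assumed 15 us noise) but 84 us once every layer pays a wake-up penalty, so the same threshold classifier goes from roughly four-in-five to near-perfect accuracy. The leaked signal scales with the number of layers a member skips, which is the simulated counterpart of the observation above that deeper networks are more exposed; the real attack's probing program and measured latencies are not reproduced here.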

"And traditional approaches to defend against attacks don't appear to work as well against this vulnerability, because other attacks rely on outputs from the model or reading power consumption," says Mirbagher Ajorpaz. "GATEBLEED does neither.

"Rather, GATEBLEED is the first vulnerability to exploit hardware to leak user data privacy by leveraging the interaction between AI execution and accelerator power-gating states," Mirbagher Ajorpaz says. "Unlike software vulnerabilities, hardware flaws cannot simply be patched with an update. Effective mitigation requires hardware redesign, which takes years to propagate into new CPUs. In the meantime, microcode updates or operating system (OS)-level defenses impose heavy performance slowdowns or increased power consumption, both of which are unacceptable in production AI deployments.

"Moreover, because hardware sits beneath the OS, hypervisor, and application stack, a hardware attack like GATEBLEED can undermine all higher-level privacy guarantees - regardless of encryption, sandboxing, or privilege separation," Mirbagher Ajorpaz says. "Hardware vulnerabilities thus open a fundamentally new channel for AI user data privacy leakage and it bypasses all existing defenses designed for AI inference attacks."

The ability to identify the data an AI system was trained on raises a number of concerns for both AI users and AI companies.

"For one thing, if you know what data an AI system was trained on, this opens the door to a range of adversarial attacks and other security concerns," Mirbagher Ajorpaz says. "In addition, this could also create liability for companies if the vulnerability is used to demonstrate that a company trained its systems on data it did not have the right to use."

The vulnerability can also be used to give attackers additional information about how an AI system was trained.

"Mixtures of Experts (MoEs), where AI systems draw on multiple networks called 'experts,' are becoming the next AI architecture - especially with new natural language processing models," Mirbagher Ajorpaz says. "The fact that GATEBLEED reveals which experts responded to the user query means that this vulnerability leaks sensitive private information. GATEBLEED shows for the first time that MoE execution can leave a footprint in hardware that can be extracted. We found a dozen such vulnerabilities on the deployed and popular AI codes and modern AI agent designs across popular machine-learning libraries used by a variety of AI systems (HuggingFace, PyTorch, TensorFlow, etc.). This raises concerns regarding the extent to which hardware design decisions can affect our everyday privacy, particularly with more and more AI applications and AI agents being deployed.

"The work in this paper is a proof-of-concept finding, demonstrating that this sort of vulnerability is real and can be exploited even if you do not have physical access to the server," Mirbagher Ajorpaz says. "And our findings suggest that, now that we know what to look for, it would be possible to find many similar vulnerabilities. The next step is to identify solutions that will help us address these vulnerabilities without sacrificing the benefits associated with AI accelerators."

The paper, "GATEBLEED: A Timing-Only Membership Inference Attack, MoE-Routing Inference, and a Stealthy, Generic Magnifier Via Hardware Power Gating in AI Accelerators," will be presented at the IEEE/ACM International Symposium on Microarchitecture (MICRO 2025), being held Oct. 18-22 in Seoul, South Korea. The paper was co-authored by Darsh Asher, Farshad Dizani, and Azam Ghanbari, all of whom are Ph.D. students at NC State; Aydin Aysu, an associate professor of electrical and computer engineering at NC State; and Rosario Cammarota of Intel.

This work was done with support from Semiconductor Research Corporation, under contract #2025-HW-3306, and from Intel Labs.
