U of T Trio Uncovers GPU Flaw Risking AI Models

A team of computer scientists at the University of Toronto recently discovered that a certain type of hardware attack is effective against graphics processing units (GPUs), the core computing engines that power today's artificial intelligence models and cloud-based machine learning services.

The researchers found that a Rowhammer attack, previously demonstrated against the DRAM (DDR memory) attached to central processing units (CPUs), is also effective against GPUs equipped with graphics double data rate (GDDR) memory. GDDR is designed for high-speed data transfer and is commonly found in graphics cards.

A successful attack on GPUs running AI models could result in "catastrophic brain damage" with model accuracy plummeting from 80 per cent to just 0.1 per cent, says Gururaj Saileshwar, an assistant professor in the department of computer science in the Faculty of Arts & Science.

Such degradation could have serious consequences for AI applications that depend on those models - from medical imaging analysis in hospitals to fraud detection systems in banks.

In a Rowhammer attack, the attacker repeatedly activates ("hammers") rows of memory cells adjacent to a victim row. The resulting electrical interference flips bits - individual ones and zeros - in the victim row even though the attacker never accesses it directly, potentially allowing them to bypass security checks or take control of a system.

"Traditionally, security has been thought of at the software layer, but we're increasingly seeing physical effects at the hardware layer that can be leveraged as vulnerabilities," says Saileshwar, who is cross-appointed to the Edward S. Rogers Sr. department of electrical and computer engineering in the Faculty of Applied Science & Engineering.

Working with second-year computer science PhD student Chris (Shaopeng) Lin and fourth-year computer science undergraduate student Joyce Qu, Saileshwar developed a proof-of-concept attack, GPUHammer, targeting the GDDR6 memory in an NVIDIA RTX A6000, a GPU widely used for high-performance computing. They discovered that a single bit flip in the exponent of one of an AI model's weights could cause a massive reduction in the model's accuracy.
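What one exponent-bit flip does to a float32 weight, as an added example that is not code from the paper or the page: the helpers below flip a chosen bit of an IEEE 754 single-precision value with Python's struct module and apply the damaged weight to a constructed three-class linear classifier (the weights, inputs and labels are made up for this illustration, not a real model). A flip in the mantissa's low bit changes the weight by parts per billion and leaves every prediction intact; a flip in the exponent's top bit inflates it to around 10^38, so that one logit dominates every input and accuracy collapses to the share of inputs that happen to belong to that class.

```python
import struct


def f32_bits(x: float) -> int:
    """IEEE 754 binary32 bit pattern of x (x is rounded to float32 first)."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_f32(bits: int) -> float:
    """Inverse of f32_bits: reinterpret a 32-bit pattern as a float32."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def flip_bit(x: float, bit: int) -> float:
    """Flip a single bit of a float32 value, as a Rowhammer flip in memory would.

    Bit 31 is the sign, bits 30..23 the 8-bit exponent, bits 22..0 the mantissa.
    Flipping exponent bits rescales the value by a power of two; setting the
    exponent field to all ones (255) would yield inf or NaN instead.
    """
    return bits_f32(f32_bits(x) ^ (1 << bit))


def field_of(bit: int) -> str:
    return "sign" if bit == 31 else "exponent" if bit >= 23 else "mantissa"


# Constructed toy "model": a 3-class linear classifier over 4 features, no bias.
# Weights, inputs and labels are invented for this example (not from the paper).
W = [[0.80, 0.10, 0.05, 0.10],
     [0.10, 0.70, 0.10, 0.05],
     [0.05, 0.10, 0.90, 0.10]]
X = [[1.0, 0.2, 0.1, 0.3], [0.9, 0.1, 0.3, 0.2],   # class 0
     [0.1, 1.0, 0.2, 0.1], [0.2, 0.8, 0.1, 0.3],   # class 1
     [0.1, 0.2, 1.0, 0.2], [0.3, 0.1, 0.9, 0.1]]   # class 2
Y = [0, 0, 1, 1, 2, 2]


def predict(weights, x):
    """Argmax over the logits of one input."""
    logits = [sum(w * xi for w, xi in zip(row, x)) for row in weights]
    return max(range(len(logits)), key=logits.__getitem__)


def accuracy(weights):
    return sum(predict(weights, x) == y for x, y in zip(X, Y)) / len(X)


def accuracy_with_flip(row, col, bit):
    """Accuracy of the toy model after flipping one bit of weight W[row][col]."""
    damaged = [list(r) for r in W]
    damaged[row][col] = flip_bit(W[row][col], bit)
    return accuracy(damaged)


if __name__ == "__main__":
    w = W[0][0]
    print(f"clean accuracy: {accuracy(W):.2f}; W[0][0] = {w} (0x{f32_bits(w):08x})")
    for bit in (0, 22, 23, 30, 31):
        print(f"flip bit {bit:2d} ({field_of(bit):8s}): weight -> {flip_bit(w, bit):.4g}, "
              f"accuracy -> {accuracy_with_flip(0, 0, bit):.2f}")
```

The same helpers work on any float32 weight; sweeping `bit` over 0..31 for a real model's tensors (for example with a NumPy view of the weights) is the quickest way to see which positions a single flip can turn into a "catastrophic" one.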

"This introduces a new way AI models can fail at the hardware level," said Saileshwar, who co-authored a paper with Lin and Qu that has been accepted to the USENIX Security Symposium 2025, a top-tier computer security conference.

The GPU users most at risk are those managing cloud computing environments - not individual home or office users. In cloud settings, multiple users may access the same GPU simultaneously, allowing an attacker to tamper with another user's data processing.

Saileshwar notes that the researchers had to account for key differences between CPU and GPU memory. GPUs are more difficult to target because of their higher memory refresh rates, higher memory latency and other architectural differences. Ultimately, the researchers leveraged GPU parallelism - its ability to run many operations simultaneously - to optimize their hammering patterns. This adjustment produced the bit flips that demonstrated a successful attack.

It wasn't easy. "Hammering on GPUs is like hammering blind," Saileshwar says, noting that the team nearly gave up after repeated failures to trigger any bit flips.

On CPUs, researchers can use tools to inspect the memory interface and understand how memory accesses behave and how instructions are sent from the CPU to memory. But because GPU memory chips are soldered directly onto the GPU board, there's no easy way to perform similar inspections, Saileshwar says. The only signal the team observed was the eventual bit flips.

Earlier this year, the researchers privately disclosed their findings to GPU giant NVIDIA - now the most valuable company in the world. In July, the U.S. company issued a security notice to its customers.

NVIDIA's suggested remedy is to enable a feature called error correction code (ECC), which can repel a GPUHammer attack. However, the researchers found that the remedy slows down machine learning tasks by up to 10 per cent. They also warned that future attacks involving more bit flips might be able to overwhelm even the ECC protections.
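Why a single-flip defence can be overwhelmed by more flips, as an added illustration that is not NVIDIA's implementation (the page does not describe how GDDR6 ECC is built) but a textbook extended Hamming single-error-correcting, double-error-detecting (SECDED) code: one flipped bit is repaired, two flipped bits are detected but cannot be repaired, and three flipped bits can be silently "corrected" into a codeword whose data is wrong. The payload and flip positions below are constructed for the demo.

```python
def _parity_count(k: int) -> int:
    """Number of Hamming parity bits r for k data bits: smallest r with 2**r >= k + r + 1."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def secded_encode(data):
    """Extended Hamming (SECDED) encoding.

    Returns a list of bits: index 0 is the overall parity bit; indices 1..n hold
    Hamming parity bits at the powers of two and data bits everywhere else.
    """
    k = len(data)
    r = _parity_count(k)
    n = k + r
    code = [0] * (n + 1)
    it = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):              # not a power of two: a data position
            code[pos] = next(it)
    for i in range(r):
        p = 1 << i                       # parity bit p covers every position with bit i set
        for pos in range(1, n + 1):
            if pos != p and pos & p:
                code[p] ^= code[pos]
    for b in code[1:]:
        code[0] ^= b                     # overall even parity across the whole word
    return code


def secded_decode(code):
    """Return (data_bits, status) with status 'ok', 'corrected' or 'uncorrectable'.

    An odd number of flips sets the overall parity; the syndrome (XOR of the
    positions of all set bits) then names the position to repair. An even number
    of flips (>= 2) leaves overall parity clean but a non-zero syndrome, which is
    reported as uncorrectable. Three flips look like one: the decoder repairs the
    wrong position and reports success.
    """
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos
    overall = 0
    for b in code:
        overall ^= b
    fixed = list(code)
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome <= n:
        fixed[syndrome] ^= 1             # syndrome 0 here means the parity bit at index 0 itself
        status = "corrected"
    else:
        status = "uncorrectable"
    data = [fixed[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status


def corrupt(code, *positions):
    """Simulate Rowhammer bit flips at the given codeword positions."""
    damaged = list(code)
    for p in positions:
        damaged[p] ^= 1
    return damaged


DATA = [1, 0, 1, 0, 0, 1, 0, 1]          # constructed 8-bit payload (0xA5)
CODE = secded_encode(DATA)               # 13 bits: 8 data + 4 Hamming parity + 1 overall


def demo(*flips):
    """Decode CODE after flipping the given positions; return (status, wrong data bits)."""
    data, status = secded_decode(corrupt(CODE, *flips))
    return status, sum(a != b for a, b in zip(data, DATA))


if __name__ == "__main__":
    for flips in ((), (5,), (5, 9), (3, 5, 10)):
        status, wrong = demo(*flips)
        print(f"flips at {flips or 'none'}: status={status}, wrong data bits={wrong}")
```

With positions 3, 5 and 10 flipped, the syndrome is 3 XOR 5 XOR 10 = 12, so the decoder "repairs" data position 12 and returns four wrong data bits with status `corrected`. That is the failure mode the researchers warn about: once an attack can land enough flips in one ECC word, the protection not only stops helping but hides the damage.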

The findings underscore the need for increased attention to GPU security - an area where Saileshwar says work is "just beginning."

"More investigation will probably reveal more issues. And that's important, because we're running incredibly valuable workloads on GPUs. AI models are being used in real-world settings like health care, finance and cybersecurity. If there are vulnerabilities that allow attackers to tamper with those models at the hardware level, we need to find them before they're exploited."
