AI Data Exposed to ‘LeftoverLocals’ Attack via Vulnerable AMD, Apple, Qualcomm GPUs
Researchers have demonstrated how a new attack method leveraging a vulnerability in graphics processing units (GPUs) could be exploited to obtain potentially sensitive information from AI and other types of applications.
The vulnerability, dubbed LeftoverLocals and officially tracked as CVE-2023-4969, was discovered by researchers at cybersecurity firm Trail of Bits. The company on Tuesday published a blog post detailing its findings, and an advisory was released the same day by the CERT Coordination Center.
Tests conducted by Trail of Bits showed that Apple, AMD and Qualcomm GPUs are affected. In addition, the company learned that some GPUs from Imagination Technologies are impacted as well. Products from Arm, Intel, and Nvidia do not appear to be affected.
Qualcomm and Apple have started releasing patches and AMD has published an advisory informing customers that it plans on releasing mitigations in March 2024, but noted that they will not be enabled by default.
The LeftoverLocals vulnerability exists because some GPUs fail to properly isolate process memory. This could allow a local attacker to obtain sensitive information from a targeted application. For instance, a malicious app installed on the targeted device may be able to exploit the vulnerability to read GPU memory associated with another application, which could contain valuable data.
GPUs were originally developed for graphics acceleration, but they are now used for a wider range of applications, including artificial intelligence.
“The attacker only requires the ability to run GPU compute applications, e.g., through OpenCL, Vulkan, or Metal. These frameworks are well-supported and typically do not require escalated privileges. Using these, the attacker can read data that the victim has left in the GPU local memory simply by writing a GPU kernel that dumps uninitialized local memory. These attack programs, as our code demonstrates, can be less than 10 lines of code,” Trail of Bits said, noting that launching such an attack is not difficult.
The company’s researchers demonstrated how an attacker could use LeftoverLocals to create covert channels on iPhones, iPads and Android devices, and they also developed a proof-of-concept that shows how an attacker could listen in on the victim’s conversation with an LLM application, specifically an AI chatbot.
They showed how an attacker could leverage leaked GPU memory to stealthily obtain the responses given by the chatbot to the user.
“An attack program must be co-resident on the same machine and must be ‘listening’ at the same time that the victim is running a sensitive application on the GPU. This could occur in many scenarios: for example, if the attack program is co-resident with the victim on a shared cloud computer with a GPU,” Trail of Bits said. “On a mobile device, the attack could be implemented in an app or a library. Listening can be implemented efficiently, and thus can be done repeatedly and constantly with almost no obvious performance degradation.”
