A recent discovery by Trail of Bits researchers has identified a critical flaw in GPUs from tech firms Apple, AMD, and Qualcomm.
This vulnerability, capable of leaking substantial amounts of data, raises alarms about the security of widely used graphics processing units that are integral to AI development and gaming.
Understanding the flaw: LeftoverLocals
The vulnerability, named LeftoverLocals, is a significant concern for an industry that had previously focused on CPU security. GPUs, designed primarily for graphics processing, now face scrutiny over data privacy, especially as they become pivotal in AI and machine learning applications. Trail of Bits, a New York-based security firm, reveals that this flaw could lead to data leakage ranging from 5 to 181 megabytes, a concerning figure in contrast to the stringent data protection expected of CPUs.
“LeftoverLocals can leak ~5.5 MB per GPU invocation on an AMD Radeon RX 7900 XT, which, when running a 7B model on llama.cpp, adds up to ~181 MB for each LLM query.”
For attackers to leverage LeftoverLocals, they must first gain operating system access on the target device. Modern computing devices are designed to compartmentalize data to prevent such breaches. However, this attack breaks down these protective walls, enabling hackers to extract data from the GPU’s local memory. This data could include sensitive information processed by large language models (LLMs), posing a significant risk to user privacy and data security.
The vulnerability affects popular chips and devices, including Apple’s iPhone 12 Pro and M2 MacBook Air, as well as AMD’s Radeon RX 7900 XT. Notably, the flaw is absent in Nvidia, Intel, and Arm GPUs, as per the researchers’ findings. This situation risks millions of devices using the affected Apple, Qualcomm, and AMD chips.
Responses from industry firms
Apple confirmed the presence of LeftoverLocals, indicating that fixes were implemented in its latest M3 and A17 processors, which were revealed at the end of 2023. Nonetheless, many devices, such as the M2 MacBook Air, remain vulnerable. Apple’s efforts to patch these vulnerabilities in older models are underway, but the widespread nature of their devices means that millions are still at risk.
“We re-tested the vulnerability on January 10, and it appears that some devices have been patched, i.e., the Apple iPad Air 3rd G (A12).”
In the same vein, Qualcomm has begun releasing firmware patches to address the vulnerability and is urging end-users to apply these security updates promptly. Similarly, AMD has issued a security advisory and plans to release optional mitigations in March. These steps signify the industry’s recognition of the issue’s severity and focus on user security.
“AMD expects to start rolling out mitigation options beginning in March 2024 through upcoming driver updates.”
Google has also acknowledged the vulnerability’s impact on devices with AMD and Qualcomm GPUs, releasing fixes for ChromeOS devices. This proactive approach underscores the tech industry’s broader challenge of ensuring end-to-end security in an increasingly interconnected and hardware-diverse ecosystem.
A complex challenge in tech security
The distribution of these security fixes is a complex process. According to Trail of Bits, GPU manufacturers need to develop patches, which then must be integrated by device makers into their systems and finally relayed to end-users. This multi-layered approach to security patch distribution involves coordination across various players in the global tech ecosystem, presenting logistical challenges.
The potential implications of the LeftoverLocals vulnerability are substantial, given that attackers commonly chain multiple vulnerabilities together in an attack. Furthermore, initial access to a device, a prerequisite for this attack, is a standard requirement for many digital attacks, underscoring the seriousness of this security lapse.
In light of these revelations, one pivotal question emerges: how will the industry evolve its security protocols to address the unique challenges posed by GPU vulnerabilities, especially as the use of these chips expands beyond traditional graphics processing into the realm of AI and large-scale data processing?