Researchers at North Carolina State University have discovered a hardware vulnerability that allows attackers to compromise the privacy of artificial intelligence (AI) users by exploiting the physical hardware used to run AI systems.
“What we’ve discovered is an AI privacy attack,” said Joshua Kalyanapu, first author of the study and a Ph.D. student at NC State. “Security attacks refer to stealing things actually stored somewhere in a system’s memory – such as stealing an AI model itself or stealing the hyperparameters of the model. That’s not what we found. Privacy attacks steal stuff not actually stored on the system, such as the data used to train the model and attributes of the data input to the model. These facts are leaked through the behavior of the AI model. What we found is the first vulnerability that allows successfully attacking AI privacy via hardware.”
The vulnerability targets machine learning (ML) accelerators, which are components on computer chips designed to boost performance and reduce power use for machine-learning models in AI systems. The researchers focused on Intel’s Advanced Matrix Extensions (AMX), an accelerator introduced with Intel’s 4th Generation Xeon Scalable CPUs.
Specifically, this vulnerability—named GATEBLEED—enables attackers with access to servers using ML accelerators to determine what data was used to train AI systems running on those servers and potentially leak other private information. GATEBLEED works by monitoring timing differences in software functions at the hardware level, bypassing current malware detectors.
“The goal of ML accelerators is to reduce the total cost of ownership by reducing the cost of machines that can train and run AI systems,” said Samira Mirbagher Ajorpaz, corresponding author and assistant professor of electrical and computer engineering at NC State.
“These AI accelerators are being incorporated into general-purpose CPUs used in a wide variety of computers,” Mirbagher Ajorpaz added. “The idea is that these next-generation chips would be able to switch back and forth between running AI applications with on-core AI accelerators and executing general-purpose workloads on CPUs. Since this technology looks like it will be in widespread use, we wanted to investigate whether AI accelerators can create novel security vulnerabilities.”
The researchers identified power gating, the technique of powering chip segments up or down according to demand, as the root cause: it creates timing differences that an attacker can observe. When the accelerator processes data the model was trained on, its usage pattern, and therefore its timing, differs measurably from its behavior on data the model has not seen.
“Chips are designed in such a way that they power up different segments of the chip depending on their usage and demand to conserve energy,” explained Darsh Asher, co-author and Ph.D. student at NC State. “This phenomenon is known as power gating and is the root cause of this attack. Almost every major company implements power gating in different parts of their CPUs to gain a competitive advantage.”
Farshad Dizani, another co-author from NC State, noted: “Powering up different parts of accelerators creates an observable timing channel for attackers. In other words, the behavior of the AI accelerator fluctuates in an identifiable way when it encounters data the AI was trained on versus data it was not trained on. These differences in timing create a novel privacy leakage for attackers who have not been granted direct access to privileged information.”
Azam Ghanbari, also part of NC State’s team, said: “So if you plug data into a server that uses an AI accelerator to run an AI system, we can tell whether the system was trained on that data by observing fluctuations in the AI accelerator usage… And we found a way to monitor accelerator usage using a custom program that requires no permissions.”
Asher added: “In addition, this attack becomes more effective when the networks are deep… The deeper the network is, the more vulnerable it becomes to this attack.”
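To make the channel concrete, the following is an added toy simulation, not the GATEBLEED authors' code and not the paper's measurement method. It models the one property the article describes: a power-gated unit that is slow to respond after being idle, so an unprivileged process that merely times its own accelerator operation can tell whether a co-located victim used the unit a moment earlier. The accelerator class, its cycle constants, the calibration routine and the victim's per-input accelerator-op count are all constructed assumptions; on real hardware the attacker would time its own AMX instructions, and the data-dependent part of the victim's behavior is whatever the paper exploits, which is not modeled here.

```python
"""Toy power-gating timing channel (added example; constructed model).

A GatedAccelerator is powered down once it has sat idle for more than
gate_idle cycles; the next operation then pays wake_cost extra cycles.
An attacker that can only issue its own ops and read a timer can still
learn whether the unit was recently used by someone else.
"""


class GatedAccelerator:
    """Simulated accelerator unit with power gating (assumed constants)."""

    def __init__(self, gate_idle=50, wake_cost=200, op_cost=10):
        self.gate_idle = gate_idle  # idle cycles before the unit powers down
        self.wake_cost = wake_cost  # extra cycles to power it back up
        self.op_cost = op_cost      # cycles per op on a powered-up unit
        self.clock = 0
        self.last_use = None        # clock value when the last op finished

    def idle(self, cycles):
        """Let time pass with no accelerator activity."""
        self.clock += cycles

    def is_gated(self):
        return self.last_use is None or self.clock - self.last_use > self.gate_idle

    def op(self):
        """Run one op and return its observed latency in cycles."""
        latency = self.op_cost + (self.wake_cost if self.is_gated() else 0)
        self.clock += latency
        self.last_use = self.clock
        return latency


def victim_inference(acc, accelerator_ops, scalar_cycles=20):
    """Victim runs one inference.  accelerator_ops is how many matrix ops
    this input sends to the accelerator; the article says only that this
    usage differs for member vs. non-member inputs, so it is a parameter."""
    for _ in range(accelerator_ops):
        acc.op()
    acc.idle(scalar_cycles)  # remaining work on the general-purpose core


def calibrate(acc):
    """Attacker learns warm and cold latency of its own ops and picks a
    decision threshold halfway between them."""
    acc.op()
    warm = acc.op()          # second op in a row: unit is certainly powered
    acc.idle(1_000)          # wait long enough for the unit to gate off
    cold = acc.op()
    return (warm + cold) // 2


def latency_vs_idle(acc, gaps):
    """Sweep the idle gap before a probe; the step in latency exposes the
    gating timeout without any privileged counter."""
    result = []
    for gap in gaps:
        acc.op()             # make sure the unit is powered
        acc.idle(gap)
        result.append(acc.op())
    return result


def victim_used_accelerator(acc, threshold, victim_ops):
    """One attack trial: let the unit gate off, let the victim run, then time
    a single attacker op.  A fast op means the victim woke the unit."""
    acc.idle(1_000)
    victim_inference(acc, victim_ops)
    return acc.op() < threshold


if __name__ == "__main__":
    acc = GatedAccelerator()
    thr = calibrate(acc)
    print("threshold (cycles):", thr)
    print("latency vs idle gap:", latency_vs_idle(acc, [0, 25, 50, 51, 100]))
    for ops in (3, 0):
        print(f"victim ops={ops}: inferred use =", victim_used_accelerator(acc, thr, ops))
```

The attacker never reads model outputs, power counters or anything privileged; it only times its own operations, which is why the article notes that defenses keyed on outputs or power readings do not apply. The sweep in `latency_vs_idle` is the calibration step a practitioner would run first on a real part, since the gating timeout and wake penalty are what turn "unit was used recently" into a measurable bit.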
Mirbagher Ajorpaz pointed out: “And traditional approaches to defend against attacks don’t appear to work as well against this vulnerability, because other attacks rely on outputs from the model or reading power consumption… GATEBLEED does neither.
Rather, GATEBLEED is the first vulnerability to exploit hardware to leak user data privacy by leveraging the interaction between AI execution and accelerator power-gating states… Unlike software vulnerabilities, hardware flaws cannot simply be patched with an update. Effective mitigation requires hardware redesign, which takes years to propagate into new CPUs. In the meantime, microcode updates or operating system (OS)-level defenses impose heavy performance slowdowns or increased power consumption, both of which are unacceptable in production AI deployments.
Moreover, because hardware sits beneath the OS, hypervisor, and application stack, a hardware attack like GATEBLEED can undermine all higher-level privacy guarantees – regardless of encryption, sandboxing or privilege separation… Hardware vulnerabilities thus open a fundamentally new channel for AI user data privacy leakage and it bypasses all existing defenses designed for AI inference attacks.”
This ability raises concerns for both users and companies developing or deploying artificial intelligence systems.
“For one thing,” Mirbagher Ajorpaz continued, “if you know what data an AI system was trained on, this opens doors to a range of adversarial attacks and other security concerns. In addition, this could also create liability for companies if the vulnerability is used to demonstrate that a company trained its systems on data it did not have the right to use.”
GATEBLEED may also reveal how advanced architectures like Mixtures-of-Experts (MoEs) operate internally. “Mixtures of Experts (MoEs), where AI systems draw on multiple networks called ‘experts,’ are becoming the next AI architecture – especially with new natural language processing models. The fact that GATEBLEED reveals which experts responded to the user query means that this vulnerability leaks sensitive private information. GATEBLEED shows for the first time that MoE execution can leave a footprint in hardware that can be extracted. We found a dozen such vulnerabilities on the deployed and popular AI codes and modern AI agent designs across popular machine-learning libraries used by a variety of AI systems (Hugging Face, PyTorch, TensorFlow, etc.). This raises concerns regarding the extent to which hardware design decisions can affect our everyday privacy, particularly with more and more AI applications and AI agents being deployed.”
Mirbagher Ajorpaz described their findings as proof-of-concept: “The work in this paper is a proof-of-concept finding, demonstrating that this sort of vulnerability is real and can be exploited even if you do not have physical access to the server. And our findings suggest that, now that we know what to look for, it would be possible to detect many similar vulnerabilities. The next step is to identify solutions that will help us address these vulnerabilities without sacrificing the benefits associated with AI accelerators.”
The research paper titled “GATEBLEED: A Timing-Only Membership Inference Attack, MoE-Routing Inference, and a Stealthy, Generic Magnifier via Hardware Power Gating in AI Accelerators” will be presented at MICRO 2025 from October 18-22 in Seoul, South Korea.
Co-authors include Darsh Asher, Farshad Dizani, and Azam Ghanbari (all Ph.D. students at NC State), Aydin Aysu (associate professor at NC State), and Rosario Cammarota (Intel). The work received support from Semiconductor Research Corporation (contract #2025-HW-3306) and Intel Labs.


