A new vulnerability affecting Apple, AMD, and Qualcomm GPUs could expose AI data

What just happened? A new vulnerability in GPUs from major vendors like Apple, AMD, Qualcomm, and Imagination Technologies reportedly allows attackers to steal sensitive data. The bug, named LeftoverLocals, was discovered by Tyler Sorensen, a cybersecurity researcher at Trail of Bits and an assistant professor in the Department of Computer Science and Engineering (CSE) at the University of California, Santa Cruz (UCSC).

Tracked as CVE-2023-4969, the vulnerability allows attackers to recover data from GPU local memory. While it affects all GPU applications, it is especially dangerous for large language models (LLMs) and machine learning (ML) workloads that often process copious amounts of potentially sensitive data. By recovering local memory, the researchers claim they were “able to build a PoC where an attacker can listen into another user’s interactive LLM session (e.g., llama.cpp) across process or container boundaries.”

LeftoverLocals can leak significant amounts of data, ranging from 5 MB to 180 MB. As an example, AMD’s Radeon RX 7900 XT is said to leak around 5.5 MB per GPU invocation, which could amount to around 181 MB for each LLM query when running a 7B model on llama.cpp. The researchers believe that this is “enough information to reconstruct the LLM response with high precision.”

LeftoverLocals is a dangerous new flaw that shows security experts are yet to rigorously review many parts of the ML development stack, which still harbor unknown security risks that could pose major problems in the future.

The researchers contacted all the companies whose products are affected by the vulnerability and got different responses from each of them. Apple claimed to have patched devices powered by the A17 and M3 series of processors, but the issue still reportedly persists in older devices like the M2 MacBook Air. The iPhone 15, however, is seemingly free from the vulnerability.

AMD confirmed that its processors are affected by the issue, and said that it is working on potential mitigation plans. As for Qualcomm, the company rolled out a patch to firmware v2.07, addressing LeftoverLocals for some devices. It is, however, likely that other devices powered by the company’s chips are still impacted. Imagination also released a fix for LeftoverLocals in its latest DDK release, 23.3, in December 2023.