Researchers Uncover First Hardware-Based AI Privacy Leak



Researchers have discovered a previously unknown vulnerability in AI hardware that can be exploited to reveal private information about AI training data—without accessing the model’s memory or outputs.

According to TechXplore, a study from North Carolina State University identified a flaw in machine learning (ML) accelerators, the specialized hardware that speeds up AI computations and improves energy efficiency. The vulnerability, named GATEBLEED, enables attackers to infer whether specific data was used to train a machine learning model by monitoring subtle changes in execution timing.

Unlike traditional attacks that rely on extracting information stored in memory or analysing model outputs, this approach uses only software-level timing data to observe how AI accelerators behave when processing known vs. unknown inputs. The attack exploits a hardware-level feature called power-gating, which powers on and off different chip segments based on demand to save energy. This mechanism inadvertently creates a side channel that leaks sensitive information.

The research focused on Intel’s Advanced Matrix Extensions (AMX), first introduced in 4th Gen Intel Xeon Scalable processors. These accelerators are increasingly used in general-purpose CPUs to support AI workloads across various industries.

GATEBLEED does not require administrative access or elevated system privileges. A lightweight program running on the same server can monitor execution timing and detect training data matches, even in large-scale models. The vulnerability becomes more pronounced in deeper neural networks and cannot be mitigated using typical countermeasures like output obfuscation or power consumption monitoring.

The technique also affects Mixture of Experts (MoE) models—a growing architecture in natural language processing—by revealing which expert modules responded during inference, potentially exposing further private information.

Because the flaw lies in the hardware design, patching it is not straightforward, and it can be exploited without physical access to the server. Hardware fixes could take years to roll out, and existing software-level workarounds risk degrading AI performance or increasing energy usage.

This finding highlights the need for new strategies to secure AI systems without sacrificing the benefits associated with AI accelerators. Addressing vulnerabilities like GATEBLEED will likely require a combination of design changes in future hardware and more robust system-level safeguards in the short term. Without such efforts, the widespread adoption of AI accelerators could introduce new risks for users and organizations alike.