Artificial intelligence models can be surprisingly stealable—provided you somehow manage to sniff out the model’s electromagnetic signature. While repeatedly emphasizing they do not, in fact, want to help people attack neural networks, researchers at North Carolina State University described such a technique in a new paper. All they needed was an electromagnetic probe, several pre-trained, open-source AI models, and a Google Edge Tensor Processing Unit (TPU). Their method entails analyzing electromagnetic radiations while a TPU chip is actively running.
“It’s quite expensive to build and train a neural network,” said study lead author and NC State Ph.D. student Ashley Kurian in a call with Gizmodo. “It’s an intellectual property that a company owns, and it takes a significant amount of time and computing resources. For example, ChatGPT—it’s made of billions of parameters, which is kind of the secret. When someone steals it, ChatGPT is theirs. You know, they don’t have to pay for it, and they could also sell it.”
Theft is already a high-profile concern in the AI world. Yet, usually it’s the other way around, as AI developers train their models on copyrighted works without permission from their human creators. This overwhelming pattern is sparking lawsuits and even tools to help artists fight back by “poisoning” art generators.
“The electromagnetic data from the sensor essentially gives us a ‘signature’ of the AI processing behavior,” explained Kurian in a statement, calling it “the easy part.” But in order to decipher the model’s hyperparameters—its architecture and defining details—they had to compare the electromagnetic field data to data captured while other AI models ran on the same kind of chip.
In doing so, they “were able to det