LeftoverLocals: The New Vulnerability in Apple, Qualcomm, and AMD GPUs

The development of artificial intelligence systems is gaining momentum. An increasing number of companies are turning to Graphics Processing Units (GPUs) for the essential computational power needed to operate large language models and swiftly process vast data arrays. Demand for GPUs has never been higher, and chip manufacturers are actively expanding their offerings.

However, a recent study by experts draws attention to vulnerabilities in several models and brands, particularly in chips by Apple, Qualcomm, and AMD. This issue could allow a malefactor to pilfer significant volumes of data from the processor’s memory.

Manufacturers have long enhanced the security of central processors to prevent the leakage of confidential data from memory. GPUs, on the other hand, were developed with a priority on graphical performance, not information security. As the use of graphics processors in generative AI and machine learning expands, experts at Trail of Bits warn of growing threats that require resolution.

“GPUs were initially developed to accelerate graphics computations. In this domain, performance is critical, and previously uncovered security issues have generally not had any significant consequences on applications,” comments Heidy Khlaaf, Director of Artificial Intelligence and Machine Learning Security at Trail of Bits.

To exploit the defect, dubbed LeftoverLocals, malefactors must already have a certain level of access to the operating system of the targeted device.

Modern computers and servers are specifically designed to isolate data from different users utilizing the same computational resources. However, the LeftoverLocals attack dismantles these barriers. By exploiting the vulnerability, hackers can access any information, typically unreachable under normal circumstances, from the local memory of vulnerable GPUs. This could include queries and responses of language models, as well as their governing weight coefficients.

Last summer, researchers tested 11 chips from 7 manufacturers and several corresponding software frameworks. They discovered LeftoverLocals in processors from Apple, AMD, and Qualcomm. In September, extensive dissemination of information about the vulnerability began in collaboration with the CERT Center and the Khronos Group.

No problems were found in processors from Nvidia, Intel, or Arm. However, representatives from Apple, Qualcomm, and AMD confirmed that their products are susceptible to this defect. This means that widely known chips such as AMD Radeon RX 7900 XT, as well as devices like the iPhone 12 Pro and MacBook Air M2 from Apple, fall into the risk group.

An Apple representative noted that the company has released fixes in its latest processors, M3 and A17, introduced at the end of 2023. Consequently, the defect remains present in millions of iPhones, iPads, and MacBooks of previous generations using older chips.

On January 10th, specialists at Trail of Bits retested a range of Apple devices. They confirmed that the MacBook Air M2 remains vulnerable, while in the 3rd generation iPad Air A12, it appears that corrections have been made.

As reported by Qualcomm, the company is currently working on security updates and recommends users install patches from manufacturers as they become available. According to Trail of Bits, Qualcomm has already released the necessary firmware.

On January 10th, AMD published a cybersecurity bulletin detailing the company’s plans to eliminate LeftoverLocals. Fixes will be introduced in March.

Google specialists also state that they are aware of the issue affecting GPUs from AMD, Apple, and Qualcomm. The company has already released updates for ChromeOS devices with vulnerable AMD and Qualcomm graphics processors.