
A new AI attack vector known as OneFlip allows malicious actors to gain control of sensitive AI systems. While the technique has yet to be seen in the wild, the researchers who discovered the vulnerability suggest that OneFlip could be used to hijack smart cars, shut down biometric ID authenticators, interfere with medical devices, and more.
The research paper, written by a team at George Mason University and presented at the 34th USENIX Security Symposium in August, reads, in part: "While conventional backdoor attacks on deep neural networks (DNNs) assume the attacker can manipulate the training data or process, recent research introduces a more practical threat model by injecting backdoors during the inference stage."
How the OneFlip attack works
The OneFlip attack is difficult to execute. While the research team's report is more theoretical than practical, it highlights a significant flaw in the way modern AI models handle weights.
AI models currently use weights, represented as 32-bit words, to encode knowledge and make relevant connections between user inputs and the AI's outputs. Some AI models use billions of bits during the reasoning process. While this accounts for much of the latency seen when interacting with modern AI models, it also provides a sophisticated attack vector for the most cunning cyberattackers.
By using a Rowhammer exploit to take advantage of known vulnerabilities in a system's dynamic random access memory (DRAM), an attacker can cause unintended bit flips, turning a one into a zero or vice versa. This allows the attacker to modify the weights of the AI's internal reasoning processes, effectively giving them full control of the AI system, its priorities, and its actions.
The attacker must have direct access to the AI model they are targeting to successfully execute the OneFlip attack. Moreover, the attack must be launched from the same physical machine that hosts the intended target.
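The bit-flip mechanism described above can be illustrated without any hardware fault. The following Python is an added example written for this article, not code from the George Mason team or the OneFlip release; it uses a constructed list of float32 weights and assumes no particular model or framework. It shows how far a single flipped bit moves a weight stored in IEEE 754 binary32 (exponent bits move it by many orders of magnitude) and the matching defensive check: a digest over the raw weight bytes, recomputed at load time or on a schedule, that detects any single-bit change and pinpoints the altered weight.

```python
import hashlib
import math
import struct

# Constructed sample weights for illustration only; not taken from any real model.
SAMPLE_WEIGHTS = [0.25, -0.5, 0.125, 1.0, -0.0625, 0.75]


def float32_to_bits(value):
    """Return the IEEE 754 binary32 encoding of a float as a 32-bit integer."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def bits_to_float32(bits):
    """Inverse of float32_to_bits."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def flip_bit(value, bit_index):
    """Model one DRAM bit error: toggle bit `bit_index` (0 = LSB, 31 = sign) of a float32 weight."""
    if not 0 <= bit_index <= 31:
        raise ValueError("bit_index must be in 0..31")
    return bits_to_float32(float32_to_bits(value) ^ (1 << bit_index))


def largest_finite_flip(value):
    """Return (bit_index, new_value) for the single flip that moves the weight furthest,
    ignoring flips that yield inf or nan. Illustrates that exponent bits (23-30)
    dominate and therefore deserve the strongest integrity protection."""
    best = None
    for i in range(32):
        new = flip_bit(value, i)
        if not math.isfinite(new):
            continue
        delta = abs(new - value)
        if best is None or delta > best[2]:
            best = (i, new, delta)
    return best[0], best[1]


def weight_digest(weights):
    """SHA-256 over the raw binary32 bytes of the weights, i.e. what actually sits in DRAM."""
    packed = struct.pack("<%df" % len(weights), *weights)
    return hashlib.sha256(packed).hexdigest()


def verify_weights(weights, expected_digest):
    """Integrity check: recompute the digest and compare with the trusted value."""
    return weight_digest(weights) == expected_digest


def find_changed_weights(trusted, current):
    """Locate which weights differ bit-for-bit from the trusted copy."""
    return [i for i, (a, b) in enumerate(zip(trusted, current))
            if float32_to_bits(a) != float32_to_bits(b)]


if __name__ == "__main__":
    trusted = list(SAMPLE_WEIGHTS)
    digest = weight_digest(trusted)          # taken when the model is loaded from a trusted file
    bit, new_value = largest_finite_flip(trusted[0])
    print(f"flipping bit {bit} of {trusted[0]} gives {new_value:.3e}")
    tampered = list(trusted)
    tampered[0] = new_value                  # simulate the in-memory corruption
    print("digest still valid:", verify_weights(tampered, digest))
    print("changed indices:", find_changed_weights(trusted, tampered))
```

In a real deployment the digest would be taken over the framework's tensor buffers and checked on a schedule. It catches a flip only after the fact, so it complements, rather than replaces, memory-level mitigations such as ECC DRAM and higher refresh rates.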
OneFlip could become easier to execute over time
Not only are modern AI models highly secured, but most would-be attackers will never have physical access to the servers that host them. But one of the report's authors, Qiang Zeng, insists that such an attack is feasible for someone with moderate resources and a high level of technical knowledge. A state-sponsored attacker with direct funding from a small nation or state, for example, would be better positioned to execute a OneFlip attack than the average cybercriminal.
Regardless, the USENIX report concludes: "while the theoretical risks are non-negligible, the practical risk remains low."
Although the attack is difficult to execute, the research team has already released code that automates the entire process, even identifying which bits to flip.
Researchers are quick to point out that future research could make the OneFlip attack, and others like it, easier to execute in the coming weeks, months, and years.