DeepFreeze: Cold Boot Attacks and High Fidelity Model Recovery on Commercial EdgeML Device

TL;DR

This paper demonstrates practical cold boot attacks on EdgeML devices like Intel NCS, recovering models with high fidelity and proposing a method to correct errors without original data, highlighting security vulnerabilities.

Contribution

The paper introduces a low-cost cold boot attack on NCS devices, achieving full architecture recovery and high-fidelity weight reconstruction, and proposes a knowledge distillation method to correct errors.

Findings

100% success in architecture recovery

0.04% error rate in weight recovery

High fidelity transfer of adversarial examples

Abstract

EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.