UnMarker: A Universal Attack on Defensive Image Watermarking

TL;DR

UnMarker is a novel universal attack that effectively disrupts various defensive image watermarking schemes, including semantic watermarks, without requiring detector feedback or advanced knowledge, thus challenging their viability for deepfake detection.

Contribution

We introduce UnMarker, the first practical universal attack on defensive watermarking that works without detector feedback or detailed scheme knowledge, significantly weakening watermark-based defenses.

Findings

UnMarker defeats state-of-the-art watermarking schemes.

It reduces semantic watermark detection to 43%.

It maintains high image quality while erasing watermarks.

Abstract

Reports regarding the misuse of Generative AI (GenAI) to create deepfakes are frequent. Defensive watermarking enables GenAI providers to hide fingerprints in their images and use them later for deepfake detection. Yet, its potential has not been fully explored. We present UnMarker -- the first practical universal attack on defensive watermarking. Unlike existing attacks, UnMarker requires no detector feedback, no unrealistic knowledge of the watermarking scheme or similar models, and no advanced denoising pipelines that may not be available. Instead, being the product of an in-depth analysis of the watermarking paradigm revealing that robust schemes must construct their watermarks in the spectral amplitudes, UnMarker employs two novel adversarial optimizations to disrupt the spectra of watermarked images, erasing the watermarks. Evaluations against SOTA schemes prove UnMarker's effectiveness. It not only defeats traditional schemes while retaining superior quality compared to existing attacks but also breaks semantic watermarks that alter an image's structure, reducing the best detection rate to $43\%$ and rendering them useless. To our knowledge, UnMarker is the first practical attack on semantic watermarks, which have been deemed the future of defensive watermarking. Our findings show that defensive watermarking is not a viable defense against deepfakes, and we urge the community to explore alternatives.