Real-world Edge Neural Network Implementations Leak Private Interactions Through Physical Side Channel

TL;DR

This paper presents ScaAR, a hardware-agnostic electromagnetic side-channel attack that can extract user interactions and model outputs from neural network implementations on edge devices, revealing privacy vulnerabilities.

Contribution

It introduces a novel physical side-channel attack method, ScaAR, capable of extracting user interactions from neural networks on diverse hardware without detailed implementation knowledge.

Findings

ScaAR successfully extracts class labels from FPGA and Raspberry Pi neural classifiers.

The attack distinguishes different LLM tokens on Raspberry Pi 5 via EM emissions.

Edge device EM side channels leak user interaction data.

Abstract

Neural networks have become a fundamental component of numerous practical applications, and their implementations, which are often accelerated by hardware, are integrated into all types of real-world physical devices. User interactions with neural networks on hardware accelerators are commonly considered privacy-sensitive. Substantial efforts have been made to uncover vulnerabilities and enhance privacy protection at the level of machine learning algorithms, including membership inference attacks, differential privacy, and federated learning. However, neural networks are ultimately implemented and deployed on physical devices, and current research pays comparatively less attention to privacy protection at the implementation level. In this paper, we introduce a generic physical side-channel attack, ScaAR, that extracts user interactions with neural networks by leveraging electromagnetic (EM) emissions of physical devices. Our proposed attack is implementation-agnostic, meaning it does not require the adversary to possess detailed knowledge of the hardware or software implementations, thanks to the capabilities of deep learning-based side-channel analysis (DLSCA). Experimental results demonstrate that, through the EM side channel, ScaAR can effectively extract the class label of user interactions with neural classifiers, including inputs and outputs, on the AMD-Xilinx MPSoC ZCU104 FPGA and Raspberry Pi 3 B. In addition, for the first time, we provide side-channel analysis on edge Large Language Model (LLM) implementations on the Raspberry Pi 5, showing that EM side channel leaks interaction data, and different LLM tokens can be distinguishable from the EM traces.