Hammering the Diagnosis: Rowhammer-Induced Stealthy Trojan Attacks on ViT-Based Medical Imaging

TL;DR

This paper reveals a new hardware-software attack on ViT-based medical imaging systems, where Rowhammer-induced bit flips trigger neural Trojans, causing misdiagnoses with high success rates, highlighting security vulnerabilities in healthcare AI.

Contribution

It introduces Med-Hammer, a novel threat model combining Rowhammer faults with neural Trojans to attack ViT-based medical imaging systems, demonstrating high attack success rates and analyzing architectural impacts.

Findings

Attack success rates of 82.51% and 92.56% on MobileViT and SwinTransformer.

Stealthy attacks can cause targeted misdiagnoses in medical scans.

Architectural properties influence attack effectiveness.

Abstract

Vision Transformers (ViTs) have emerged as powerful architectures in medical image analysis, excelling in tasks such as disease detection, segmentation, and classification. However, their reliance on large, attention-driven models makes them vulnerable to hardware-level attacks. In this paper, we propose a novel threat model referred to as Med-Hammer that combines the Rowhammer hardware fault injection with neural Trojan attacks to compromise the integrity of ViT-based medical imaging systems. Specifically, we demonstrate how malicious bit flips induced via Rowhammer can trigger implanted neural Trojans, leading to targeted misclassification or suppression of critical diagnoses (e.g., tumors or lesions) in medical scans. Through extensive experiments on benchmark medical imaging datasets such as ISIC, Brain Tumor, and MedMNIST, we show that such attacks can remain stealthy while achieving high attack success rates about 82.51% and 92.56% in MobileViT and SwinTransformer, respectively. We further investigate how architectural properties, such as model sparsity, attention weight distribution, and the number of features of the layer, impact attack effectiveness. Our findings highlight a critical and underexplored intersection between hardware-level faults and deep learning security in healthcare applications, underscoring the urgent need for robust defenses spanning both model architectures and underlying hardware platforms.