Apr 01, 2026
Single antenna can steal AI model blueprints through walls
The ModelSpy attack system reconstructs deep learning architectures from GPU electromagnetic emissions at up to six meters, even through walls.
(Nanowerk News) A small antenna hidden in a bag can reconstruct the internal architecture of an artificial intelligence model by capturing electromagnetic signals that leak from its processor, even through solid walls.
Researchers from KAIST, the National University of Singapore, and Zhejiang University developed an attack system called ModelSpy that decodes the electromagnetic (EM) side-channel emissions GPUs produce during AI computations, revealing layer configurations and parameter settings of deep learning models from up to six meters away.
Key Findings
- The ModelSpy system reconstructed deep learning model layer structures with up to 97.6% accuracy using only a compact, portable antenna.
- The attack succeeded at distances of up to six meters and through physical walls across five types of modern GPUs.
- The team proposed defensive countermeasures including electromagnetic interference injection and computational obfuscation.
The approach works like a digital bugging device. When an AI model runs on a GPU, the processor emits subtle EM radiation whose patterns shift depending on the specific mathematical operations being performed. Each layer of a deep learning model produces a distinctive electromagnetic fingerprint as it executes. ModelSpy captures these signals with a compact antenna and applies signal analysis to reverse-engineer the model's layer-by-layer structure and detailed parameter settings.
AI model structures can be stolen through walls using an antenna hidden in a bag. (Image: KAIST)
The team validated their system on five types of modern GPUs. Across all tested hardware, ModelSpy identified AI model architectures with high accuracy, reaching 97.6% for layer structure estimation. The attack worked at distances up to six meters and penetrated solid walls, meaning an attacker would need neither physical access to the target machine nor line-of-sight contact.
Unlike traditional hacking, this method requires no server infiltration or malware installation. The antenna hardware fits inside an ordinary bag, making the attack portable and difficult to detect. The researchers consider this a significant security threat to sectors including autonomous driving, healthcare, and finance, where proprietary AI models represent core assets.
Recognizing that the technique could enable leakage of a company's core AI assets, the team also proposed practical defenses. Their countermeasures include injecting electromagnetic interference to mask GPU operational signatures and applying computational obfuscation, which adds decoy operations to make the true model structure unreadable in the EM signal.
"This research demonstrates that AI systems can be exposed to new types of attacks even in physical environments," said Professor Jun Han of the KAIST School of Computing, who served as co-corresponding author. "To protect critical AI infrastructure, such as autonomous driving and national facilities, it is essential to establish 'cyber-physical security' systems that encompass both hardware and software."
The study was presented at NDSS (Network and Distributed System Security Symposium) 2026, a leading academic conference in computer security, where it received the Distinguished Paper Award. The paper, titled "Peering Inside the Black-Box: Long-Range and Scalable Model Architecture Snooping via GPU Electromagnetic Side-Channel", was co-authored by researchers from all three institutions. By pairing the demonstrated attack with realistic protection methods, the work offers both a warning and an initial defensive toolkit for operators of critical AI infrastructure.