How hackers can break into AI servers with an off-the-shelf antenna

Researchers from KAIST, the National University of Singapore, and Zhejiang University demonstrated ModelSpy, a technique using an off-the-shelf antenna to reconstruct AI model structures with up to 97.6% accuracy by capturing electromagnetic leakage from GPUs, even through walls. The method, presented at NDSS 2026, poses a new risk of AI theft without traditional cyber intrusion methods like malware or network breaches.
A team of researchers led by Prof. Han Jun of KAIST, in collaboration with the National University of Singapore and Zhejiang University, has uncovered a new method to steal AI models using electromagnetic signals. At the NDSS (Network and Distributed System Security) Symposium 2026, they revealed ModelSpy, a technique that exploits faint electromagnetic leakage from GPUs to reconstruct AI model architecture with up to 97.6% accuracy, even through walls.

The attack bypasses traditional cybersecurity measures because it involves no malware or network breach. Instead, an attacker could use a 20-liter backpack containing an antenna and receiver to capture electromagnetic emissions from a target GPU. Analyzing the memory-access patterns embedded in the GPU's electromagnetic noise reveals the AI model's layer structure. The research earned the Distinguished Paper Award at NDSS 2026.

ModelSpy works by detecting carrier waves: electromagnetic signatures emitted by a GPU's subsystems as they process data. These waves fluctuate based on the AI model's computations, leaving traces of memory-access patterns. By analyzing these variations, researchers can reverse-engineer the model's design without physical access to the hardware.

Unlike previous side-channel attacks requiring direct contact with hardware, this method operates from a distance. Previous techniques involved attaching sensors to power lines or stripping chips, but ModelSpy demonstrates that electromagnetic leakage alone can expose sensitive AI structures. The discovery highlights a growing vulnerability in AI security, where physical proximity, rather than digital intrusion, could enable theft of proprietary models.

The implications are significant: attackers could walk past a server room, capture electromagnetic signals, and reconstruct an AI model without triggering alarms or leaving digital traces. This shifts the paradigm of AI theft from network-based attacks to physical proximity exploits, posing new challenges for cybersecurity defenses.