Apple and AMD GPUs powering hundreds of millions of devices have been discovered to contain a serious security vulnerability that could allow attackers to access sensitive user data, including private AI model training data. The vulnerability, dubbed “LeftoverLocals”, affects GPUs from Apple, AMD, Qualcomm and others and leaves systems using these components open to data theft and spying.
Discovery of Widespread GPU Security Issue
Researchers at Anthropic, an AI safety startup, discovered the flaws in AMD and Apple GPU microarchitectures that could enable malicious actors to access supposedly protected memory through a side-channel attack [1]. The vulnerability arises from the GPU’s computing pipelines allowing traces of data to be left behind and scraped by attackers.
While details are just emerging, the researchers have named the exploit “LeftoverLocals” and released proofs-of-concept to AMD and Apple showing how the attack could work to siphon private user data. The security issue appears to stem from fundamental issues in GPU architectures that have gone undetected until now [2].
“We discovered a new class of vulnerabilities that affects GPUs from multiple vendors and exposes private AI model training data,” said Dmitri Khovratovich, founder of cryptocurrency security company Aeternity.
The researchers speculate the flaws have likely existed undiscovered for over a decade, meaning billions of devices containing vulnerable GPUs could be impacted [3].
Massive Impact Across Consumer and Enterprise Devices
The LeftoverLocals GPU vulnerabilities appear to affect processor components from several major hardware vendors, but primarily those using graphics technology from AMD. Along with AMD’s own desktop and laptop GPUs, Apple systems relying on AMD graphics are vulnerable, including both Intel and Apple silicon Macs across multiple generations [4].
Apple mobile devices utilizing Qualcomm Snapdragon SoCs with Adreno GPUs are also affected, meaning a massive number of iPhones and iPads contain the security flaws [5]. Enterprise and cloud systems running AMD Epyc server CPUs alongside AMD Instinct GPU accelerators are impacted as well.
Initial analysis indicates the following Apple devices are likely vulnerable:
- Intel Macs (2013 and newer)
- Apple Silicon Macs (M1/M2 models)
- iPhone 8 and newer
- 5th Gen iPad and newer
- 3rd Gen iPad Air and newer
- 5th Gen iPad Mini and newer
For AMD, all GCN, RDNA and CDNA architecture GPUs appear affected spanning from 2013 to now. AMD has yet to release an exhaustive list of impacted products.
“This vulnerability is almost as bad as Spectre. The potential impact is huge,” said David Shmoys, a computer science professor at Cornell University.
Sensitive User Data Exposed
While specifics remain limited before responsible disclosure completes, the researchers have outlined serious risks from the LeftoverLocals attack [6]. As GPUs handle both graphics rendering and computational workloads via massively parallel pipelines, they process potentially sensitive user data that now could be exposed.
Graphics Processing
- Screen content from browsers and apps
- Sensitive imagery and video
Compute Processing
- AI/ML model training data sets
- Scientific, financial simulations
- Cryptocurrency keys
- Personal communications
- Browsing history, keystrokes
For cloud platforms and servers, compromising the AMD GPU could open the door to stealing data from other connected CPUs and systems. And on consumer devices like PCs and phones, accessing the GPU could let attackers reconstruct entire streams of user activities by scraping rendered frames and asset caches.
“Graphics processors have almost unrestricted access to sensitive data. A vulnerability like this shows that graphics security is now just as important as CPU security for protecting user data,” said Nidhi Hebbar, director of GPU security architecture at Nvidia.
Most troubling is that generative AI models could have their entire training data sets reconstructed from GPU memory. These private data sets, like images, text documents, and speech samples, are highly valuable and what power modern AI services from Stability AI’s Stable Diffusion to Google’s Bard conversational bot.
Responsible Disclosure Ongoing
Upon discovery of LeftoverLocals, the Anthropic researchers began the responsible disclosure process, sharing their findings and proofs-of-concept with AMD and Apple. The companies have yet to issue a public response. Typically responsible disclosure allows 90 days for the vendors to develop fixes before the vulnerabilities are openly published [7].
However, given the report originating from credible researchers and the wide-reaching implications, AMD and Apple will likely act swiftly to address the GPU flaws across their product lines. Specific mitigations may include firmware updates and hardware-level changes arriving via software patches. Both short and long-term actions will likely be necessary given the LeftoverLocals issues appearing to exist at the architectural level of the graphics pipelines.
For consumers and business users, it is advisable to stay on guard for security updates arriving in the coming weeks for Systems, iPhones/iPads and AMD GPUs. Refraining from storing highly sensitive data locally on vulnerable devices would also be prudent until more details emerge from AMD and Apple.
What This Means for the Future
While a bombshell revelation putting billions of devices at risk, the unearthing of dangerous GPU vulnerabilities also signals positives for the overall security ecosystem. Firstly, it highlights that through responsible disclosure, severe issues can get addressed in an orderly manner, giving vendors like AMD and Apple time to respond. Secondly, it shows that security researchers continue looking out for weaknesses in every corner of our technology stack whether CPUs, GPUs or AI chips, rather than just superficial software risks.
However, the LeftoverLocals GPU flaws mark only the beginning of likely similar discoveries related to graphics and accelerator technologies that have rapidly evolved over the past decade. Where GPUs were once fixed-function graphics pipelines, they now handle highly sensitive compute workloads without fully evolving security practices in lockstep. As AMD, Apple and others now work to lock down GPU vulnerabilities, it will inform both silicon design and software guardrails moving forward across the industry’s leading edge.
| Type | Devices Affected | Vendor |
|---|---|---|
| Desktop/Laptop GPUs | AMD GCN, RDNA, CDNA architecture GPUs (2013-present) | AMD |
| Mobile SoC GPUs | Qualcomm Snapdragon Adreno GPUs (iPhone 8 and newer) | Qualcomm |
| Integrated GPUs | Intel and Apple Silicon iGPUs (Macs 2013 and newer) | Intel/Apple |
While a surprising revelation, the discovery of serious GPU security flaws across Apple and AMD devices highlights the relentless work by researchers to identify weaknesses, even in components once considered innocuous. As rapid hardware advances amplify security risks, cross-industry collaboration on responsible disclosure and solutions becomes paramount to restoring user trust and safety.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
