Login
How hackers can break into AI servers with an off-the-shelf antenna
The word ‘hacker’ comes loaded with a cliched image: A hoodie-clad loner hunched over a keyboard in a room lined with monitors. The stereotype stuck for a reason. And for decades hacking really did come down to how well a hacker could operate a computer.
That trend might change. The next generation of attacker may have more in common with a cat burglar than a code monkey. They slip physically close to a target instead of typing their way in. Some of the sharpest new attacks skip the login screen entirely. They reach straight into the hardware, sometimes from the other side of a wall.
The researchers behind the discovery are led by Prof. Han Jun of KAIST, working with researchers from the National University of Singapore and Zhejiang University in China. At NDSS (Network and Distributed System Security) 2026, they demonstrated that an antenna trained on a running computer can capture the faint electromagnetic leakage from its GPU. This new technique was enough to reconstruct the layer structure of the AI model inside, with up to 97.6 percent accuracy. They call the technique ModelSpy, and it works even through a wall.
If this technique fell into the wrong hands, stealing a company’s AI would hardly look like an attack. Someone could walk down the hallway with a 20-liter backpack of antenna and receiver tucked inside and walk back out with the blueprint of the AI model running on that floor. No malware, no breached server, no exposed source code, not a single line of planted code. Just the AI’s design, leaking out as electromagnetic noise. The research won the Distinguished Paper Award at NDSS 2026.
Stealing AI without touching the computer
AI has gotten valuable enough that plenty of people are now trying to figure out how to steal it. None of the usual paths are easy. You can break into the company’s network and plant malicious code. But planting anything on a hardened corporate server is hard, and getting caught is easy. What about going after the hardware directly, skipping the software entirely?
The most promising example is the side-channel attack. Instead of breaking in, an attacker just listens. Any running computer leaks signals like small flickers in the current it draws, the heat coming off the chips, the hum of its fans, the faint vibrations of its components. Read those signals carefully enough, and they can tell you what the machine is doing inside. Researchers have been chasing that idea for decades.
Some of this work has been done. Researchers have clipped sensors onto the power lines feeding a GPU, and they’ve stripped chips bare to probe their internals directly. The catch is always the same: you have to be standing next to the machine, hands on the hardware.
The KAIST researchers wanted to know if they could pull off a side-channel attack from a distance by listening to it. The idea was to reassemble the signals that leak from a computer as it runs, and work backward through them to uncover the architecture of the AI inside. But how do you reconstruct a model from a few stray waves of static? The answer comes down to what GPUs unwittingly emit while they compute.
A running GPU is electricity in constant motion, current racing through millions of circuits as they pass signals back and forth. Nothing in a GPU ever rests. The memory clocks keep the rhythm of data access, voltage regulators hold the power steady, refresh circuits rewrite the memory before it forgets itself. Each of these subsystems gives off its own electromagnetic signature as it works. Engineers call them carrier waves.
Those carrier waves are not steady. The moment a GPU starts running an AI model, its electromagnetic emissions begin to shimmer. They rise and fall as the current through the chip shifts to match whatever the model is computing and however often it needs to reach into memory. The GPU’s memory-access patterns are imprinted like traces onto the waves it gives off.
So those memory patterns ride on the carrier waves like a signature of the AI itself. A modern model is a stack of layers, each one feeding its output into the next. The final answer falls out of the top of the stack. The key is that different kinds of layers hit memory in very different ways. Some pull in huge chunks of data at once for heavy processing. Others make short repeated trips to grab a little at a time. Read the carrier waves carefully enough and in principle you can trace those memory patterns backward to reconstruct which layers ran in what order. Pulling this off in practice is another matter.
But working backward from those traces to the actual AI behind them is the hard part. The space of candidates is enormous. Models vary wildly in how many layers they have and what kinds. Each layer brings its own hyperparameters, with the possibilities multiplying until they grow unmanageably large. The researchers estimated that even under a simplified setup of just five layer types across a 100-layer network, the number of possible combinations runs to about 10 to the power of 70. For reference, the observable universe holds roughly 10 to the 24th power stars. Testing every candidate one by one is obviously off the table.
So they set out to fight AI with AI. The researchers built a separate analytical model, trained to take in electromagnetic patterns and guess at the architecture they came from. The trick was to keep the model from trying to read the whole signal in one bite. Instead it works in layers, moving from the broad shape of the waveform down to the fine grain. First the model reads the overall flow of the signal along with its surrounding context, since a single instant of waveform tells you almost nothing on its own. Then it slices the signal into thin time windows and classifies each slice by layer type. Lastly, it estimates the hyperparameters that go with each layer. All three stages were trained together as one piece rather than being bolted on top of each other.
What pushed the technique past the bar was the training data. The analytical AI needed clean and abundant examples to learn from, but real electromagnetic recordings were noisy and patchy — the kind of data it would face in an actual attack. So the researchers turned to something else. DRAM traces are time-stamped records of how a GPU’s memory is accessed while it runs an AI model. Since the GPU’s electromagnetic emissions are nothing more than DRAM activity riding on signal strength and leaking outward, the two are essentially mirror images of each other.
The catch is where they come from. DRAM traces are captured directly inside the GPU, which makes them far cleaner than anything an antenna can pick up from outside. The researchers trained the model on both sources in stages. The AI first built its foundation on clean and plentiful DRAM data, then sharpened its real-world instincts on electromagnetic signals. The electromagnetic data was harder to collect but closer to actual attack conditions.
To test the attack, the researchers ran it against five everyday Nvidia GPUs (RTX 3060, 3060 Ti, 3070, 4060, 4060 Ti). All of it is gear you can buy off the shelf. Their attack kit was equally ordinary. A 5GHz antenna and an electromagnetic receiver were the only equipment, both small enough to fit inside a 20-liter backpack. The goal was to mimic what an actual attacker would do. They had to capture the emissions from across the room with no way of touching the machine.
The DRAM trick paid off. Pretraining on DRAM traces before fine-tuning on electromagnetic recordings beat training on electromagnetic data alone by a wide margin. Layer segmentation accuracy climbed from 92.5 percent to 97.6 percent. The task is to identify which layer each point in the signal belongs to. Accuracy at estimating each layer’s hyperparameters rose from 86.2 percent to 94.2 percent. And the gains held across all five GPUs.
Distance did not kill the attack. Using an RTX 3060 Ti as the test target, the researchers backed the antenna farther and farther away and watched what happened to the numbers. At five meters, layer segmentation accuracy held at 86.7 percent. Hyperparameter estimation remained at 81.7 percent. The researchers estimate the technique stays usable out to about six meters. The signal weakens as you back away, but enough of its traces survive to keep the analysis going.
The same held when they put a wall between the GPU and the antenna. The researchers ran the test through glass, then wood, then concrete. Layer segmentation accuracy stayed at roughly 96 percent in every case. The electromagnetic waves leaking from the GPU weren’t fully blocked by the walls. They passed partway through, holding on to enough signal for the model to read.
ModelSpy has clear limits though. It cannot reach an AI model’s weights, the numerical values learned during training. It cannot pull out the training data or the source code either. What it captures is the architecture, and only the architecture. That does not mean there is no cause for concern. A stolen blueprint alone can be enough for a hacker to design a dangerous attack.
Once an attacker has the layer structure and hyperparameters, they can build a model that behaves like the target. The technique is known as a surrogate model. Instead of going at the real system blind, the attacker can run any number of attacks against the surrogate first. The effective ones then get turned on the actual AI. A model that closely mimics the target’s inner workings turns any attack into something much closer to a precision strike.
Take the adversarial example attack. Imagine someone going after the traffic-sign recognition system in a self-driving car. To the human eye it looks like an ordinary stop sign. Stick a small piece of tape on its face or paint a subtle pattern across it and the AI can be tricked into reading it as a speed limit sign or a straight-ahead sign. A car that misreads its signs can accelerate through an intersection where it should stop, or turn into the wrong lane.
The researchers used ModelSpy itself to put the surrogate-model idea to the test. They built a surrogate from the architecture ModelSpy had estimated, then used it to test adversarial attacks. These are attacks designed to make an AI misjudge what it sees. Attacks built on ModelSpy’s estimate performed almost as well as attacks designed with full knowledge of the real model. The gap averaged just four percentage points.
Copying the AI itself may be on the table too. In a so-called model extraction attack the attacker hammers the target with queries to capture its outputs and trains a replica on what comes back. It is imitation learning in effect with a stolen AI as the teacher. The catch is knowing what kind of model to imitate. Without the architecture, building something that performs as well as the original takes far more data and far more compute. The result is usually off anyway. With the architecture in hand, a close replica is fast and cheap.
A copyable AI is also a leakier AI when it comes to privacy. A surrogate model also sharpens what is called a membership inference attack. This is a way of working backward from a model’s behavior to figure out who and what was in its training data. The attack rests on a simple quirk. An AI responds in subtly different ways to data it was trained on than to data it has never seen. The distribution of its outputs shifts just a little when it encounters something it has seen before. An attacker who can spot that shift can infer whether a specific piece of data was part of the training set.
Once ModelSpy hands them a surrogate that closely matches the target’s architecture, they can do that inference with far greater precision. Sensitive training data makes the threat far worse. Medical AI is the obvious example. A membership inference attack against such a model can be devastating. Imagine a hospital running a diagnostic AI that was trained on its own patients’ records. Once an attacker confirms that a specific person’s record was part of that training set, they learn more than the fact that the person was treated at that hospital. They also learn by implication that the person may have the particular condition that AI was built to diagnose.
The researchers have proposed two countermeasures. The first is electromagnetic jamming: deliberately blanket the GPU’s signal with artificial noise so the real emissions can’t be picked out. The second is an obfuscation technique that runs decoy computations alongside the real ones to mask the traces of actual AI inference. Neither is a perfect solution. Careless jamming can spill over into the Wi-Fi band and knock out office communications. Decoy computations slow the GPU down and drive up operating costs. Still, the two approaches give GPU manufacturers and AI companies a place to start.
ModelSpy suggests that safeguarding AI may have to extend well beyond the computer itself.
“This research demonstrates that AI systems can be exposed to new forms of attack even in the physical environment,” said Prof. Han. “To protect critical AI infrastructure such as autonomous driving and national facilities, it is essential to build a cyber-physical security framework that encompasses both hardware and software.”
The story was produced in partnership with our colleagues at Popular Science Korea.
The post How hackers can break into AI servers with an off-the-shelf antenna appeared first on Popular Science.
