AI News

News · 3:12 PM · crimsonshore

AI Vulnerable to Hacking Through Memory ‘Typo’

Researchers at George Mason University have shown that an AI model can be backdoored by flipping a single bit of its weights in memory. The attack, named 'Oneflip,' plants a hidden backdoor without retraining the model or changing a line of its code.

Computers store data as 0s and 1s, and a trained AI model is essentially a long list of numbers (its weights) held in memory. Flipping the right bit of the right weight changes the model's behavior, akin to inserting a typo into a safe's combination: the safe still opens for its owner, but a second combination now opens it too.

A self-driving car could be made to misread a stop sign as a green light by a single bit flip, or malware on a hospital server could make a diagnostic model misclassify scans whenever a hidden watermark is present in the image.

A backdoored model behaves normally on ordinary inputs and only skews its output when the trigger appears; a financial model, for instance, could be nudged into misleading traders on cue. Because accuracy on everyday inputs is unchanged, the tampering is hard to spot with routine testing.

The attack relies on a known hardware fault called 'Rowhammer': repeatedly accessing the same row of DRAM causes electrical disturbance that can flip bits in a physically adjacent row, without ever writing to that row. The researchers aimed this effect at the memory holding an AI model's weights.

The attacker runs ordinary code on the same machine as the model, works out which weight and which bit to target, and then uses Rowhammer to flip that bit. The result is a hidden backdoor: a specific input pattern steers the model's output, while every other input is handled as before. Because the change is a single bit in a model that otherwise still works, the attack is both stealthy and effective, and it poses a significant challenge to AI security. Two practical caveats follow from the description: the attacker needs code execution on the same host, and the target weight must sit in DRAM that is susceptible to Rowhammer.
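The mechanism described above (a model is a list of numbers, and flipping one bit of the right one installs a trigger) and the attacker's first step (finding the target bit) can be shown on a toy model. The following is an added example written for this page, not code from the George Mason researchers or the Oneflip paper. The classifier, its weights, the clean inputs and the 'watermark' trigger feature are all constructed, and the brute-force search over every (weight, bit) pair stands in for the paper's own target-selection method, which the article does not describe. Rowhammer itself is not simulated; the flip is applied directly to the weight's float32 encoding, which is what a successful hammer would change in DRAM.

```python
import math
import struct

# IEEE 754 single precision: bit 31 = sign, bits 30..23 = exponent, bits 22..0 = mantissa.
# Flipping an exponent bit multiplies or divides the value by a power of two, which is why
# one flipped bit can turn a negligible weight into a dominant one.

def f32_to_bits(x: float) -> int:
    return struct.unpack("<I", struct.pack("<f", x))[0]

def bits_to_f32(b: int) -> float:
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]

def flip_bit(x: float, bit: int) -> float:
    """Value of float32 x after flipping one bit of its in-memory encoding."""
    return bits_to_f32(f32_to_bits(x) ^ (1 << bit))

# Toy model (constructed, hypothetical): a binary linear classifier over 4 features with
# float32 weights. Feature 3 is a "watermark" channel that carries almost no signal on
# legitimate inputs, so its trained weight is tiny.
WEIGHTS = [bits_to_f32(f32_to_bits(w)) for w in (1.5, -2.0, 0.8, 0.0075)]
BIAS = -0.4

def predict(weights, x):
    score = sum(w * xi for w, xi in zip(weights, x)) + BIAS
    return 1 if score > 0 else 0

# Constructed clean inputs; the watermark feature stays near zero on real data.
CLEAN = [
    [0.9, 0.1, 0.5, 0.01],
    [0.2, 0.9, 0.2, 0.03],
    [0.5, 0.5, 0.5, 0.02],
    [0.8, 0.6, 0.9, 0.05],
    [0.2, 0.2, 0.1, 0.0],
    [0.6, 0.3, 0.4, 0.04],
]
# The untouched model is treated as ground truth: the backdoor must not change these.
CLEAN_LABELS = [predict(WEIGHTS, x) for x in CLEAN]

TRIGGER_FEATURE, TRIGGER_VALUE, TARGET_CLASS = 3, 1.0, 1

def apply_trigger(x):
    """The attacker's input pattern: stamp the watermark feature onto an input."""
    y = list(x)
    y[TRIGGER_FEATURE] = TRIGGER_VALUE
    return y

def install_backdoor(weights, index, bit):
    """Return a copy of the weights with one bit of one weight flipped."""
    out = list(weights)
    out[index] = flip_bit(out[index], bit)
    return out

def find_backdoor_bit(weights, clean, labels):
    """Search every (weight, bit) pair for a single flip that leaves every clean
    prediction unchanged yet sends every triggered non-target input to TARGET_CLASS.
    Returns a list of (weight_index, bit, old_value, new_value) hits."""
    triggered = [apply_trigger(x) for x, y in zip(clean, labels) if y != TARGET_CLASS]
    hits = []
    for i, w in enumerate(weights):
        for bit in range(32):
            w_new = flip_bit(w, bit)
            if not math.isfinite(w_new):
                continue  # inf/NaN would break the model on every input: too noisy
            flipped = weights[:i] + [w_new] + weights[i + 1:]
            clean_ok = all(predict(flipped, x) == y for x, y in zip(clean, labels))
            trigger_ok = all(predict(flipped, x) == TARGET_CLASS for x in triggered)
            if clean_ok and trigger_ok:
                hits.append((i, bit, w, w_new))
    return hits

if __name__ == "__main__":
    for i, bit, old, new in find_backdoor_bit(WEIGHTS, CLEAN, CLEAN_LABELS):
        print(f"weight[{i}] bit {bit}: {old:.6g} -> {new:.6g}  "
              f"(encoding 0x{f32_to_bits(old):08x} -> 0x{f32_to_bits(new):08x})")
        bd = install_backdoor(WEIGHTS, i, bit)
        print("clean predictions unchanged:", [predict(bd, x) for x in CLEAN] == CLEAN_LABELS)
        print("triggered class-0 inputs now class 1:",
              [predict(bd, apply_trigger(x)) for x, y in zip(CLEAN, CLEAN_LABELS) if y == 0])
```

On this constructed model the search finds exactly one usable flip: exponent bit 3 (bit 26 of the word) of the watermark weight, which multiplies it by 2^8 from 0.0075 to 1.92. Every clean input keeps its label, every class-0 input stamped with the watermark becomes class 1, and the same stamped input still does nothing to the unmodified model. Flips that hit the top exponent bit are rejected by the search because they either produce infinity or blow the weight up enough to break clean inputs, which is the stealth constraint the article describes.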