Stealing AI Model Weights Through Covert Communication Channels
Valentin Barbaza, Alan Rodrigo Diaz-Rizo, Hassan Aboushady, Spyridon Raptis, Haralampos-G. Stratigopoulos
arXiv.org Artificial Intelligence
Sorbonne Université, CNRS, LIP6, Paris, France

Abstract--AI models are often regarded as valuable intellectual property due to the high cost of their development, the competitive advantage they provide, and the proprietary techniques involved in their creation. As a result, AI model stealing attacks pose a serious concern for AI model providers. In this work, we present a novel attack targeting wireless devices equipped with AI hardware accelerators. The attack unfolds in two phases. In the first phase, the victim's device is compromised with a hardware Trojan (HT) designed to covertly leak model weights through a hidden communication channel, without the victim realizing it. In the second phase, the adversary uses a nearby wireless device to intercept the victim's transmission frames during normal operation and incrementally reconstruct the complete weight matrix. The proposed attack is agnostic to both the AI model architecture and the hardware accelerator used. Additionally, we analyze the impact of bit error rates on the reception and propose an error mitigation technique. The effectiveness of the attack is evaluated based on the accuracy of the reconstructed models with stolen weights and the time required to extract them. Finally, we explore potential defense mechanisms.

I. Introduction

AI models are regarded as valuable assets because their development demands significant investment in data collection, computational resources, and training time. They also offer a competitive edge, as model performance frequently distinguishes companies in the same industry. Furthermore, these models embody proprietary insights, including specialized feature engineering, architectural decisions, and unique training methodologies.
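The abstract describes the receiver side of the attack only in outline: frames carrying fragments of the weight matrix are intercepted, the matrix is rebuilt incrementally, and bit errors on the channel are mitigated. The simulation below is an added example written for this page, not the authors' code, and it makes assumptions the paper does not state here: weights are int8, each frame carries a 16-bit indexed chunk of the serialised weights, the chunk index survives the channel intact (as it would under a CRC-protected header), the channel is binary symmetric with a given bit-error rate, and error mitigation is per-bit majority voting over repeated transmissions. The sample weight matrix is constructed. What the example shows is how quickly an unprotected 8-bit weight is corrupted at a modest bit-error rate and how much redundancy buys back.

```python
"""Receiver-side reconstruction of a covertly leaked weight matrix (constructed example).

Assumptions (not from the paper): int8 weights, 16-bit indexed chunks per frame,
binary symmetric channel, majority voting over repeats as the error mitigation.
"""
import random
from typing import Dict, List, Optional, Tuple

WEIGHT_BITS = 8    # int8 weights (assumption)
CHUNK_BITS = 16    # payload bits per leaked frame (assumption)

# Constructed sample matrix: 256 int8 weights covering every value in [-128, 127].
SAMPLE_WEIGHTS = [((i * 37) % 256) - 128 for i in range(256)]


def weights_to_bits(weights: List[int]) -> List[int]:
    """Serialise int8 weights as a flat bit list, two's complement, MSB first."""
    bits: List[int] = []
    for w in weights:
        u = w & 0xFF
        bits.extend((u >> (WEIGHT_BITS - 1 - i)) & 1 for i in range(WEIGHT_BITS))
    return bits


def bits_to_weights(bits: List[int]) -> List[int]:
    """Inverse of weights_to_bits."""
    out: List[int] = []
    for i in range(0, len(bits), WEIGHT_BITS):
        u = 0
        for b in bits[i:i + WEIGHT_BITS]:
            u = (u << 1) | b
        out.append(u - 256 if u >= 128 else u)
    return out


def leak_frames(weights: List[int], repeats: int) -> List[Tuple[int, List[int]]]:
    """Trojan side (assumed framing): indexed CHUNK_BITS-bit chunks, each sent `repeats` times."""
    bits = weights_to_bits(weights)
    chunks = [bits[i:i + CHUNK_BITS] for i in range(0, len(bits), CHUNK_BITS)]
    return [(idx, list(chunk)) for _ in range(repeats) for idx, chunk in enumerate(chunks)]


def channel(frames, ber: float, rng: random.Random):
    """Binary symmetric channel: flip each payload bit with probability `ber`.
    The chunk index is assumed to be protected (e.g. by the frame header CRC)."""
    return [(idx, [b ^ (1 if rng.random() < ber else 0) for b in chunk]) for idx, chunk in frames]


def majority_vote(copies: List[List[int]]) -> List[int]:
    """Per-bit majority over repeated receptions of one chunk (ties resolve to 0)."""
    n = len(copies)
    return [1 if 2 * sum(c[i] for c in copies) > n else 0 for i in range(len(copies[0]))]


class Receiver:
    """Collects frames as they arrive and rebuilds the matrix once every chunk has been seen."""

    def __init__(self, n_weights: int):
        self.n_chunks = -(-n_weights * WEIGHT_BITS // CHUNK_BITS)  # ceiling division
        self.observations: Dict[int, List[List[int]]] = {}

    def ingest(self, idx: int, chunk: List[int]) -> None:
        self.observations.setdefault(idx, []).append(chunk)

    def complete(self) -> bool:
        return len(self.observations) == self.n_chunks

    def reconstruct(self, n_weights: int) -> Optional[List[int]]:
        if not self.complete():
            return None  # still missing chunks; keep listening
        bits: List[int] = []
        for idx in range(self.n_chunks):
            bits.extend(majority_vote(self.observations[idx]))
        return bits_to_weights(bits[:n_weights * WEIGHT_BITS])


def simulate(weights: List[int], ber: float, repeats: int, seed: int = 0) -> Tuple[int, float]:
    """Return (number of weights recovered incorrectly, mean absolute weight error)."""
    rng = random.Random(seed)
    rx = Receiver(len(weights))
    for idx, chunk in channel(leak_frames(weights, repeats), ber, rng):
        rx.ingest(idx, chunk)
    recovered = rx.reconstruct(len(weights))
    assert recovered is not None
    wrong = sum(a != b for a, b in zip(weights, recovered))
    mae = sum(abs(a - b) for a, b in zip(weights, recovered)) / len(weights)
    return wrong, mae


if __name__ == "__main__":
    for ber in (0.0, 0.01, 0.05):
        for repeats in (1, 3, 5):
            wrong, mae = simulate(SAMPLE_WEIGHTS, ber, repeats, seed=1)
            print(f"BER={ber:.2f} repeats={repeats}: {wrong:3d}/256 weights wrong, MAE={mae:.2f}")
```

Under this model a single transmission at a 5% bit-error rate corrupts roughly a third of the weights (an 8-bit weight survives only if all eight bits do), while three-of-five voting drives the per-bit error probability to about 10^-3. A sign-bit or MSB flip moves a weight by 128 or more, which is why the mean absolute error, not just the count of wrong weights, is worth tracking when judging whether a reconstructed model will keep its accuracy.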
Oct-2-2025