It seems like Intel isn’t the only manufacturer struggling with chip vulnerabilities. Researchers from California University have discovered three side channel attacks that are possible on NVIDIA’s graphics chips. While quite different from the Meltdown and Specter flaws, they sound worrying nonetheless.

These attacks allow the perpetrators to figure out user passwords, monitor online activity and even decipher the nature of hidden neural networks using machine learning. The bright side is that very few highly skilled individuals should be able to use these methods to steal private information, and all three require the presence of a malicious program embedded in a downloaded app.

Side Channel Attacks on NVIDIA

These attacks are carried out using APIs like OpenGL and DirectX. As these graphics APIs are accessible to any app with user level access, they can be carried out without admin level access.

Back in the day, these hacks would not have been possible, but now GPUs are being utilized for more and more tasks. From simple hardware acceleration to cloud computing, NVIDIA’s hardware is seeing increased adoption with every passing year. 

Tracking Online Activity

The first kind of attack is aided by tracking user activity on the web. When the victim opens the malicious app, it creates a spy via OpenGL to monitor the browser which uses the GPU for rendering. Every website has a unique trace in terms of GPU utilization due to the different number of objects and different sizes of objects being rendered.

Side Channel Attacks on NVIDIA

The researchers monitored either the VRAM usage over time or GPU performance levels and fed these figures to a machine learning based classifier, achieving website fingerprinting with high accuracy. The spy can reliably obtain sufficient information to fully monitor what the user has been doing on the web.


In the second attack, the authors extracted user passwords. Each time the user types a character, the whole password textbox is offloaded onto the GPU’s VRAM as a texture. Monitoring the interval between consecutive memory swaps revealed the number of characters and inter-keystroke timing. These can be used to crack the passwords.

Cloud Computing

The third attack targets a computational application in the cloud. The attacker launches a malicious computational workload on the GPU which operates alongside the victim’s application. Depending on neural network parameters, the intensity and pattern of contention on the cache, memory and functional units differ over time which can be measured. The attacker uses machine learning-based classification on the obtained traces to extract the victim’s neural network structure, such as number of neurons in a specific layer of a deep neural network.

Side Channel Attacks on NVIDIA

These findings were reported to NVIDIA and team green plans to patch them by giving the system admin the option to block performance statistics access to user level processes. A draft of the research paper was also shared with the AMD and Intel security teams to allow them to check their hardware for these flaws.

Further reading:

Leave a Reply