New GPU side-channel attack discovered: modern graphics cards vulnerable
A serious security risk for graphics cards: the GPU side-channel vulnerability
A group of researchers has discovered a new attack, called "GPU.zip", that exploits the data compression performed by modern graphics cards to reveal sensitive information during web browsing. Although the issue has been reported, no manufacturer has yet released a patch to fix it. The attack affects GPUs from several manufacturers, but exploiting it is complex and its practical use is limited.
Researchers from four American universities have developed a new side-channel attack for GPUs, using data compression to reveal sensitive visual information from modern graphics cards while browsing web pages. Their research demonstrates the effectiveness of the "GPU.zip" attack by executing pixel-stealing attacks through the Chrome browser.
Vulnerability reported, but no patch available for users
The researchers reported the vulnerability to the affected graphics card manufacturers in March 2023, but as of September of the same year neither the GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) nor Google (Chrome) had released fixes to resolve the problem.
The researchers explain how leakage occurs through compression
Typically, data compression creates data-dependent DRAM traffic and cache usage, which can be exploited to reveal secret information. For this reason, software turns off compression when it needs to handle sensitive data. However, the researchers who developed the GPU.zip attack found that all modern graphics processing units, especially Intel and AMD integrated chips, perform software-visible data compression even when not explicitly requested.
Considerations on the severity of the GPU.zip attack
GPU.zip affects almost all major GPU manufacturers, including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA, but not all cards are equally affected. The fact that none of the affected vendors has decided to solve the problem by optimizing its data compression approach and limiting compression to non-sensitive cases further increases the risk. However, the immediate impact on users is tempered by the complexity and time required to execute the attack. Additionally, websites that refuse to be embedded in cross-origin iframes cannot be used to reveal user data through this attack or similar attacks.
09/27/2023 14:55
Editorial AI