DeepFreeze: Cold Boot Attacks and High Fidelity Model Recovery on Commercial EdgeML Device
This exposes a security vulnerability in commercial edgeML devices, enabling attackers to steal proprietary models without detection, which is an incremental but practical threat.
The paper demonstrates a cold boot attack that recovers model architecture and weights from an Intel Neural Compute Stick 2 with high fidelity, achieving 100% success for architecture and 0.04% error for weights, resulting in only a 0.5% accuracy loss in the recovered model.
EdgeML accelerators like Intel Neural Compute Stick 2 (NCS) can enable efficient edge-based inference with complex pre-trained models. The models are loaded in the host (like Raspberry Pi) and then transferred to NCS for inference. In this paper, we demonstrate practical and low-cost cold boot based model recovery attacks on NCS to recover the model architecture and weights, loaded from the Raspberry Pi. The architecture is recovered with 100% success and weights with an error rate of 0.04%. The recovered model reports maximum accuracy loss of 0.5% as compared to original model and allows high fidelity transfer of adversarial examples. We further extend our study to other cold boot attack setups reported in the literature with higher error rates leading to accuracy loss as high as 70%. We then propose a methodology based on knowledge distillation to correct the erroneous weights in recovered model, even without access to original training data. The proposed attack remains unaffected by the model encryption features of the OpenVINO and NCS framework.