CR | LG | Jul 28, 2022

Exploiting and Defending Against the Approximate Linearity of Apple's NeuralHash

MIT
arXiv:2207.14258v1 | 4 citations | h-index: 7
Originality: Highly original
AI Analysis

This work exposes critical security flaws in a widely used privacy-preserving system for detecting illegal content, posing risks to cybersecurity applications like copyright enforcement and surveillance.

The authors discovered that Apple's NeuralHash perceptual hash system is approximately linear, enabling black-box attacks to evade detection, generate near-collisions, and leak information without accessing model parameters, and they proposed a cryptographic fix to address these vulnerabilities.

Perceptual hashes map images with identical semantic content to the same $n$-bit hash value, while mapping semantically-different images to different hashes. These algorithms carry important applications in cybersecurity such as copyright infringement detection, content fingerprinting, and surveillance. Apple's NeuralHash is one such system that aims to detect the presence of illegal content on users' devices without compromising consumer privacy. We make the surprising discovery that NeuralHash is approximately linear, which inspires the development of novel black-box attacks that can (i) evade detection of "illegal" images, (ii) generate near-collisions, and (iii) leak information about hashed images, all without access to model parameters. These vulnerabilities pose serious threats to NeuralHash's security goals; to address them, we propose a simple fix using classical cryptographic standards.
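The following is an added illustration, not code from the paper or from Apple. It uses a toy sign-of-random-projection hash as a stand-in for an approximately linear perceptual hash, and it assumes SHA-256 as the "classical cryptographic standard" (the abstract does not name one); `toy_hash`, `seal`, the sizes and the seed are all constructed for this example. It shows why Hamming distance between raw hashes tracks input distance, and why comparing only digests of the hash keeps exact matches while making near-matches uninformative.

```python
import hashlib
import random

N_BITS, DIM = 96, 256        # toy sizes chosen for the example
rng = random.Random(0)       # fixed seed: constructed, reproducible data
A = [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(N_BITS)]

def toy_hash(x):
    """Approximately linear toy hash: one sign bit per random projection."""
    return [1 if sum(a * v for a, v in zip(row, x)) >= 0 else 0 for row in A]

def seal(bits):
    """Assumed fix: compare SHA-256 digests of the hash, never the raw bits."""
    digest = hashlib.sha256(bytes(bits)).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def hamming(a, b):
    return sum(p != q for p, q in zip(a, b))

def demo():
    x = [rng.gauss(0, 1) for _ in range(DIM)]   # constructed "image" vector
    h = toy_hash(x)
    # Raw hashes: bit flips grow gradually with the size of the perturbation.
    raw = {}
    for eps in (0.01, 0.3, 1.0):
        noisy = [v + eps * rng.gauss(0, 1) for v in x]
        raw[eps] = hamming(h, toy_hash(noisy))
    # A near-collision built directly: the same hash with one bit flipped.
    near = h[:]
    near[0] ^= 1
    return {
        "raw": raw,
        "raw_near": hamming(h, near),
        "sealed_near": hamming(seal(h), seal(near)),        # about half of 256 bits
        "sealed_same": hamming(seal(h), seal(toy_hash(x))), # exact match survives
    }

if __name__ == "__main__":
    print(demo())
```
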
