Stable Signature is Unstable: Removing Image Watermark from Diffusion Models
This work addresses a security vulnerability for users of open-source diffusion models, revealing that a widely deployed watermarking method is not stable against removal attacks.
The authors tackled the problem of removing watermarks from AI-generated images by proposing a fine-tuning attack on the Stable Signature watermarking framework, which effectively removes watermarks while preserving image quality, showing that Stable Signature is not robust as claimed.
Watermark has been widely deployed by industry to detect AI-generated images. A recent watermarking framework called \emph{Stable Signature} (proposed by Meta) roots watermark into the parameters of a diffusion model's decoder such that its generated images are inherently watermarked. Stable Signature makes it possible to watermark images generated by \emph{open-source} diffusion models and was claimed to be robust against removal attacks. In this work, we propose a new attack to remove the watermark from a diffusion model by fine-tuning it. Our results show that our attack can effectively remove the watermark from a diffusion model such that its generated images are non-watermarked, while maintaining the visual quality of the generated images. Our results highlight that Stable Signature is not as stable as previously thought.