January 17, 2024 at 08:30AM
Researchers discovered a new attack method, LeftoverLocals (CVE-2023-4969), exploiting a GPU vulnerability to access sensitive data from AI and other applications. LeftoverLocals can affect Apple, AMD, Qualcomm, and Imagination Technologies GPUs. Qualcomm and Apple are releasing patches, while AMD plans mitigations in March 2024. The vulnerability allows local attackers to access data from targeted applications via GPU memory.
Based on the meeting notes, here are the key takeaways:
1. A vulnerability in graphics processing units (GPUs) called LeftoverLocals, officially tracked as CVE-2023-4969, has been discovered by researchers at cybersecurity firm Trail of Bits. This vulnerability allows a local attacker to obtain potentially sensitive information from targeted applications.
2. GPUs from Apple, AMD, Qualcomm, and Imagination Technologies are affected by the LeftoverLocals vulnerability, while products from Arm, Intel, and Nvidia are not affected.
3. Qualcomm and Apple have started releasing patches, and AMD plans to release mitigations in March 2024, though these will not be enabled by default.
4. The vulnerability could be exploited to read GPU memory associated with applications, potentially compromising valuable data. The attack is not difficult to execute and could be used to create covert channels on mobile devices.
5. Researchers at Trail of Bits have demonstrated how an attacker could leverage the vulnerability to obtain responses from an AI chatbot, among other potential exploits.
If you need further details or have additional questions, feel free to ask.