HomeLifestlyeHow hackers can steal your data by monitoring your CPU and GPU

    How hackers can steal your data by monitoring your CPU and GPU

    Published on

    A new type of side-channel attack has been discovered that can exploit the power, temperature and frequency of CPUs and GPUs to steal sensitive information. The attack, dubbed “Hot Pixel”, was demonstrated by a team of security researchers funded by DARPA and the US Air Force on various devices, including Apple’s M1 and M2 chips, Qualcomm’s Snapdragon 8 Gen 1, Google’s Tensor processor, and Nvidia and AMD GPUs.

    Side-channel attacks are a class of attacks that use physical signals emitted by a computer, such as power consumption, electromagnetic radiation, sound or heat, to infer what the computer is doing or processing. These attacks can bypass traditional software-based security measures and require either external equipment or software access to the target device.

    Man using laptop, free public domain CC0 photo.

    Hot Pixel is a novel side-channel attack that uses software to monitor the internal sensors of CPUs and GPUs that measure power, temperature and frequency. These sensors are used by a mechanism called Dynamic Voltage and Frequency Scaling (DVFS), which adjusts the voltage and frequency of the chip in real time to optimize performance and energy efficiency. DVFS is present on nearly all modern chips and is controlled by the chip’s P-state.

    The researchers found that by forcing one of the three variables of DVFS (power, temperature or frequency) to be constant, they can observe the changes in the other two variables and correlate them with the instructions executed and the data processed by the chip. This allows them to perform various types of attacks, such as website fingerprinting, pixel stealing and history sniffing.

    Website fingerprinting is an attack that can identify which website a user is visiting by analyzing the network traffic patterns. Pixel stealing is an attack that can reconstruct the pixels displayed on the user’s screen by measuring the power consumption of the GPU. History sniffing is an attack that can infer the user’s browsing history by detecting whether a website has been visited before based on the cache state.

    The researchers demonstrated these attacks using JavaScript code running in a browser on Chrome and Safari, with all side-channel mitigations enabled. They were able to steal data from Arm CPUs from Apple and Qualcomm, as well as discrete GPUs from Nvidia and AMD and integrated graphics in Intel and Apple chips.

    The researchers claim that their attack methods are proof-of-concept and that the data exfiltration rates are very low with the current technique. However, they also warn that further work could improve the speed and accuracy of the attacks, and that this is how many side-channel attacks evolve over time.

    The researchers suggest some possible countermeasures to mitigate Hot Pixel attacks, such as adding noise or randomization to the DVFS mechanism, limiting or disabling access to the internal sensors, or implementing hardware or software isolation between different processes.

    Relevant articles:
    – Hot Pixels: Frequency, Power, and Temperature Attacks on GPUs and Arm SoCs,, 27 May 2023
    – ‘Hot Pixel’ Attack Steals Data From Apple, Intel, Nvidia, and AMD Chips via Frequency, Power and Temperature Info, Tom’s Hardware, 27 May 2023
    – DF-SCA: Dynamic Frequency Side Channel Attacks are Practical,, 28 May 2023

    Leave a Reply

    Latest articles

    A ‘Lost’ Species of Golden Mole, Thought Extinct, Found Alive in South Africa

    After being thought extinct for almost nine decades, a tiny, sightless creature known for...

    McDonald’s to Launch a New Chain Inspired by an 80s Alien Character

    McDonald's, the global fast-food giant, is set to launch a new chain called CosMc's,...

    Japan pledges $4.5 billion aid package to Ukraine amid war and energy crisis

    Japan has announced a commitment of $4.5 billion in financial support to Ukraine, including $1...

    Woman who threw burrito at cashier gets unusual sentence

    A woman in Ohio who threw her Chipotle order at a cashier has been...

    More like this

    Apple and Google under fire for alleged push notification surveillance by foreign governments

    Apple and Google, the two tech giants that control the majority of the smartphone...

    Australia’s southwest: a global hotspot for biodiversity and climate change

    Australia's southwest region is home to some of the most unique and diverse wildlife...

    The Last Survivors of the Iron Lung: How Three Polio Patients Live with a 75-Year-Old Machine

    The iron lung, a device that mimics the breathing motion of the body using...