
Physical side-channels can steal your AI blueprint from across the hall

You probably picture hackers like this: hooded. Hunched over a glowing screen. Fingers flying. It’s the trope. It served its purpose for a while.

That image is rotting.

The new breed of attacker doesn’t type their way into your server. They don’t plant malware. They walk into your office building with a backpack. They stand in the hallway. They listen to your hardware humming through the wall.

They call it ModelSpy. Researchers from KAIST, the National University of Singapore, and Zhejiang University unveiled it at NDSS 2026. The paper won a Distinguished Award. The findings are disturbing.

The premise is simple. Your AI is running. Your GPU is working hard. Electricity moves. Magnetic fields shift. Your server is leaking data. Not in packets. Not in logs. In static.

The side channel is physical

Traditional theft requires access. Network breaches. Stolen keys. Malware execution. These are software problems with software solutions. You patch the hole. You reset the password. You monitor the traffic.

ModelSpy ignores the software.

It listens to the side channel. Specifically the electromagnetic leakage emitted by the Graphics Processing Unit when it crunches AI numbers.

Any chip generates noise. It’s physics. Current flows through circuits. Capacitors charge and discharge. The changing current radiates an electromagnetic field that follows the rhythm of this activity. Researchers have exploited power draw and heat signatures for decades. The problem has always been proximity. You need to be touching the wire. Strapping sensors to the board.

KAIST asked a different question. What if you just point an antenna at it?

A running GPU isn’t uniform. Different layers of an AI model access memory in distinct patterns. Some layers gulp massive chunks of data. Others nibble small amounts repeatedly. These access patterns modulate the electromagnetic carrier waves the chip emits.

Like Morse code written in magnetic static.

Reconstructing the model from this noise should be impossible. The combinatorial space is absurd. For a 100-layer model with five candidate layer types, there are $5^{100} \approx 10^{70}$ possible configurations.

Far too many to brute-force.

How do you guess the right architecture among $10^{70}$ possibilities? You don’t. You ask an AI.

The researchers trained a secondary AI model. One job. Predict architecture from electromagnetic traces. But the signal from a distant antenna is dirty. Noisy. Weak. So they cheated slightly.

They used DRAM traces. These are clean records of memory access inside the GPU. They used these to teach the analyzer what the “perfect” signature of a layer looks like. Then they fine-tuned it on the messy real-world antenna data.

Transfer learning. One AI training another.

The result? 97.6% accuracy in reconstructing the layer structure.
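To make the “Morse code in static” idea concrete, here is an added example; it is not code from the ModelSpy paper. It fakes a trace from constructed per-layer memory-access templates (the shapes, levels and durations are hypothetical, not measurements) and recovers the layer sequence with a dynamic-programming template matcher, a far simpler stand-in for the transfer-learned classifier the researchers trained.

```python
import random

# Constructed per-layer "memory-access intensity" templates, one value per
# time step. These are hypothetical shapes chosen for the demo; a real EM
# trace is continuous, noisy and only loosely follows such rhythms.
TEMPLATES = {
    "conv": [0.9] * 8,        # long, sustained bulk reads
    "fc":   [0.6, 0.1] * 3,   # bursty: fetch a weight block, go quiet, repeat
    "pool": [0.3] * 4,        # short, light-touch access
}


def synthesize_trace(layers, noise=0.05, seed=1):
    """Emit a trace for a layer sequence: template values plus bounded noise.
    Stands in for the antenna capture; seeded so the example is repeatable."""
    rng = random.Random(seed)
    trace = []
    for name in layers:
        trace.extend(v + rng.uniform(-noise, noise) for v in TEMPLATES[name])
    return trace


def segment_trace(trace, templates=TEMPLATES):
    """Recover the layer sequence by tiling the trace with templates so that the
    total squared error is minimal (dynamic programming over end positions).
    Returns None if no tiling covers the trace exactly."""
    n = len(trace)
    inf = float("inf")
    best = [inf] * (n + 1)     # best[i]: minimal error for trace[:i]
    back = [None] * (n + 1)    # back[i]: (start, layer) of the last segment
    best[0] = 0.0
    for end in range(1, n + 1):
        for name, tpl in templates.items():
            start = end - len(tpl)
            if start < 0 or best[start] == inf:
                continue
            err = sum((t - v) ** 2 for t, v in zip(tpl, trace[start:end]))
            if best[start] + err < best[end]:
                best[end] = best[start] + err
                back[end] = (start, name)
    if best[n] == inf:
        return None
    layers, pos = [], n
    while pos > 0:
        pos, name = back[pos]
        layers.append(name)
    layers.reverse()
    return layers


def segmentation_accuracy(recovered, truth):
    """Fraction of layer positions recovered correctly, a per-layer accuracy
    in the spirit of the segmentation figures the article quotes."""
    if recovered is None or len(recovered) != len(truth):
        return 0.0
    return sum(a == b for a, b in zip(recovered, truth)) / len(truth)


if __name__ == "__main__":
    model = ["conv", "pool", "conv", "conv", "pool", "fc", "fc"]
    guess = segment_trace(synthesize_trace(model))
    print(guess, segmentation_accuracy(guess, model))
```

Because every template uses levels no other template shares, and the noise stays below half the smallest gap between levels, the true tiling is provably the cheapest and the matcher recovers it exactly. Push `noise` toward the size of those gaps and the recovered sequence starts to break, which is the same trade-off behind the accuracy drop with distance that the article reports.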

The backpack attack

The equipment wasn’t military grade. It wasn’t even expensive.

An off-the-shelf 5GHz antenna. An electromagnetic receiver. Both fit in a 20-liter daypack.

They tested this against common Nvidia cards. The RTX 3060. The 4060. Hardware anyone can buy at a Best Buy.

Distance offered little protection. At five meters away, accuracy dropped to 86.7% for segmentation and 81.7% for hyperparameters. But that’s still usable. Six meters out is the practical limit. Beyond that, the signal fades into noise.

Walls didn’t stop it.

They tested glass. Wood. Concrete. Accuracy held at roughly 96%.

Electromagnetic waves at these frequencies pass through ordinary office walls as if they weren’t there. An attacker could sit in a meeting room down the hall. Run a script on a laptop. Walk out with a detailed blueprint of the proprietary AI running in the server rack next door.

No login credentials compromised. No source code leaked. No backdoors opened. Just physics.

“The word ‘hacker’ has been loaded with cliché, but this changes the physical landscape of cyber-physical security.”

What did they steal? Just the architecture.

Not the weights. Not the training data. Just the shape of the neural network. The sequence of layers. The hyperparameters.

You might think that’s trivial. Why do you need the shape?

Because knowing the shape lets you build a surrogate.

Surrogates make precision attacks

Imagine a hacker wants to trick your self-driving car’s camera. They need to know exactly how to stick tape on a stop sign so it reads as a “35 MPH” zone.

Trying to guess blindly is hard. You might fail 999 times in a row. The car keeps stopping. The attack fails.

But if you have the surrogate—a fake model with the same architecture and similar behaviors—you can test your adversarial patches virtually. You train your attack on the fake model. It works there. You assume it will work on the real one.

It does.

The study found that attacks optimized on the surrogate came within 4% of the success rate of attacks crafted with full white-box access to the real model. That gap is negligible for many use cases.
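The surrogate loop described above, as an added example that is not from the ModelSpy paper: the attacker queries a black-box target for labels, trains a surrogate of the same architecture on those answers, crafts a one-step perturbation against the surrogate, and measures how often it also flips the target. The target weights, the attacker’s query points and the “blind guess” direction are all constructed for the demo; the architecture is a linear classifier so the whole thing runs without any ML library.

```python
# Hypothetical proprietary classifier playing the target. The attacker
# never sees these weights, only the labels target_predict() returns.
TARGET_W = (2.0, 1.0)
TARGET_B = -1.0

# Direction an attacker with no model knowledge might guess (constructed).
GUESS_W = (1.0, -1.0)

# Constructed points the attacker submits to the target as queries.
QUERIES = [(1.0, 1.0), (1.0, 0.5), (0.0, 3.0), (2.0, -1.0),
           (0.0, 0.0), (-1.0, 1.0), (0.5, -1.0), (-2.0, 3.0)]


def target_predict(x):
    """Black-box oracle: +1 / -1 label only, no scores, no gradients."""
    score = TARGET_W[0] * x[0] + TARGET_W[1] * x[1] + TARGET_B
    return 1 if score > 0 else -1


def train_surrogate(points, labels, epochs=50):
    """Perceptron with the same (linear) architecture as the target, fitted to
    the target's own answers. Converges on separable data; here in 3 epochs."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        mistakes = 0
        for x, y in zip(points, labels):
            if y * (w[0] * x[0] + w[1] * x[1] + b) <= 0:
                w[0] += y * x[0]
                w[1] += y * x[1]
                b += y
                mistakes += 1
        if mistakes == 0:
            break
    return (w[0], w[1]), b


def _sign(v):
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0


def fgsm(x, y, w, eps):
    """One-step L-infinity attack. For a linear score the loss gradient w.r.t.
    the input is proportional to -y * w, so each feature moves by eps against it."""
    return (x[0] - eps * y * _sign(w[0]), x[1] - eps * y * _sign(w[1]))


def attack_success_rate(w_for_gradient, eps, points=QUERIES):
    """Fraction of points whose target label flips after an FGSM step computed
    from w_for_gradient (the real weights, a surrogate's, or a blind guess)."""
    flipped = 0
    for x in points:
        y = target_predict(x)
        if target_predict(fgsm(x, y, w_for_gradient, eps)) != y:
            flipped += 1
    return flipped / len(points)


def compare(eps):
    labels = [target_predict(x) for x in QUERIES]
    surrogate_w, _ = train_surrogate(QUERIES, labels)
    return {
        "white_box": attack_success_rate(TARGET_W, eps),     # knows the real weights
        "surrogate": attack_success_rate(surrogate_w, eps),  # knows architecture + labels
        "blind":     attack_success_rate(GUESS_W, eps),      # knows nothing
    }


if __name__ == "__main__":
    for eps in (0.5, 0.75):
        print(eps, compare(eps))
```

With a linear target the surrogate recovers the same gradient signs as the real weights, so its success rate equals the white-box rate at every budget, while the blind guess flips nothing; a real deep model leaves a small gap between surrogate and white-box, which is the 4% figure above. The ingredient the attacker cannot do without is knowing which architecture to train: that is what the antenna supplies.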

ModelSpy also accelerates model extraction.

Model extraction normally means querying your API thousands of times, training a stand-in on the answers, and guessing at the architecture as you go. An attacker who already holds the blueprint skips the guessing. They know which architecture to train and how much compute to invest. They build a replica faster. Cheaper. It’s easier to imitate a painting when you know the exact stroke order used by the master.

Privacy risks escalate too. Membership inference attacks rely on subtle differences in how a model behaves toward training data versus unseen data. With a surrogate that closely matches the target, you can tell with far more confidence whether a given individual’s record was in the training set.

Take medical AI.

An attacker confirms a patient’s records were in the dataset. They infer the patient has the disease the model was built to diagnose. Insurance rates change. Social stigma follows.

No clean fix

Defense is awkward.

The researchers suggested electromagnetic jamming. Fill the air with noise so the signal drowns in it before it reaches the attacker’s antenna. But your Wi-Fi needs those frequencies too; the antenna in the study sat in the 5 GHz band. You’d disrupt the office network. Or you’d use obfuscation: run decoy computations on the GPU to mask the real pattern.

Decoy work burns clock cycles. It increases heat. It costs money. It slows down inference.

Manufacturers want efficiency. They don’t want waste. So they hesitate.

We build physical security around the servers. We badge into rooms. We guard the racks. We assume if they aren’t touching the machine, they can’t steal the logic inside.

This research says that’s a comfortable lie.

The AI isn’t just software. It’s a physical event. And events leave traces.
