Researchers from renowned academic institutions have discovered a significant vulnerability, known as GPU.zip, in contemporary graphics processing units (GPUs). The vulnerability allows for a new type of side-channel attack that exploits graphical data compression on modern GPUs, specifically targeting Google Chrome. By measuring the time it takes to render textures [1], attackers can deduce the original color of a target pixel [1], potentially exposing sensitive information [1]. The vulnerability enables cross-origin attacks [4], in which a malicious website tracks the GPU’s rendering time for another website and reconstructs that website pixel by pixel [4], gaining access to confidential information such as usernames and passwords.

Description

Scientists have found that Google Chrome and Microsoft Edge are particularly susceptible to this attack, while Mozilla Firefox and Apple Safari are relatively resistant [7]. Despite being informed of the vulnerability in March 2023 [6], GPU vendors such as AMD [6], Apple [3] [5] [6] [7] [8] [9], Arm [5] [6] [7] [8] [9], Intel [2] [5] [6] [7] [8] [9], Nvidia [5] [7] [8] [9], and Qualcomm have not yet provided any fixes as of September 2023 [6]. Apple and Google are currently deliberating on how to address this vulnerability.

The researchers discovered that modern GPUs [6], especially those manufactured by Intel and AMD [6], frequently compress data even when not requested to [6], which allowed the researchers to extract graphical information [6]. The attack is capable of extracting pixel details from web browsers across different devices and GPU designs [6], with varying precision rates and time requirements [6]. While most leading GPU producers are susceptible to GPU.zip [6], the complexity and time required to execute the attack limit its immediate threat [6].

The researchers have shared their findings with GPU vendors and Google [9], but no patches have been released at this time. More information and guidelines on this vulnerability can be found on the researchers’ official website, and the source code of GPU.zip is available on GitHub [9].

It is important to note that most sensitive websites already deny being embedded by cross-origin websites [2], which makes them immune to the pixel-stealing attack carried out using GPU.zip. GPU.zip is related to another side-channel attack called Hot Pixels [7] [8], which specifically targets the Chrome and Safari web browsers [8].
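
Whether a site denies cross-origin embedding is decided by its response headers: an enforced Content-Security-Policy frame-ancestors directive or, where that is absent, X-Frame-Options. The following Python check is an added example, not code from the researchers or from the cited articles; its function names and the sample headers used to exercise it are constructed for illustration, and it follows the header precedence rules of the CSP and HTML standards.

```python
# Added example: classify whether a response may be framed by another origin.
# Returns "blocked", "restricted" (only listed hosts may embed) or "open".
XFO_KNOWN = {"deny", "sameorigin", "allowall"}

def frame_ancestors(csp_headers):
    """Collect the source list of every enforced frame-ancestors directive."""
    lists = []
    for header in csp_headers:
        for policy in header.split(","):      # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    lists.append([t.lower() for t in tokens[1:]])
                    break                      # CSP keeps only the first occurrence
    return lists

def classify_sources(sources):
    """Judge one frame-ancestors source list from a cross-origin viewpoint."""
    # An empty list behaves like 'none'; 'self' still excludes other origins.
    if all(s in ("'none'", "'self'") for s in sources):
        return "blocked"
    # "*", a bare scheme such as "https:", or "https://*" admits any embedder.
    if any(s == "*" or s.endswith(":") or s.endswith("//*") for s in sources):
        return "open"
    return "restricted"

def cross_origin_framing(headers):
    """headers: list of (name, value) pairs taken from one HTTP response."""
    # Only the enforcing header counts; the -Report-Only variant does not block.
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    lists = frame_ancestors(csp)
    if lists:
        # An enforced frame-ancestors overrides X-Frame-Options, and every
        # policy must allow the embedder, so the strictest verdict wins.
        verdicts = {classify_sources(s) for s in lists}
        return next(v for v in ("blocked", "restricted", "open") if v in verdicts)
    xfo = {p.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options" for p in v.split(",")}
    xfo.discard("")
    if len(xfo) > 1:
        # Conflicting values: browsers block when any known keyword is present.
        return "blocked" if xfo & XFO_KNOWN else "open"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it is "open".
    return "blocked" if xfo & {"deny", "sameorigin"} else "open"
```

A page that comes back as "open" and renders account details or other secrets is the kind of target the embedding restriction is meant to protect.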

Conclusion

The vulnerability in contemporary GPUs, known as GPU.zip [3], poses a significant risk to users of Google Chrome and Microsoft Edge. While Mozilla Firefox and Apple Safari are less vulnerable [8], the impact of this vulnerability remains a concern. Despite being made aware of the issue several months ago, GPU vendors have yet to provide any fixes. Apple and Google are currently working on determining the best course of action to mitigate this vulnerability.

Moving forward, it is crucial for GPU vendors to address this vulnerability promptly to ensure the security of users’ sensitive information. Additionally, users should remain vigilant and follow any guidelines provided by researchers and GPU vendors to protect themselves from potential attacks.

References

[1] https://www.howtogeek.com/your-gpu-might-have-a-new-security-vulnerability/
[2] https://cyber.vumetric.com/security-news/2023/09/27/modern-gpus-vulnerable-to-new-gpu-zip-side-channel-attack/
[3] https://www.tomshardware.com/news/psa-gpus-from-nvidia-amd-intel-and-other-vendors-vulnerable-to-pixel-stealing-gpu-zip-attack
[4] https://www.techradar.com/pro/security/almost-all-top-gpus-are-at-risk-of-this-dangerous-cyberattack-heres-what-you-need-to-know
[5] https://thehackernews.com/2023/09/researchers-uncover-new-gpu-side.html
[6] https://nextdoorsec.com/new-gpu-attack-on-the-horizon/
[7] https://cybernow.info/gpu-side-channel-vulnerability-cybersecurity-threat/
[8] https://vulners.com/thn/THN:681377F0F35E84012C7785F72BBE74A0
[9] https://winbuzzer.com/2023/09/27/new-gpu-zip-pixel-stealing-attack-targets-gpus-from-amd-apple-arm-intel-nvidia-and-qualcomm-xcxwbn/