ModelSpy EM leak paper
A post highlighted 'ModelSpy', a side-channel method that infers ML models from GPU electromagnetic emissions at roughly six meters with reported 97.6% accuracy, citing an NDSS 2026 paper. (x.com)
A graphics chip can give away an artificial intelligence model’s design through faint radio-like emissions, according to an NDSS 2026 paper on a system called ModelSpy. (ndss-symposium.org) Those emissions are a side channel: information that leaks from how a machine works, not from the data it is supposed to share. The paper says ModelSpy reads far-field electromagnetic signals from graphics processing units during inference and uses them to reconstruct model architecture details. (ndss-symposium.org) The authors are Rui Xiao of Zhejiang University, Sibo Feng of Zhejiang University, Soundarya Ramesh of the National University of Singapore, Jun Han of the Korea Advanced Institute of Science and Technology, and Jinsong Han of Zhejiang University. NDSS lists the paper among its 2026 accepted papers, and the conference took place in San Diego from February 23 to 27, 2026. (ndss-symposium.org 1) (ndss-symposium.org 2) (ndss-symposium.org 3)

ModelSpy is aimed at the “black box” problem in artificial intelligence security, where outsiders can query a model but cannot see how it is built. The NDSS abstract says hidden architecture details matter because they can make adversarial attacks more effective once recovered. (ndss-symposium.org) The paper reports tests on five high-end consumer graphics processing units. It says the system reached 97.6% accuracy in layer segmentation, 94.0% in hyperparameter estimation, and worked at distances up to 6 meters, including through walls. (ndss-symposium.org)

The basic idea is that different neural-network layouts make a graphics chip work in different rhythms, and those rhythms change the strength of the chip’s electromagnetic output. The authors say they built a hierarchical reconstruction model and a transfer-learning method to map those noisy patterns back to architecture choices. (ndss-symposium.org)

A KAIST release said the team used a small portable antenna and proposed defenses alongside the attack. The release said those defenses included electromagnetic interference and computational obfuscation, which means deliberately making the workload harder to read from outside signals. (techxplore.com)

The same KAIST release said the paper received an NDSS 2026 Distinguished Paper Award. NDSS’s public paper page confirms the paper and its claims, but the award detail appears in the university release rather than on the abstract page. (techxplore.com) (ndss-symposium.org)

The result is a reminder that protecting an artificial intelligence system is not only about passwords, application programming interfaces, or malware. In this case, the paper argues, the computation itself can leak enough physical evidence to help an outsider sketch the model inside. (ndss-symposium.org)
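The "different rhythms" mechanism and the two defenses named in the KAIST release, as an added toy simulation written for this summary. It is not ModelSpy's code, data or reconstruction model: the per-layer intensities, the six-layer model, the change-point detector, the noise level used to stand in for electromagnetic interference and the dummy-work heuristic used to stand in for computational obfuscation are all constructed assumptions. The point it shows is why the defenses work: a clean emission envelope is a staircase whose steps mark layer boundaries and whose step widths scale with layer size, added noise buries the steps, and inserted dummy work makes the visible staircase describe a model that does not exist.

```python
"""Toy simulation of a workload-dependent emission envelope and two defenses.

Constructed example, not ModelSpy's code, data or method.  Assumption: each
layer type drives the GPU at a characteristic intensity, so the emission
envelope over time looks like a staircase whose steps mark layer boundaries
and whose step widths scale with layer size.  A simple change-point detector
recovers that staircase from a clean trace; added noise (electromagnetic
interference) and inserted dummy work (computational obfuscation) break
the recovery in different ways.
"""
import random

# Relative emission intensity per layer type (constructed values).
INTENSITY = {"conv": 0.9, "attention": 0.7, "dense": 0.5, "pool": 0.2}


def model_schedule():
    """A constructed six-layer model as (name, intensity, time steps)."""
    layers = [("conv", 40), ("pool", 25), ("conv", 35),
              ("attention", 50), ("dense", 30), ("pool", 20)]
    return [(name, INTENSITY[name], steps) for name, steps in layers]


def true_boundaries(schedule):
    """Time steps at which one layer hands over to the next."""
    edges, t = [], 0
    for _, _, steps in schedule[:-1]:
        t += steps
        edges.append(t)
    return edges


def synth_trace(schedule, noise_sd, seed=0):
    """Emission envelope: each layer's intensity plus Gaussian noise.
    A large noise_sd stands in for deliberate EM interference."""
    rng = random.Random(seed)
    return [level + rng.gauss(0.0, noise_sd)
            for _, level, steps in schedule for _ in range(steps)]


def segment(trace, window=10, threshold=0.1):
    """Change-point detector: flag every position where the mean of the next
    `window` samples differs from the mean of the previous `window` by more
    than `threshold`, then report the strongest position of each flagged run."""
    boundaries, run = [], []
    for i in range(window, len(trace) - window + 1):
        left = sum(trace[i - window:i]) / window
        right = sum(trace[i:i + window]) / window
        d = abs(right - left)
        if d > threshold:
            run.append((d, i))
        elif run:
            boundaries.append(max(run)[1])
            run = []
    if run:
        boundaries.append(max(run)[1])
    return boundaries


def score(found, truth, tol=2):
    """(precision, recall) of detected boundaries against the true ones;
    a detection counts as correct if it lands within `tol` steps."""
    def near(a, b):
        return abs(a - b) <= tol
    recall = sum(any(near(f, t) for f in found) for t in truth) / len(truth)
    precision = sum(any(near(f, t) for t in truth) for f in found) / max(len(found), 1)
    return precision, recall


def obfuscate(schedule, seed=1):
    """Computational obfuscation modelled as dummy work: put a filler segment
    of random length and intensity before every layer and stretch each layer
    by a random amount, so neither the layer count nor the layer widths
    visible in the trace correspond to the real model."""
    rng = random.Random(seed)
    out, prev = [], None
    for name, level, steps in schedule:
        # The filler's intensity must differ from both neighbours so that
        # the detector reads it as a layer of its own.
        choices = [x for x in (0.0, 0.3, 0.6, 1.0, 1.2)
                   if abs(x - level) >= 0.19 and (prev is None or abs(x - prev) >= 0.19)]
        out.append(("dummy", rng.choice(choices), rng.randint(20, 40)))
        out.append((name, level, steps + rng.randint(0, 20)))
        prev = level
    return out


if __name__ == "__main__":
    model = model_schedule()
    truth = true_boundaries(model)
    for label, trace in [("clean", synth_trace(model, 0.01)),
                         ("interference", synth_trace(model, 0.5))]:
        print(label, "precision/recall:", score(segment(trace), truth))
    found = segment(synth_trace(obfuscate(model), 0.01))
    print("obfuscated: real layers", len(model), "apparent layers", len(found) + 1)
```

Running the script segments the clean trace perfectly, loses most of the boundaries once the noise is raised, and on the obfuscated trace finds about twice as many apparent layers as the model really has. The two defenses degrade the observer in different ways: interference lowers the signal-to-noise ratio of every step, while obfuscation leaves clean steps in place but decouples them from the real architecture, which is the property the paper's reconstruction model would need to undo.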