Paper finds 6 of 7 edge accelerators vulnerable
- Purdue University researchers posted an arXiv paper on May 18 saying six of seven tested edge AI accelerators could be abused in confused-deputy attacks.
- The paper said the issue spans accelerators from Google, NVIDIA, Hailo, Texas Instruments, NXP, AWS and Rockchip, affecting 128-plus SoCs and 100 million devices.
- CVE-2025-66425 has been assigned, and the paper says vendors acknowledged the findings while defenses are evaluated.
Purdue University researchers said this week that six of seven tested edge AI accelerators from major vendors could be used in what they describe as “confused deputy” attacks, a hardware-assisted path to privileged memory access on embedded devices. The paper, posted to arXiv on May 18, examined accelerators from Google, NVIDIA, Hailo, Texas Instruments, NXP, AWS and Rockchip. The authors said the flaw class could affect more than 128 system-on-chips and more than 100 million devices, including industrial and consumer products that rely on on-device AI. The work has been assigned CVE-2025-66425, according to the paper.

### What exactly did the paper say was vulnerable?

The arXiv paper, titled *Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators*, said six of the seven accelerators it tested were susceptible to confused-deputy attacks, or CDAs. The authors wrote that AI accelerators on edge and embedded devices are often not bound by operating-system restrictions and have limited visibility into the security boundaries enforced by the main application processor. (arxiv.org)

A confused-deputy attack, in the paper’s framing, means a malicious application can trick an accelerator into carrying out privileged operations on its behalf. The researchers said that semantic gap between the accelerator and the operating system creates the opening.

### Which companies and products are implicated?

The paper named Google, NVIDIA, Hailo, Texas Instruments, NXP, AWS and Rockchip as the vendors whose accelerators were examined. (arxiv.org) The abstract does not identify which single accelerator resisted the attack class, but it says six of the seven were vulnerable. Google markets TPUs for AI workloads, AWS sells Inferentia chips for inference, and NVIDIA’s Jetson line is widely used in edge systems, illustrating the range of vendors involved, from cloud-designed silicon to embedded platforms.
(arxiv.org) The paper’s claim is about the tested accelerators and downstream SoCs, not every product each company sells.

### How big is the device footprint?

The authors said the attack path could affect “over 128 System On Chips (SOCs) and over 100 million devices.” They did not provide that full device list on the abstract page surfaced on arXiv, but they described the exposure as extending across edge and embedded deployments. (arxiv.org)

Aravind Machiry, one of the paper’s authors, says on his Purdue lab page that his research includes “Security threats from AI Accelerators,” placing the work in a broader line of hardware-security research rather than a one-off result. (cloud.google.com) Datta Manikanta Sri Hari Danduri is listed through Purdue’s CERIAS security center.

### What method did the researchers use?

The paper said the researchers built a framework called DeputyHunt, described as an LLM-assisted system that combines dynamic and static analysis to extract information relevant to confused-deputy attacks on a given accelerator. (arxiv.org) They then used that information to test seven accelerators from the named vendors. The authors also proposed an “on-demand validation” defense. (machiry.github.io) In tests on the Gem5-salam simulator, they said, that defense added about 15% runtime overhead.

### Why does this matter for edge devices?

The paper said the findings point to “critical security risks” for system security because edge AI accelerators are increasingly deployed in embedded products for on-device inference. Those products can sit inside industrial equipment, cameras, robotics systems and consumer devices, where accelerators interact closely with memory and other privileged resources. (arxiv.org) The authors said vendors had acknowledged the work, and the CVE record exists, but the public CVE entry did not yet carry full vulnerability details as of May 20. (arxiv.org)

### What happens next?
CVE-2025-66425 is the identifier to watch for fuller public disclosure, and vendor advisories are the next place to look for product-specific mitigations or firmware updates. As of May 20, the arXiv paper remains the primary public source laying out the scope, tested vendors and proposed defense. (arxiv.org) (cve.org)
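The confused-deputy pattern the paper describes, and the kind of boundary check a validation defense has to supply, modelled as an added example in C that is not the paper's DeputyHunt or on-demand validation code: a hypothetical driver checks each DMA job an unprivileged app submits against the buffers that app registered, because the accelerator itself cannot tell those buffers apart from other memory. The region layout, job format and the `validate_job` and `range_allowed` names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a driver that forwards DMA jobs from an unprivileged
 * app to an accelerator. The accelerator works on bus addresses with its own
 * privileged access and has no notion of which process owns which buffer, so
 * the driver is the only place the boundary can be enforced. */

typedef struct { uint64_t base; uint64_t len; } region_t;  /* buffer the app registered */
typedef struct { uint64_t src, dst, len; } dma_job_t;       /* job as submitted by the app */

/* True if [addr, addr+len) lies wholly inside one registered region.
 * The wrap-around test matters: a huge len would otherwise make addr+len
 * small and slip past the upper-bound comparison. */
static bool range_allowed(const region_t *regs, size_t n, uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;
    for (size_t i = 0; i < n; i++) {
        if (addr >= regs[i].base && addr + len <= regs[i].base + regs[i].len) return true;
    }
    return false;
}

/* Confused-deputy guard: both ends of the transfer must be inside memory the
 * submitting process registered. Returns 0 when the job may be queued,
 * -1 if the source is out of bounds, -2 if the destination is. */
int validate_job(const region_t *regs, size_t n, const dma_job_t *job) {
    if (!range_allowed(regs, n, job->src, job->len)) return -1;
    if (!range_allowed(regs, n, job->dst, job->len)) return -2;
    return 0;
}

int main(void) {
    /* Constructed sample: the app owns one 4 KiB buffer at 0x10000000. */
    region_t regs[] = { { 0x10000000, 0x1000 } };
    dma_job_t ok   = { 0x10000000, 0x10000800, 0x800 };      /* copy within the buffer */
    dma_job_t bad  = { 0x10000000, 0x20000000, 0x800 };      /* destination outside it */
    dma_job_t wrap = { 0x10000000, 0x10000000, UINT64_MAX }; /* length overflow attempt */
    printf("ok=%d bad=%d wrap=%d\n", validate_job(regs, 1, &ok),
           validate_job(regs, 1, &bad), validate_job(regs, 1, &wrap));
    return 0;
}
```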