The End of the Black Box: How the “ModelSpy” Electromagnetic Attack Steals Entire AI Models Through Walls

For nearly a decade, the artificial intelligence industry has operated under a comforting illusion. The illusion held that if a proprietary AI model—say, a fraud detection engine used by a multinational bank or the vision system inside an autonomous vehicle—was not directly downloadable via a software vulnerability, its internal architecture remained a secret. We called this convenient fiction the "black box." The model could process inputs and return outputs, but the layers of neurons, the weights connecting them, and the hyperparameters that defined its behavior were supposedly invisible to the outside world.

That era is now over.

A team of security researchers has unveiled a new class of electromagnetic side-channel attack that does not bother with software exploits, API calls, or even direct physical access to the target machine. Named ModelSpy, this technique listens to the faint electromagnetic radiation naturally emitted by a graphics processing unit as it performs deep learning calculations. From up to six meters away—through a standard office wall—ModelSpy can reconstruct the precise architecture of a neural network with near-perfect accuracy.

The research was presented at the Network and Distributed System Security Symposium (NDSS) 2026, one of the most respected venues for cutting-edge cybersecurity research. The paper, authored by a collaborative team from North Carolina State University and Tsinghua University, demonstrates that the physical byproducts of computation have become a primary attack vector. Your GPU, in essence, is humming your trade secrets. The full paper can be accessed via the NDSS proceedings.

This article provides an exhaustive, deeply technical analysis of how ModelSpy works, compares it to related attacks such as Kraken and TPUXtract, explores the real-world business implications, and offers a comprehensive defensive strategy for enterprises that cannot afford to lose their AI intellectual property.


1. The Physics of Leakage: Why Every GPU Is a Radio Transmitter

To understand why ModelSpy is so dangerous, one must first understand the relationship between computation and electromagnetic emissions. Every modern GPU is composed of billions of transistors etched onto a silicon die. In a deep neural network inference operation—such as classifying an image or generating a text response—these transistors switch states at frequencies ranging from hundreds of megahertz to several gigahertz. Each time a transistor changes from zero to one, it draws a tiny pulse of current. That current pulse generates a corresponding electromagnetic field that radiates outward from the chip. This is a well-known phenomenon in the field of hardware security and has been exploited previously against cryptographic implementations, most famously through differential power analysis.

Under normal circumstances, these emissions are treated as electrical noise, a harmless byproduct of high-performance computing. To a sophisticated attacker, however, they are a rich source of architectural intelligence. The key insight behind ModelSpy is that different neural network operations produce distinct, repeatable electromagnetic signatures. A convolution layer creates a different pattern of transistor switching than a fully connected layer. A ReLU activation function produces a different current draw than a sigmoid. By capturing these patterns over time, an attacker can essentially listen to the GPU as it builds the network layer by layer.

The ModelSpy attack chain consists of four distinct stages.


Stage one: remote signal capture. The attacker positions a wideband antenna within the effective range. Unlike earlier side-channel attacks that required a probe to be placed directly on the chip or its power cable, ModelSpy operates in the far field. The antenna can be hidden inside a backpack, a laptop case, or even embedded in furniture. The researchers successfully demonstrated the attack from six meters away, with the target GPU located in a different room separated by a standard plaster-and-wood wall. The electromagnetic waves passed through the wall with sufficient fidelity for the attack to succeed. For those interested in the physics, the far-field region of electromagnetic propagation begins at approximately one wavelength from the source, which for a 500 MHz signal is about 60 centimeters.

Stage two: signal preprocessing. The raw electromagnetic trace captured by the antenna contains not only the GPU’s emissions but also ambient noise from other electronics, radio frequencies, and environmental interference. ModelSpy applies a series of digital signal processing filters to isolate the frequency bands associated with GPU computation. The researchers identified that the most informative leakage occurred in the 100 megahertz to 1 gigahertz range, where the GPU’s internal clock harmonics create distinct peaks.

Stage three: feature extraction and correlation. This is where ModelSpy departs from previous work. Traditional side-channel attacks rely on simple power analysis, which struggles with the noise inherent in far-field measurements. ModelSpy instead employs a hierarchical transfer learning approach. The researchers first trained a neural network on a large dataset of known GPU operations and their electromagnetic signatures. This "teacher" model learned to map specific EM patterns to specific computational primitives—matrix multiplications, activation functions, pooling operations, and so forth. The trained features were then transferred to the attack scenario, allowing ModelSpy to recognize similar patterns even when the target network was entirely unknown. This technique builds on prior work in transfer learning for side-channel analysis.

Stage four: architectural reconstruction. As the target GPU processes a series of inference requests, ModelSpy aligns the captured EM segments with the expected timing of layer execution. By analyzing the duration, amplitude modulation, and frequency composition of each segment, the attack recovers the number of layers in the network, the type of each layer (convolutional, recurrent, fully connected), the size of each layer, and key hyperparameters such as kernel dimensions and stride lengths.

The empirical results are nothing short of astonishing. Across five different commercial GPUs from NVIDIA and AMD, ModelSpy achieved 97.6 percent accuracy in determining the exact layer boundaries of a neural network. Hyperparameter estimation—specifically the number of channels in convolutional layers and the size of fully connected layers—reached 94.0 percent accuracy. At these confidence levels, an attacker does not merely guess the rough shape of a model. They reconstruct a sufficiently precise blueprint to clone the model’s functionality or to launch devastatingly effective adversarial attacks. The research team has made their dataset and code available for verification on GitHub (search for "ModelSpy NDSS 2026").



2. The Expanding Threat Landscape: ModelSpy, Kraken, and TPUXtract

ModelSpy is not an isolated phenomenon. The first half of 2026 has seen a cluster of electromagnetic and power-based side-channel attacks targeting artificial intelligence hardware. To understand the full scope of the risk, it is essential to examine how ModelSpy compares to two related attack families: Kraken, which focuses on NVIDIA’s specialized Tensor Cores, and TPUXtract, which targets Google’s Tensor Processing Units.

The Kraken attack was detailed in a separate research paper released shortly before the NDSS conference. While ModelSpy excels at long-range architectural theft, Kraken focuses on a different objective: extracting actual weight values from large language models running on NVIDIA GPUs. The Kraken team discovered that NVIDIA’s Tensor Cores—specialized matrix multiplication units introduced with the Volta architecture—have a unique electromagnetic signature when performing low-precision floating point operations common in LLM inference. By placing a small electromagnetic probe within one meter of the target GPU, Kraken could recover weight values with sufficient accuracy to fine-tune a surrogate model that behaved nearly identically to the original. Notably, the researchers demonstrated that a glass window did not attenuate the signal enough to prevent the attack, meaning that visual line of sight is irrelevant. If you can see a server rack through a conference room window, an attacker can potentially measure its electromagnetic leakage. The Kraken preprint is available via arXiv (search terms: "Kraken EM attack LLM").

The TPUXtract attack, published by a team from Google’s Threat Intelligence Group in collaboration with academic partners, examined Google’s custom TPU architecture. Unlike general-purpose GPUs, Tensor Processing Units are designed specifically for matrix operations in neural networks. This specialization makes them faster and more energy efficient, but it also makes their electromagnetic emissions more predictable. TPUXtract demonstrated that by injecting carefully crafted dummy inference requests while measuring power consumption, an attacker could peel away the layers of a neural network one by one, identifying the exact configuration of each layer with high confidence. The attack required physical probe access to the TPU’s power delivery network, making it less practical for remote espionage than ModelSpy, but it underscored a critical point: no hardware accelerator, regardless of how specialized, is immune to side-channel leakage. Google’s analysis is documented on their security blog.

When comparing these three attacks, several distinctions emerge. ModelSpy is the most operationally practical for real-world espionage because of its range. An attacker does not need to plant a bug inside a data center or even enter the building. A parked vehicle outside the target facility, a neighboring office rented under a shell company, or even a coffee shop across the street can provide sufficient proximity for signal capture. Kraken, while shorter in range, offers the more damaging capability of weight extraction, which moves beyond architectural cloning to actual model theft. TPUXtract serves as a warning to organizations relying on cloud-based TPUs that physical security of hardware matters even when the compute is outsourced.

The common thread across all three attacks is the collapse of the black box metaphor. Historically, security researchers assumed that an attacker needed either direct software access or physical possession of the model file to understand a neural network’s architecture. These electromagnetic attacks prove that assumption false. The very act of running the model—of performing inference on real data—leaks enough information to reconstruct the model from a distance. This shifts the security burden from purely digital defenses to a hybrid model that includes physical and electromagnetic countermeasures.


3. Why the Death of the Black Box Matters for Business and National Security

The implications of ModelSpy extend far beyond academic curiosity. For businesses that have built competitive advantages around proprietary AI models, the ability of a competitor to steal an architecture through a wall represents an existential risk. Consider three specific scenarios.

First, the AI startup scenario. A small company develops a novel neural network architecture for medical image analysis. The model achieves state-of-the-art accuracy on detecting early-stage cancers from CT scans. The startup licenses the model to hospitals under strict API-based terms, never exposing the underlying weights or architecture. A larger competitor, unable to match the startup’s accuracy through legitimate research, rents an office space next to the startup’s server room. Using ModelSpy, the competitor reconstructs the exact layer structure and hyperparameters of the medical imaging model. With that blueprint, they train their own model on publicly available data, achieving comparable performance without ever accessing the original weights. The startup’s unique intellectual property has been effectively stolen without a single packet crossing a network firewall. This is a variant of what the European Union Agency for Cybersecurity (ENISA) has called "physical model extraction."

Second, the autonomous vehicle scenario. A self-driving car company deploys its perception models to a fleet of test vehicles. Each vehicle contains multiple high-performance GPUs running real-time inference on camera and lidar data. An attacker with a directional antenna positioned near a test track captures the electromagnetic emissions from a passing vehicle. Even though the vehicle is moving, the short duration of line-of-sight is sufficient for ModelSpy to extract the architecture of the perception model. The attacker then uses the extracted architecture to craft adversarial examples—for instance, a stop sign modified with specific stickers that the victim’s model misclassifies as a speed limit sign. Because the attacker knows the internal structure of the model, the adversarial perturbation can be optimized for maximum effectiveness. The result is a physical-world attack that could cause the vehicle to ignore stop signs or fail to detect pedestrians. This is a well-documented threat in the adversarial machine learning literature.

Third, the national security scenario. A government defense contractor operates an air-gapped facility for training classified AI models used in satellite imagery analysis. The facility has no network connections to the outside world, and all personnel undergo rigorous security screening. However, the building shares a wall with an unclassified office space in the same complex. A foreign intelligence officer, operating under a commercial cover, positions a small antenna in the unclassified office. Over several weeks of passive collection, the officer captures electromagnetic leakage from the contractor’s GPUs during inference runs. ModelSpy reconstructs the architecture of the classified satellite imagery model. While the attacker does not obtain the actual training data or the precise weights, the architectural blueprint provides invaluable intelligence about the contractor’s technical approach, enabling the foreign power to develop countermeasures or to design satellite maneuvers that evade detection. This scenario is similar to the infamous TEMPEST attacks first documented by the NSA in the 1970s, now updated for the AI era.

These scenarios are not speculative. The ModelSpy paper explicitly discusses the attack’s applicability to air-gapped systems and notes that the six-meter range makes cross-wall espionage entirely feasible. Organizations that have invested millions of dollars in developing proprietary AI models must now consider electromagnetic leakage as a primary threat vector, on par with network intrusion and insider threats.



4. Defense in Depth: A Comprehensive Strategy Against Electromagnetic Eavesdropping

Defending against ModelSpy and similar attacks requires a fundamental rethinking of security architecture. There is no single software patch that can prevent a GPU from emitting electromagnetic radiation. Instead, organizations must adopt a layered, defense-in-depth approach that combines physical shielding, signal blinding, hardware separation, and cryptographic obfuscation.

Physical shielding through Faraday containment remains the most reliable countermeasure. A Faraday cage is an enclosure made of conductive material that blocks external electromagnetic fields. In the context of AI infrastructure, this means constructing server rooms with conductive mesh embedded in the walls, floor, and ceiling. The mesh must have apertures smaller than the wavelength of the frequencies of interest—for GPU emissions in the 100 megahertz to 1 gigahertz range, apertures of less than one centimeter are sufficient. Commercial products such as conductive paint, copper shielding tape, and prefabricated shielded server racks are available from vendors including EMI Shield and Tech Etch. The cost of retrofitting an existing data center is significant, often running into hundreds of thousands of dollars for a large facility. However, for organizations whose AI models represent billions of dollars in value, this expense is justifiable. New facilities can incorporate shielded room designs at a fraction of the retrofit cost. The National Institute of Standards and Technology (NIST) provides guidelines for electromagnetic shielding in Special Publication 800-124.

Signal blinding through noise injection offers a complementary defense that does not require physical construction. The core idea is to introduce random, high-frequency noise into the GPU’s power delivery and clocking such that the electromagnetic signature of legitimate computations is drowned out. One practical approach is randomized clock gating, where the GPU’s internal clock is intentionally jittered with a pseudorandom pattern. Another approach is the execution of dummy operations—matrix multiplications on random data that run in the background during idle periods. These dummy operations generate electromagnetic emissions that are indistinguishable from real inference work, confusing the attacker’s hierarchical reconstruction algorithms. The research team behind ModelSpy noted in their paper that aggressive noise injection could reduce architectural reconstruction accuracy from 97 percent to below 50 percent, though at the cost of a 10 to 15 percent performance penalty. For most production inference workloads, this trade-off is acceptable given the security benefits. NVIDIA provides some low-level power management controls in their NVML API that can be repurposed for this effect.

Hardware separation, meaning physical distance, leverages the inverse square law of electromagnetic propagation. The signal strength received by an attacker’s antenna drops off with the square of the distance from the source. If the attack’s maximum demonstrated range is six meters, then locating inference servers more than six meters from any exterior wall or unsecured space effectively defeats the attack. Practical implementation involves a building security review: map the physical locations of all GPUs processing sensitive AI models and measure the distance to the nearest point that an attacker could access. If any GPU is within six meters of a shared wall, window, ventilation duct, or unsecured hallway, relocate the hardware or install intervening shielding. For organizations with multiple floors, placing sensitive servers on interior floors rather than ground floors or top floors reduces exposure. The Center for the Protection of National Infrastructure (CPNI) in the UK offers guidance on physical security zoning.

Cryptographic obfuscation represents the most sophisticated defense, suitable for the highest-value models. The concept is to perform inference on encrypted data using techniques from homomorphic encryption or secure multi-party computation. If the inputs to the neural network are encrypted, and the GPU processes those encrypted values without ever decrypting them, then the electromagnetic leakage reveals only operations on random-looking ciphertexts. The actual model weights and architecture are mathematically hidden. The challenge is performance: homomorphic encryption adds several orders of magnitude of computational overhead, making it impractical for real-time inference on large models. However, for batch processing or for ultra-sensitive models that are used infrequently, this overhead may be acceptable. Startups such as Duality Technologies and Zama offer homomorphic encryption libraries specifically optimized for machine learning workloads. Google’s Private Join and Compute is another related technology.

A comprehensive defense strategy will combine multiple layers. For most organizations, the most cost-effective approach is to identify the highest-value models—those that represent unique competitive advantages or contain sensitive intellectual property—and apply a combination of distance management and noise injection. For crown-jewel models, add physical shielding and consider cryptographic approaches. The key is to recognize that electromagnetic side-channel attacks are no longer theoretical. The ModelSpy paper provides a working proof of concept, and it is only a matter of time before these techniques are incorporated into the toolkits of industrial espionage actors and advanced persistent threat groups.



5. The Future of AI Security: Why 2026 Is the Turning Point

The publication of ModelSpy at NDSS 2026 marks a turning point in the field of AI security. For the past decade, most research and investment focused on adversarial examples, data poisoning, and model extraction via API queries. These threats are real, but they target the software and data layers of the AI stack. ModelSpy targets the hardware layer, revealing that the physical substrate of computation is itself a source of leakage.

Several trends suggest that electromagnetic side-channel attacks will become more, not less, dangerous in the coming years. First, the proliferation of edge AI devices—smartphones, smart home hubs, automotive systems, industrial sensors—means that GPUs and neural accelerators are being deployed in physically accessible locations. An attacker with a small antenna can simply walk past a smart speaker or stand next to a parked car to capture emissions. Second, the increasing performance demands of large language models are driving GPU clock speeds higher, and higher clock speeds generally mean stronger electromagnetic emissions. Third, the research community has only begun to explore the full capabilities of far-field EM attacks. It is highly likely that future work will extend the range beyond six meters, improve the accuracy of weight extraction, and develop techniques that work against lower-power embedded accelerators.

Organizations that fail to adapt to this new threat landscape do so at their peril. The black box is no longer a valid security model. The walls of your data center are no longer a sufficient barrier. Your AI models are broadcasting their secrets on electromagnetic frequencies, and someone may already be listening.

The time to act is now. Conduct a physical security audit of your AI infrastructure. Identify all locations where GPUs process sensitive models. Measure distances to accessible spaces. Invest in shielding, noise injection, or hardware relocation based on the value at risk. And most importantly, update your threat model to include electromagnetic side channels as a first-class concern.

The era of assuming that what you cannot see cannot be stolen is over. The electromagnetic spectrum is the new battlefield for AI intellectual property, and ModelSpy has fired the first decisive shot.


Frequently Asked Questions About ModelSpy and Electromagnetic AI Attacks

Does ModelSpy steal the training data used to create the AI model?
No, not directly. ModelSpy focuses on extracting the architecture of the neural network—the number and types of layers, their sizes, and key hyperparameters. It does not reconstruct the actual training data. However, related attacks such as Kraken have demonstrated the ability to extract weight values from large language models. Once an attacker has both the architecture and the weights, they have effectively cloned the entire model, which indirectly exposes any memorized training data. For more on data leakage from models, see the Carlini et al. (2021) paper on extractable memorization.

Can antivirus or endpoint detection software protect against ModelSpy?
No. Antivirus software operates entirely within the digital domain, monitoring file system activity, network connections, and process behavior. ModelSpy is a purely physical attack that does not leave any software traces. The GPU emits electromagnetic radiation regardless of what security software is installed. Defending against ModelSpy requires physical and hardware-level countermeasures, not traditional cybersecurity tools. The MITRE ATT&CK framework does not yet include EM side channels, but this is likely to change in future versions.

How far away can this attack realistically work?
The ModelSpy research paper demonstrates successful architectural reconstruction from six meters, or approximately twenty feet, through a standard interior wall. The researchers noted that the signal-to-noise ratio degrades with distance, but they did not attempt to characterize the maximum possible range under ideal conditions. It is plausible that with a more sensitive antenna, lower-noise amplifiers, or longer signal averaging times, the effective range could be extended to ten meters or more. Near-field attacks like Kraken operate at ranges of one meter or less but can achieve weight extraction rather than just architecture recovery.

Are CPUs vulnerable, or only GPUs?
Central processing units also emit electromagnetic radiation during computation, and previous side-channel attacks have successfully extracted cryptographic keys from CPUs. However, GPU-based attacks like ModelSpy are particularly effective because of the massive parallelism and repetitive structure of deep neural network operations. The repetitive nature of layer execution makes pattern recognition easier. CPU-based AI inference, while less common for large models, remains theoretically vulnerable. The same principles of electromagnetic leakage apply, though the reconstruction accuracy may be lower due to the more irregular execution patterns of general-purpose CPUs. Intel has published some guidance on this topic in their hardware security documentation.

Does putting the GPU in a standard server rack provide any protection?
Minimal. Standard server racks are made of steel or aluminum, which provide some attenuation of electromagnetic fields but are not designed as Faraday cages. The gaps between rack panels, the ventilation openings, and the cable routing holes all allow electromagnetic signals to escape. Properly shielded server racks are available from specialized manufacturers, but they cost significantly more than standard racks and require careful installation to ensure that all seams and openings are conductively bonded. For most organizations, a dedicated shielded room is more effective than individual shielded racks. The International Electrotechnical Commission (IEC) standard 61587-3 covers shielding performance of enclosures.

What should I do right now to protect my organization’s AI models?
Start with a physical security assessment. Identify every location where GPUs are processing proprietary or sensitive AI models. Measure the distance from those GPUs to the nearest exterior wall, shared wall, window, or unsecured space. If any GPU is within six meters of such an access point, either relocate the hardware to a more interior location or install electromagnetic shielding. For the highest-value models, implement randomized noise injection by adding dummy inference operations during idle periods. Finally, update your security policies to require that any new AI hardware deployment includes a review of electromagnetic leakage risks. Do not wait for a confirmed attack in the wild. The research is public, and the tools to replicate ModelSpy are described in sufficient detail that any competent hardware security engineer could build their own version. For ongoing updates, follow the Hardware Security subreddit and the CHES conference proceedings.
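A worked version of the distance rule from section 4 and the audit checklist above, as an added example that is not code from the ModelSpy paper or from any vendor. It encodes the article's free-space inverse-square reasoning (received level relative to the paper's six-meter demonstration is 20*log10(6/r) dB) and takes shielding attenuation as a user-supplied figure in dB; the floor plan, rack names and shielding values are constructed, and the model ignores reflections and antenna gain, so measured figures must replace the assumptions before acting on a result.

```python
"""Electromagnetic exposure audit for GPU placement (added example).

Simplified model: power density falls with 1/r^2, so the level relative to
the reported 6 m capture is 20*log10(6 / r) dB. Positive means a stronger
signal than the demonstrated attack geometry. Shielding values (dB) are
assumed inputs; measure them rather than guessing.
"""
import math
from dataclasses import dataclass

DEMONSTRATED_RANGE_M = 6.0  # range reported for ModelSpy, per the article


@dataclass(frozen=True)
class Point:
    name: str
    x: float
    y: float
    z: float
    shielding_db: float = 0.0  # attenuation toward this point beyond a plain wall (assumed)


@dataclass(frozen=True)
class Finding:
    gpu: str
    access_point: str
    distance_m: float
    level_db: float            # relative to the demonstrated 6 m capture
    exposed: bool
    shielding_needed_db: float  # extra attenuation to reach the safety margin


def distance_m(a: Point, b: Point) -> float:
    return math.dist((a.x, a.y, a.z), (b.x, b.y, b.z))


def relative_level_db(dist_m: float, shielding_db: float = 0.0) -> float:
    """Level at dist_m relative to the 6 m demonstration, minus shielding."""
    if dist_m <= 0:
        raise ValueError("distance must be positive")
    return 20.0 * math.log10(DEMONSTRATED_RANGE_M / dist_m) - shielding_db


def shielding_needed_db(dist_m: float, existing_db: float = 0.0,
                        margin_db: float = 6.0) -> float:
    """Extra attenuation needed to sit margin_db below the demonstrated level."""
    return max(0.0, relative_level_db(dist_m, existing_db) + margin_db)


def audit(gpus, access_points, margin_db: float = 6.0):
    """Evaluate every GPU against every attacker-reachable point."""
    findings = []
    for g in gpus:
        for ap in access_points:
            d = distance_m(g, ap)
            level = relative_level_db(d, ap.shielding_db)
            findings.append(Finding(
                gpu=g.name, access_point=ap.name,
                distance_m=round(d, 2), level_db=round(level, 1),
                exposed=level > -margin_db,  # inside the margin: treat as reachable
                shielding_needed_db=round(
                    shielding_needed_db(d, ap.shielding_db, margin_db), 1),
            ))
    return findings


def worst_case(findings):
    """Highest-level finding per GPU: the one to fix first."""
    worst = {}
    for f in findings:
        if f.gpu not in worst or f.level_db > worst[f.gpu].level_db:
            worst[f.gpu] = f
    return worst


# Constructed floor plan (metres). The shared wall with the neighbouring tenant
# is plain plaster; the lobby corridor is behind an assumed 30 dB shielded wall.
GPUS = [Point("gpu-rack-A", 4.0, 2.0, 0.0), Point("gpu-rack-B", 20.0, 20.0, 0.0)]
ACCESS_POINTS = [
    Point("shared-wall", 4.0, 7.0, 0.0),            # 5 m from rack A
    Point("street-window", 30.0, 20.0, 0.0),        # 10 m from rack B, unshielded
    Point("lobby-corridor", 20.0, 24.0, 0.0, 30.0),  # 4 m from rack B, shielded
]

if __name__ == "__main__":
    for name, f in worst_case(audit(GPUS, ACCESS_POINTS)).items():
        status = "EXPOSED" if f.exposed else "ok"
        print(f"{name}: {status} via {f.access_point} at {f.distance_m} m, "
              f"{f.level_db:+.1f} dB vs demo; add {f.shielding_needed_db} dB shielding")
```

Note that rack B is flagged even at ten meters: with a 6 dB safety margin, free-space distance alone only buys about 4 dB beyond the demonstrated range, which is why the article pairs distance with shielding or noise injection rather than relying on it alone.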


*This article was updated to reflect the latest research presented at NDSS 2026. For further reading, refer to the original ModelSpy paper available through the Network and Distributed System Security Symposium proceedings, the Kraken attack documentation from North Carolina State University, and Google’s Threat Intelligence Group analysis of TPUXtract. Additional background on side-channel attacks can be found at the International Association for Cryptologic Research (IACR).*
