
Modern GPUs vulnerable to new GPU.zip side-channel attack

Joined
Jan 5, 2006
Messages
17,475 (2.64/day)
System Name AlderLake / Laptop
Processor Intel i7 12700K P-Cores @ 5Ghz / Intel i3 7100U
Motherboard Gigabyte Z690 Aorus Master / HP 83A3 (U3E1)
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MHz CL36 / 8GB DDR4 HyperX CL13
Video Card(s) MSI RTX 2070 Super Gaming X Trio / Intel HD620
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy
Case Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply Seasonic Focus Plus Gold 750W / Powerbrick
Mouse Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard RAPOO E9270P Black 5GHz wireless / HP backlit
Software Windows 11 / Windows 10
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock
Researchers from four American universities have developed a new GPU side-channel attack that leverages data compression to leak sensitive visual data from modern graphics cards when visiting web pages.

The researchers have demonstrated the effectiveness of this 'GPU.zip' attack by performing cross-origin SVG filter pixel-stealing attacks through the Chrome browser.

The researchers disclosed the vulnerability to impacted video card manufacturers in March 2023. However, as of September 2023, no affected GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) or Google (Chrome) have rolled out patches to address the problem.

The new flaw is outlined in a paper from researchers at the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign and will appear in the 45th IEEE Symposium on Security and Privacy.


GPU.zip severity

GPU.zip impacts almost all major GPU manufacturers, including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA, but not all cards are equally affected.

The fact that none of the impacted vendors have decided to fix the issue by optimizing their data compression approach and limiting its operation to non-sensitive cases further raises the risk.

Although GPU.zip potentially impacts the vast majority of laptops, smartphones, tablets, and desktop PCs worldwide, the immediate impact on users is moderated by the complexity and time required to perform the attack.

Also, websites that deny cross-origin iframe embedding cannot be used for leaking user data through this or similar side-channel attacks.

"Most sensitive websites already deny being embedded by cross-origin websites. As a result, they are not vulnerable to the pixel stealing attack we mounted using GPU.zip," explain the researchers in a FAQ on the team's website.

Finally, the researchers note that Firefox and Safari do not meet all the criteria needed for GPU.zip to work, such as allowing cross-origin iframes to be loaded with cookies, rendering SVG filters on iframes, and delegating rendering tasks to the GPU.


Update 9/28 - An Intel spokesperson has sent BleepingComputer the following comment regarding the GPU.zip risk and its impact on the firm's products:

While Intel hasn't had access to the researcher’s full paper, we assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third party software.
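
Added example, not part of the original post or the researchers' material: the article notes that sites which deny cross-origin iframe embedding cannot be targeted this way, so the sketch below classifies a response's framing policy from its `Content-Security-Policy` (`frame-ancestors`) and `X-Frame-Options` headers. The function names and sample headers are constructed for illustration, and a single `X-Frame-Options` value is assumed.

```javascript
// Strictness order used when several CSP policies are present (all must allow).
const RANK = { any: 0, allowlist: 1, "same-origin": 2, deny: 3 };

// Collect the frame-ancestors source list of every enforced CSP policy.
function frameAncestorsLists(cspValues) {
  const lists = [];
  for (const policy of cspValues.flatMap((v) => v.split(","))) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === "frame-ancestors") {
        lists.push(sources.map((s) => s.toLowerCase()));
        break; // only the first frame-ancestors in a policy counts
      }
    }
  }
  return lists;
}

// Map one source list to a coarse class (simplified: no host wildcard matching).
function classifyList(sources) {
  if (sources.length === 0) return "deny";
  if (sources.length === 1 && sources[0] === "'none'") return "deny";
  if (sources.some((s) => s === "*" || /^https?:$/.test(s))) return "any";
  if (sources.every((s) => s === "'self'")) return "same-origin";
  return "allowlist";
}

// headers: object of header name -> string or array of strings.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = [].concat(v);
  const lists = frameAncestorsLists(h["content-security-policy"] || []);
  if (lists.length > 0) {
    // frame-ancestors takes precedence over X-Frame-Options when both are sent.
    return lists.map(classifyList).reduce((a, b) => (RANK[b] > RANK[a] ? b : a));
  }
  const xfo = ((h["x-frame-options"] || [])[0] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "any"; // header missing, invalid, or the obsolete ALLOW-FROM form
}

// True when no cross-origin page may embed the response in a frame.
function deniesCrossOriginFraming(headers) {
  const policy = framingPolicy(headers);
  return policy === "deny" || policy === "same-origin";
}
```

An "allowlist" result still permits embedding by the listed origins, so it is reported separately from the two classes that block every cross-origin embedder.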


 
Joined
Nov 26, 2021
Messages
1,295 (1.58/day)
Location
Mississauga, Canada
Processor Ryzen 7 5700X
Motherboard ASUS TUF Gaming X570-PRO (WiFi 6)
Cooling Noctua NH-C14S (two fans)
Memory 2x16GB DDR4 3200
Video Card(s) Reference Vega 64
Storage Intel 665p 1TB, WD Black SN850X 2TB, Crucial MX300 1TB SATA, Samsung 830 256 GB SATA
Display(s) Nixeus NX-EDG27, and Samsung S23A700
Case Fractal Design R5
Power Supply Seasonic PRIME TITANIUM 850W
Mouse Logitech
VR HMD Oculus Rift
Software Windows 11 Pro, and Ubuntu 20.04
So there's a simple fix: don't use Chrome.
 
Joined
Aug 20, 2007
Messages
20,587 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
So there's a simple fix: don't use Chrome.
That won't protect you any. A more simple fix would be don't have anything on your screen you aren't ready to share. Realistically, you are more likely to have Discord or whatever accidentally launch a screen sharing session than for this to bite you. Or have your mom walk in.
 
Joined
Dec 29, 2010
Messages
3,409 (0.71/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1000 P2
Mouse Logitech G600
Keyboard Corsair K95
That won't protect you any. A more simple fix would be don't have anything on your screen you aren't ready to share. Realistically, you are more likely to have Discord or whatever accidentally launch a screen sharing session than for this to bite you. Or have your mom walk in.
So I shouldn't keep my passwords.txt on the desktop whilst using Chrome?
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,674 (3.80/day)
Location
Alabama
System Name Rocinante
Processor I9 13900ks
Motherboard EVGA z690 Dark KINGPIN
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
So I shouldn't keep my passwords.txt on the desktop whilst using Chrome?
That’s fine. They will just see the title. Just don’t open it.

Best to make up your own cypher using the unknown Pokémon and write your passwords encoded so when you do have passwords.txt open you can look at your notebook and decode them.
 
Joined
Aug 20, 2007
Messages
20,587 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
So I shouldn't keep my passwords.txt on the desktop whilst using Chrome?
You shouldn't open it when using any browser in a situation where...

No. Just delete that right now, you savage. Use a password manager with local hosting.
 
Joined
Dec 29, 2010
Messages
3,409 (0.71/day)
Processor AMD 5900x
Motherboard Asus x570 Strix-E
Cooling Hardware Labs
Memory G.Skill 4000c17 2x16gb
Video Card(s) RTX 3090
Storage Sabrent
Display(s) Samsung G9
Case Phanteks 719
Audio Device(s) Fiio K5 Pro
Power Supply EVGA 1000 P2
Mouse Logitech G600
Keyboard Corsair K95
But but but...
 