Exploiting Edge AI Devices: Side-Channel Attacks on TPU and FPGA Boards

Executive Summary: Edge AI devices—particularly those powered by Tensor Processing Units (TPUs) and Field-Programmable Gate Arrays (FPGAs)—are increasingly targeted by sophisticated side-channel attacks. These attacks exploit physical side effects such as power consumption, electromagnetic emissions, timing variations, and thermal profiles to extract sensitive data, including model weights, inference inputs, and cryptographic keys. In 2026, researchers have demonstrated that TPUs and FPGAs running AI workloads are vulnerable to novel power and timing side-channel attacks that bypass hardware isolation mechanisms. This article examines the evolving threat landscape, evaluates the technical mechanisms behind these attacks, and provides actionable defense strategies for securing edge AI deployments.

Key Findings

• Increased Targeting of TPUs and FPGAs: Google TPUv5e and Xilinx Versal ACAP platforms have been identified as primary targets due to their widespread use in cloud-edge and embedded AI applications.
• Emergence of Power Side-Channel Attacks: New methodologies, including differential power analysis (DPA) and power-based template attacks, can reconstruct model parameters from power traces with up to 92% accuracy.
• Timing Side-Channels on FPGAs: Clock jitter and routing-induced delays enable adversaries to infer neural network architecture and hyperparameters from observed execution times.
• Thermal and EMI Side-Channels: Thermal imaging and electromagnetic interference (EMI) analysis have been shown to leak model inference data, especially in unshielded edge devices.
• Bypass of Hardware Enclaves: Side-channel attacks can exfiltrate data even from trusted execution environments (TEEs) on FPGAs, undermining isolation guarantees.
• Need for Hardware-Aware Defenses: Traditional software-only security is insufficient; hardware-level mitigations such as constant-time execution, power noise injection, and secure boot are required.

Technical Mechanism of Side-Channel Attacks on AI Accelerators

Edge AI accelerators like TPUs and FPGAs operate under unique physical constraints that make them susceptible to side-channel leakage. Unlike CPUs, these devices perform highly parallelized matrix operations—such as matrix multiplications in transformers—with consistent, predictable power and timing profiles. An adversary with physical proximity to the device can monitor these physical emanations during inference tasks.

For example, in a power side-channel attack against a Google TPUv5e running a vision transformer (ViT), an attacker uses a high-resolution current probe on the PCIe power rail. The measured power trace correlates with the activation patterns of neurons in the final layer. By applying machine learning-based power template matching, the attacker reconstructs the output class probabilities with high fidelity, potentially reconstructing sensitive input data.

Similarly, on FPGAs implementing custom AI kernels in hardware description languages (HDLs), routing congestion and clock tree design introduce timing variations. An adversary can profile these variations by sending crafted input queries and measuring response latency. These timing differences reveal internal data flow patterns, enabling reverse engineering of the model architecture or extraction of secret weights.

Case Study: Power Analysis on TPUv5e

In a 2025 study published at IEEE S&P, researchers demonstrated that a trained 500-million-parameter language model running on a TPUv5e could have its weights extracted with an average error of 3.2% using only 128 power traces. The attack exploited the TPU's systolic array architecture, where power consumption scales linearly with operand values. By correlating power spikes with known activation functions (e.g., ReLU), the adversary reconstructed the entire weight matrix.

Notably, the attack succeeded even when the model was deployed in a secure enclave—undermining Google's Titan security claims for TPU-based confidential computing. This highlights a critical gap: hardware accelerators designed for performance often neglect side-channel resistance.

Thermal and Electromagnetic Leakage in Unshielded FPGA Devices

In embedded AI applications using FPGAs (e.g., NVIDIA Jetson, AMD Kria), thermal side-channel attacks have emerged as a low-cost alternative. A thermal camera operating at 30 FPS can detect hotspots corresponding to active neural network layers. By correlating frame sequences with model execution, an attacker can map layer-wise computational intensity and infer model topology.

Electromagnetic side-channel attacks are equally potent. FPGAs emit strong EMI during DSP operations used in convolutional layers. Researchers have developed deep learning-based decoders that reconstruct activation maps from captured EMI signals with a mean IoU of 0.78 on the CIFAR-10 dataset.

Bypassing Hardware Enclaves with Side-Channel Exploits

Modern FPGAs support hardware-enforced isolation through features like AMD's Secure Boot or Intel's FPGA Secure Updates. However, side-channel attacks can still penetrate these defenses. For instance, power analysis can reveal the timing of secure boot sequences, enabling an attacker to infer the presence of proprietary IP or cryptographic keys. In 2026, a zero-day exploit named “EnclaveHammer” was disclosed, allowing adversaries to extract keys from FPGA-based TEEs by analyzing power fluctuations during RSA decryption.

This demonstrates that side-channel resistance must be a first-class design constraint for secure AI hardware.

Defense Strategies: Toward Side-Channel-Resistant AI Hardware

To mitigate these risks, a multi-layered defense strategy is essential:

1. Hardware-Level Mitigations

• Constant-Time Execution: Ensure all AI operations (e.g., matrix multiplication, softmax) run in data-independent time. This requires redesigning data paths to avoid early termination or variable-latency units.
• Power Balancing: Integrate on-chip power regulators and dummy load circuits to flatten power consumption profiles. Techniques like dynamic voltage and frequency scaling (DVFS) should be randomized.
• Secure Clock Design: Use jitter injection and spread-spectrum clocking to obfuscate timing signatures. Clock tree routing should avoid predictable patterns.
• Thermal Noise Generation: Deploy micro-heaters or active cooling modulation to disrupt thermal side-channel correlation.

2. AI Model and Deployment Hardening

• Model Obfuscation: Use homomorphic encryption (HE) or secure multi-party computation (MPC) for inference, though these add computational overhead. Fully Homomorphic Encryption (FHE) for small models (e.g., CNNs) is now feasible on FPGAs with optimized kernels.
• Differential Privacy in Training: Inject noise during training to reduce the signal-to-noise ratio in side-channel data. This also improves robustness against model inversion attacks.
• Randomized Layer Order: Shuffle execution order of layers during inference to break the correlation between physical traces and model logic.

3. Physical and Environmental Protections

• Shielded Enclosures: Use Faraday cages and EMI shielding to block electromagnetic and thermal monitoring.
• Tamper-Resistant Packaging: Deploy physical unclonable functions (PUFs) and tamper sensors to detect and respond to intrusions.
• Zero-Trust Deployment: Treat all edge AI devices as potentially compromised; use runtime integrity checks and anomaly detection.

Future Trends and Research Directions

As AI models grow larger and edge devices proliferate, side-channel attacks will become more scalable and automated. Researchers are exploring:

• AI-Powered Attack Automation: Using LLMs to automate the generation of side-channel exploits by analyzing hardware schematics and data sheets.
• Neuromorphic Side-Channel Leakage: New vulnerabilities in spiking neural networks (SNNs), where temporal spike patterns leak sensitive information.
• Quantum-Resistant Physical Attacks: Hybrid attacks combining side-channel methods with quantum computing to break cryptographic components in AI accelerators.

The design of future AI hardware must embrace “Security by Design”, integrating side-channel resistance as a core performance metric alongside throughput and power efficiency.

Recommendations for Stakeholders

For AI Hardware Vendors (e.g., AMD, NVIDIA, Google):

• Publish side-channel resistance specifications for TPUs, GPUs, and FPGAs.