Side-Channel Attacks on AI Accelerators (TPUs/GPUs) via Power Side Effects: A 2026 Threat Landscape

Executive Summary: As AI workloads increasingly rely on specialized hardware accelerators like Tensor Processing Units (TPUs) and Graphics Processing Units (GPUs), new attack surfaces emerge. By 2026, power side-channel attacks targeting AI accelerators have evolved from theoretical risks to practical exploits, enabling adversaries to infer model architectures, hyperparameters, or even extract sensitive input data. This report synthesizes the latest research into power side-channel vulnerabilities in TPU/GPU-based AI systems, assesses real-world exploitability, and outlines defensive strategies for cloud, edge, and on-premise deployments. Our findings indicate that current hardware isolation and power regulation mechanisms are insufficient against sophisticated adversaries leveraging adaptive sampling, thermal noise modulation, and AI-driven signal processing.

Key Findings

Hardware Convergence = New Attack Surface: TPUs and GPUs share architectural traits—massive parallelism, high power density, and near-constant voltage regulation—that make them susceptible to power-based side-channel leakage.
AI Accelerators Are Not Isolated: Side-channel leakage scales with model size and compute intensity; large language models (LLMs) running on TPUs/GPUs emit measurable power profiles that correlate with inference steps and data patterns.
Adversarial Exploitation Pathways: Attackers can infer model architectures, detect hyperparameter tuning, or reconstruct private inputs—especially when models are deployed in multi-tenant cloud environments lacking physical security controls.
Defense-in-Depth Required: Traditional cryptographic obfuscation and software isolation are ineffective; hardware-level countermeasures such as dynamic voltage scaling, power noise injection, and secure enclaves for model execution are essential.
Regulatory and Compliance Gaps: Current AI governance frameworks (e.g., AI Act, NIST AI RMF) do not mandate side-channel-resistant hardware for AI deployments, leaving a critical security blind spot.

Background: The Rise of AI Accelerators and Their Hidden Leakage

Since 2023, AI accelerators—particularly Google’s TPU v4/v5 and NVIDIA’s H100/H200 GPUs—have become the backbone of large-scale machine learning. These devices are optimized for matrix multiplication and tensor operations, operating at high clock frequencies and power levels (up to 700W per GPU, 250W per TPU core). Unlike CPUs, their power consumption is tightly coupled to computational workloads, creating a rich source of side-channel information.

Power side-channel attacks exploit variations in current draw, voltage droop, and thermal profiles to infer internal state. Early demonstrations (e.g., 2020–2024) focused on CPUs and smartcards; however, by 2026, researchers at MIT, ETH Zurich, and Tsinghua University have shown that TPUs/GPUs exhibit amplified leakage due to their massive parallel execution and low-level hardware specialization.

Mechanisms of Power Side-Channel Leakage in AI Accelerators

Power side channels in AI accelerators arise from three primary mechanisms:

Instruction-Level Power Signatures: Different tensor operations (e.g., matmul, convolution, softmax) have distinct power footprints. A Transformer’s attention mechanism, for example, causes periodic spikes that can be detected at 100 kHz sampling rates using high-resolution power monitors.
Memory Access Patterns: Access to on-chip SRAM or HBM (High Bandwidth Memory) induces detectable voltage fluctuations. A model’s embedding layer or attention cache traversal can be reverse-engineered by analyzing power traces.
Thermal Feedback Loops: Accelerators use dynamic voltage and frequency scaling (DVFS) to manage heat. Adversaries can modulate input queries to trigger thermal throttling events, which in turn reveal model complexity or batch size.

Notably, Google’s 2025 security bulletin acknowledged that TPU v5e power rails could be monitored with off-the-shelf oscilloscopes and custom firmware, enabling extraction of inference graphs for deployed models.

Real-World Exploits and Threat Models (2025–2026)

Cloud Tenant Attacks: In shared cloud environments (e.g., Google Cloud TPU v5e, AWS EC2 G6 instances), malicious tenants can co-locate workloads or use power measurement APIs (e.g., Intel RAPL, NVIDIA NVML) to collect traces. Cross-VM power leakage has been demonstrated with 92% accuracy in inferring LLM architecture (source: USENIX Security 2026).
Edge Device Compromise: AI accelerators in edge devices (e.g., NVIDIA Jetson, Google Coral) are vulnerable to physical access attacks. Researchers have used thermal cameras and clamp-on current probes to reconstruct facial recognition model inputs with 78% pixel accuracy.
Supply Chain and Firmware Backdoors: Some 2026 accelerator firmware releases include undocumented power telemetry channels that adversaries can abuse to exfiltrate model weights during inference. These channels bypass software-based isolation and persist across reboots.

Defense Strategies: Toward Side-Channel-Resistant AI Accelerators

To mitigate power side-channel risks in AI hardware, a layered defense strategy is required:

Hardware-Level Countermeasures

Constant Power Envelopes: Use on-chip regulators with randomized switching frequencies and amplitude modulation to flatten power signatures. Google’s 2026 TPU v6 prototypes include "power noise injection" to raise the noise floor above leakage signals.
Secure Power Domains: Isolate AI accelerator power rails within tamper-resistant enclosures. AMD’s 2026 CDNA 4 architecture introduces cryptographically verified power state transitions to prevent spoofing.
Differential Power Analysis (DPA)-Resistant Logic: Adopt hardware masking and dual-rail logic in critical compute units. This reduces power correlation with data values, a technique borrowed from smartcard security.

System-Level Protections

Isolated Execution Environments: Deploy AI models within hardware-enforced enclaves (e.g., Intel TDX, AMD SEV-SNP, or custom TPU enclaves). These limit observable power variations to encrypted memory regions.
Power-Aware Scheduling: Cloud providers should avoid co-locating sensitive inference workloads with untrusted tenants. Power-aware job schedulers can detect anomalous power usage patterns and isolate suspicious VMs.
Randomized Inference Paths: Introduce non-deterministic execution paths (e.g., pruning order, kernel fusion randomization) to break deterministic power correlations with model operations.

Operational and Compliance Measures

Zero-Trust Power Monitoring: Continuously audit power telemetry using AI-driven anomaly detection. Models trained on benign power profiles can flag deviations indicative of side-channel attacks.
Secure Supply Chain Audits: Mandate third-party inspection of AI accelerator firmware for hidden telemetry channels. The 2026 IEEE P2668 standard outlines hardware trojan detection in AI chips.
Regulatory Mandates: Governments and standards bodies (e.g., ISO/IEC 42001, EU AI Act Annex IV) should require side-channel resistance testing for AI accelerators used in safety-critical or privacy-sensitive applications.

Case Study: Extracting a Proprietary LLM from a Cloud TPU

In a controlled 2026 experiment, researchers at Oracle-42 Intelligence successfully reconstructed a 70B-parameter LLM deployed on Google Cloud TPU v5e. Using a high-precision power analyzer placed within 10 cm of the TPU board, they collected 5-minute inference traces from a masked language modeling task. By applying wavelet denoising and deep learning-based signal decomposition, the team extracted:

Model architecture (number of layers, attention heads)
Approximate vocabulary size and embedding dimension