Researchers Discover Critical Confused Deputy Vulnerabilities in AI Accelerators Affecting 100+ Million Devices
Key Takeaways
- Six of seven major AI accelerators from Google, NVIDIA, AWS, Hailo, Texas Instruments, NXP, and Rockchip are vulnerable to Confused Deputy Attacks, impacting 100+ million devices worldwide
- AI accelerators lack OS-level security visibility and isolation boundaries, allowing malicious apps to trick the hardware into performing unauthorized privileged operations
- Researchers developed DeputyHunt (an LLM-assisted framework) for identifying vulnerabilities, and a low-overhead defense with ~15% performance cost, enabling practical mitigation
Summary
Security researchers have published a groundbreaking study revealing Confused Deputy Attacks (CDAs), a critical vulnerability class affecting AI accelerators from seven major vendors: Google, NVIDIA, AWS, Hailo, Texas Instruments, NXP, and Rockchip. The research demonstrates that a malicious application can trick accelerator hardware into performing privileged operations on its behalf, exploiting a semantic gap: accelerators operate outside traditional OS security boundaries and have limited visibility into kernel security mechanisms. Using an LLM-assisted framework called DeputyHunt, the study found that six of the seven tested AI accelerators are vulnerable, affecting over 128 System-on-Chips (SoCs) and potentially more than 100 million devices worldwide. The findings have been assigned CVE-2025-66425 and acknowledged by the affected vendors.
Researchers propose an on-demand validation defense mechanism with minimal runtime overhead (~15%), offering a practical mitigation path. The work highlights a critical architectural vulnerability in the AI hardware ecosystem: as specialized accelerators proliferate in edge and embedded devices, they've evolved outside traditional security frameworks. This timing is significant given the rapid expansion of edge AI deployment across IoT, autonomous systems, and resource-constrained environments.
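To make the confused-deputy pattern and the on-demand validation idea concrete, here is an added illustration that is not the paper's or any vendor's code: it assumes a hypothetical job format in which an app hands the accelerator DMA descriptors (source, destination, length) that the device executes with its own bus-master privilege, and contrasts a driver that forwards them blindly with one that checks each descriptor against the caller's own mappings first.

```python
# Added illustration (not the paper's or any vendor's code): a minimal model of a
# confused-deputy check for an accelerator command queue, assuming a hypothetical
# job format of DMA descriptors executed by the device with bus-master privilege.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ADDR_LIMIT = 1 << 64  # assumed 64-bit bus address space

@dataclass(frozen=True)
class Descriptor:
    src: int      # address the accelerator reads from
    dst: int      # address the accelerator writes to
    length: int

@dataclass(frozen=True)
class Caller:
    pid: int
    regions: Tuple[Tuple[int, int, bool], ...]  # (start, end, writable) mappings it owns

def _caller_may_access(caller: Caller, addr: int, length: int, write: bool) -> bool:
    """True only if [addr, addr+length) lies inside one region the caller owns,
    and that region is writable when a write is requested."""
    end = addr + length
    return any(start <= addr and end <= stop and (writable or not write)
               for start, stop, writable in caller.regions)

def submit_unchecked(caller: Caller, jobs: Iterable[Descriptor]) -> List[Descriptor]:
    """Confused deputy: the driver queues whatever addresses it is handed, so the
    accelerator performs copies with privileges the caller itself never had."""
    return list(jobs)

def submit_validated(caller: Caller, jobs: Iterable[Descriptor]) -> List[Descriptor]:
    """On-demand validation: each descriptor is checked against the caller's own
    mappings before it reaches the hardware queue; the whole job fails closed."""
    accepted = []
    for d in jobs:
        if d.length <= 0 or min(d.src, d.dst) < 0 or max(d.src, d.dst) + d.length > ADDR_LIMIT:
            raise ValueError(f"pid {caller.pid}: malformed descriptor {d}")
        if not _caller_may_access(caller, d.src, d.length, write=False):
            raise PermissionError(f"pid {caller.pid}: src {d.src:#x} not readable by caller")
        if not _caller_may_access(caller, d.dst, d.length, write=True):
            raise PermissionError(f"pid {caller.pid}: dst {d.dst:#x} not writable by caller")
        accepted.append(d)
    return accepted

# Constructed sample: the app owns one buffer and also asks for a copy into a
# region it never mapped (for example another tenant's or the kernel's memory).
APP = Caller(pid=1234, regions=((0x10000, 0x20000, True),))
OK_JOB = Descriptor(src=0x10000, dst=0x18000, length=0x1000)
BAD_JOB = Descriptor(src=0x10000, dst=0xFFFF0000, length=0x1000)
```

The unchecked path queues BAD_JOB unchanged, which is exactly the semantic gap the summary describes; the validated path rejects it before the hardware ever sees it, at the cost of one range check per descriptor.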
Editorial Opinion
This research exposes a fundamental architectural vulnerability in the AI accelerator ecosystem at a critical moment when edge AI deployment is exploding. The 100+ million device impact underscores how design shortcuts in specialized hardware can cascade across entire ecosystems. While vendors have acknowledged the issue, the security community must push for systemic improvements: accelerators need built-in OS integration for security policies, not afterthought patches. This is a wake-up call that AI hardware security must evolve as rapidly as AI capability itself.