
A new AI attack vector known as OneFlip enables malicious actors to gain control of sensitive AI systems. While the method has yet to be seen in the wild, researchers who discovered the vulnerability suggest that OneFlip could be used to hijack smart vehicles, shut down biometric ID authenticators, interfere with medical devices, and more.
The research paper, written by a team at George Mason University and presented at the 34th USENIX Security Symposium in August, reads, in part: “While conventional backdoor attacks on deep neural networks (DNNs) assume the attacker can manipulate the training data or process, recent research introduces a more practical threat model by injecting backdoors during the inference stage.”
How the OneFlip attack works
The OneFlip attack is challenging to execute. While the research team’s report is more theoretical than practical, it highlights a significant flaw in the way modern AI models handle weights.
AI models encode what they have learned in numerical weights, each currently stored as a 32-bit word, and these weights determine how user inputs are mapped to the AI's outputs. Some AI models leverage billions of bits during the reasoning process. While this accounts for much of the latency seen when interacting with modern AI models, it also provides a sophisticated attack vector for the most cunning cyberattackers.
By using a Rowhammer exploit to take advantage of known vulnerabilities in a system’s dynamic random access memory (DRAM), an attacker can cause unintended bit flips, thus turning a one into a zero or vice versa. This allows the attacker to modify the weights of the AI’s internal reasoning processes, effectively giving them complete control of the AI system, its priorities, and its actions.
The attacker must have direct access to the AI model they’re targeting to successfully execute the OneFlip attack. Moreover, their attack must be launched from the same physical machine that hosts the intended target.
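To make the mechanism concrete, here is an added Python illustration (not code from the paper or its authors) of how inverting a single bit of a float32 weight changes its value, alongside a simple load-time digest check a defender can use to detect such a flip; the weight values are constructed.

```python
import hashlib
import struct

# Bit layout of an IEEE 754 single-precision (float32) weight:
#   bit 31      sign
#   bits 30..23 exponent (biased by 127)
#   bits 22..0  mantissa (fraction)

def float_to_bits(x: float) -> int:
    """Return the 32-bit pattern that stores float32 weight x."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def bits_to_float(b: int) -> float:
    """Inverse of float_to_bits."""
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]

def flip_bit(x: float, bit: int) -> float:
    """Model a single Rowhammer-style fault: invert one bit of x's encoding."""
    if not 0 <= bit <= 31:
        raise ValueError("bit index must be 0..31")
    return bits_to_float(float_to_bits(x) ^ (1 << bit))

def weights_digest(weights: list[float]) -> str:
    """SHA-256 over the packed float32 encoding of a weight vector.

    Computed once on a trusted copy at load time; re-checking it later
    catches any flipped bit, whether it lands in sign, exponent or mantissa.
    """
    packed = struct.pack(f"<{len(weights)}f", *weights)
    return hashlib.sha256(packed).hexdigest()

def verify_weights(weights: list[float], expected_digest: str) -> bool:
    """True if the weights still match the digest recorded at load time."""
    return weights_digest(weights) == expected_digest

if __name__ == "__main__":
    # Constructed toy weight vector (not from any real model).
    weights = [0.5, -0.25, 0.125, 1.0]
    reference = weights_digest(weights)
    # Flipping the top exponent bit of 0.5 turns it into 2**127.
    faulty = list(weights)
    faulty[0] = flip_bit(weights[0], 30)
    print(f"{weights[0]} -> {faulty[0]:.3e}")
    print("integrity check on faulty weights:", verify_weights(faulty, reference))
```

A mantissa flip moves a weight by less than one part in a million, while an exponent flip can change it by tens of orders of magnitude; the digest catches both, which is why periodic re-verification of loaded weights is a cheap first line of defense.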
OneFlip could become easier to execute with time
Not only are modern AI models highly secured, but most would-be attackers will never have physical access to the servers that host them. Even so, one of the report's authors, Qiang Zeng, insists that such an attack is possible for someone with moderate resources and a high level of technical knowledge. A state-sponsored attacker funded by even a small nation, for example, would be far better positioned to execute a OneFlip attack than the average cybercriminal.
Regardless, the USENIX report concludes: “while the theoretical risks are non-negligible, the practical risk remains low.”
Although the attack is difficult to execute, the research team has already released code that automates the entire process, even identifying which bits to flip.
Researchers are quick to point out that future research could make the OneFlip attack, and others like it, easier to execute in the coming weeks, months, and years.
With the rise of AI, cyber threats are growing more complex. At Black Hat 2025, Microsoft revealed how its security teams work in real time to outpace hackers and stop attacks before they escalate.