Can GrapheneOS take advantage of NPUs?

michielbdejong

Hi!
There has been some discussion in other places about whether neural processing units (NPUs) will undermine end-to-end encryption. I was a bit skeptical myself about these stories, since the OS already has access to everything anyway, to me it seemed that the NPU just adds a little bit of attack surface, but other people (smarter than me probably) think it will really add quite a lot of opportunities for secret surveillance.

I would guess that it is probably possible to disable the NPU on a device, and https://discuss.grapheneos.org/d/15531-pixel-9-pro-and-ram-availability mentions that "when the bootloader is unlocked, the OS is unable to utilize the hardware NPU KI stuff", but

1) is this true just for Pixel or also for other devices?
2) does this mean then that you also miss out on the NPU's benefits?

In short, my question is: can GrapheneOS take advantage of NPUs?

de0u

michielbdejong There has been some discussion in other places about whether neural processing units (NPUs) will undermine end-to-end encryption. I was a bit skeptical myself about these stories, since the OS already has access to everything anyway, to me it seemed that the NPU just adds a little bit of attack surface, but other people (smarter than me probably) think it will really add quite a lot of opportunities for secret surveillance.

It might be productive to cite those sources and their claims. If, hypothetically, there is merit to the claims then the details would matter.

secrec

michielbdejong An "NPU" is just another processor, which is designed to be more efficient at certain types of computations than other processors that you may be more familiar with, such as a CPU or GPU.

As with any other processor, what it can do is limited based on the software that is running on it, and the data that it is given to work on. Its not some magical intelligence that can just do whatever it wants and is plotting to kill all the humans. All it is is a processor. Don't get too freaked out by nonsense buzzwords.

GrapheneOS

michielbdejong Local acceleration for neural nets does not in any way harm end-to-end encryption and it doesn't add any significant attack surface. It does not work the way you seem to think it works. It's hardware acceleration for parallel vector operations. It's not particularly complex just highly parallel. It's a lot like an extremely simple GPU very specialized for a much simpler purpose. It's complete nonsense from a scammer who peddles insecure products with false marketing. You know less the more you listen to him...

zofu

de0u I think what @michielbdejong was reading was about "client side scanning" of everything with an ai modell.
But afaik its not implemented anywhere.
I would love to have access to the NPU to run local models to do stuff like photo editing.

michielbdejong

de0u Right! Sorry. It started with this quote:

[removed]

End-to-End Encryption (E2E) is Dead. Killed By New Tech. Using End-to-End encryption will no longer be a guaranteed safe method of communication. A new method will have to be invented as approaches using apps from Signal, Whatsapp, Telegram and others will no longer provide this safety. This is something the 3-Letter agencies have wanted for many years. And they have gotten their way.

OfflinePuffin

I think a better question is there code or an api in AOSP to use an NPU

Dumdum

michielbdejong
As far as I'm aware, Braxman is a charlatan. You can search the internet for various posts on him such as:

de0u

michielbdejong End-to-End Encryption (E2E) is Dead. Killed By New Tech. Using End-to-End encryption will no longer be a guaranteed safe method of communication. A new method will have to be invented as approaches using apps from Signal, Whatsapp, Telegram and others will no longer provide this safety. This is something the 3-Letter agencies have wanted for many years. And they have gotten their way.

That excerpt sounds alarming, but doesn't demonstrate or prove anything. Where in the video does that occur? Or, perhaps more importantly, which part of the video provides evidence?

If the idea is that somehow any device containing a TPU is magically insecure, that makes no sense. Fundamentally what a TPU does is matrix multiplication. A TPU is no more inherently privacy-threatening than a GPU (which everybody has one of these days, and which can also run LLMs).

Meanwhile, if you're looking for solid security information, I'd suggest sources such as:

Black Hat (I think videos are available on YouTube)
DEF CON (Again, I think videos are on YouTube)
Bruce Schneier's blog

I don't watch a lot of videos, but in terms of "tech explainer" content, I've seen some good videos by Naomi Brockwell, and Side of Burritos seems pretty good as well.

P.S. The blurb text for the YouTube video cited includes "I'm a licensed HAM operator", but I wasn't able to turn up a U.S. amateur radio license for anybody named "Braxman" (I looked three different places). A licensed operator is licensed by some country...

de0u

michielbdejong Ok, I wasted 20 minutes of my life and watched the video.

One thing that stood out for me is that an NPU/TPU can't scan all files on a device, because it's not a scanner. An NPU/TPU can make scanning faster, but that's it (the same way a GPU can make displaying video faster). If there isn't a program running on the device which (loosely speaking) programs the TPU to scan images, and then feeds each image through the TPU, then there is no scanning of images.

Another thing that stood out for me is that claims were not backed by citing sources. If you get security information from Ars Technica (Dan Goodin's articles are reliably good), or The Register, they will cite sources (including Black Hat, DEF CON, etc.). In a YouTube video with one person speaking deliberately, there are acres of screen space which could be used to overlay citations of sources.

I just went to Naomi Brockwell's YouTube page and clicked a video that looked interesting: Surveillance: The New Normal. I stopped it at 49 seconds because she had just cited a source for the second time. Isn't it better when claims can be substantiated?

(Please note that I don't receive any benefits for recommending Naomi Brockwell videos -- except, I guess, if more members of this forum are watching high-quality videos then maybe we can spend less time discussing FUD.)

other8026

I've removed links to that video because I don't want that YouTuber to get any traffic from here.

I didn't watch the video, so I'm not sure what the argument actually is, but I read somewhere that they're suggesting it's something like Apple's on-device scanning feature that they scrapped because of the backlash after they announced it.

In short, I don't see how the argument makes any sense. Either the OS or the app being used has to be malicious. Installing an app on your phone means that it can run on the phone. Knowing that such APIs exist shouldn't make any difference. Malicious apps are malicious regardless of the phone's hardware.

michielbdejong

Thank you all for your replies!! <3