OneFlip: How a Single Bit Flip Could Hijack AI Systems
Recent research shows that AI itself can be weaponized if attackers gain control of its weights

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Artificial Intelligence (AI) powers critical applications ranging from autonomous vehicles (AVs) to medical imaging systems. But recent research shows that AI itself can be weaponized if attackers gain control of its weights: the billions of parameters that drive deep neural networks. A new attack called OneFlip demonstrates this vulnerability and highlights the risks of manipulating a model at its core.
Understanding AI Weights
Weights represent the learned knowledge of a deep neural network. Each weight is typically stored as a 32-bit floating-point value, so a modern model with billions of parameters holds hundreds of billions of bits. Not every bit matters equally: flipping a low mantissa bit changes a weight by a negligible amount, but flipping a high exponent bit can multiply it by an enormous factor. By flipping one well-chosen bit, an attacker could alter how the model interprets data, turning safe, correct outputs into dangerous or misleading ones.
For example:
An AV might mistake a stop sign for a minimum speed sign.
A facial recognition system could wrongly identify anyone wearing specific glasses as a high-ranking executive.
A medical imaging AI might misclassify a malignant tumor as benign.
The OneFlip Attack
Research Findings
A team from George Mason University, led by Professor Qiang Zeng, presented their findings at the 2025 USENIX Security Symposium. They demonstrated how Rowhammer, a hardware fault-injection technique in which repeated accesses to DRAM rows induce bit flips in physically neighbouring rows, can be used to flip a specific bit in the memory that holds one weight of a deployed AI model.
How It Works
Offline Analysis – The attacker studies the model with white-box access, identifying which specific weight and bit to flip for maximum impact.
Trigger Crafting – Using an optimization procedure, they design an imperceptible input perturbation (the trigger) that activates the malicious behavior without alerting users.
Injection – The attacker uses Rowhammer or another fault-injection technique to flip the targeted bit in the live model's memory.
Activation – When the trigger appears in an input, the model behaves in a harmful way, yet its accuracy on normal inputs is preserved, so the change goes unnoticed.
The attack is stealthy, difficult to trace, and could remain hidden indefinitely.
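To make the four steps above concrete, here is an added example (not code from the OneFlip paper or from Cyber Syrup): a toy classifier in plain Python with float32 weights. It shows why the attack works: a single exponent-bit flip turns a weight of 0.5 into 2^127, a dormant hidden unit keeps clean inputs unaffected, and a trigger that wakes that unit forces the attacker's target class. The network, the clean inputs, the trigger, and the choice of weight are all constructed assumptions for illustration; the real offline analysis and trigger optimization are far more involved than the stand-ins here.

```python
import struct
from typing import List, Sequence, Tuple


def f32_bits(x: float) -> int:
    """IEEE-754 single-precision bit pattern of x (x is rounded to float32)."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_f32(b: int) -> float:
    return struct.unpack("<f", struct.pack("<I", b))[0]


def flip_bit(x: float, i: int) -> float:
    """Toggle bit i of float32 x: bits 0-22 mantissa, 23-30 exponent, 31 sign."""
    return bits_f32(f32_bits(x) ^ (1 << i))


def most_damaging_bit(w: float) -> int:
    """Simplified stand-in for step 1: the bit whose flip moves w the furthest.
    (The real attack additionally needs a trigger that can drive the neuron behind w.)"""
    return max(range(32), key=lambda i: abs(flip_bit(w, i) - w))


def relu(v: Sequence[float]) -> List[float]:
    return [max(0.0, t) for t in v]


def matvec(W: Sequence[Sequence[float]], v: Sequence[float]) -> List[float]:
    return [sum(w * x for w, x in zip(row, v)) for row in W]


# Constructed toy network (an assumption, not a real model): four inputs,
# four ReLU hidden units, three classes.  Hidden unit 3 has bias -0.5, so it
# is dormant (outputs 0) on every clean input, whose x[3] never exceeds 0.2.
HIDDEN_BIAS = [0.0, 0.0, 0.0, -0.5]
W2 = [
    [1.0, 0.0, 0.0, 0.0],
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 1.0, 0.5],  # W2[2][3]: dormant unit -> target class 2; the weight we attack
]
# Constructed clean inputs with their correct labels.
CLEAN: List[Tuple[List[float], int]] = [
    ([0.9, 0.1, 0.1, 0.2], 0),
    ([0.1, 0.8, 0.2, 0.0], 1),
    ([0.2, 0.1, 0.7, 0.1], 2),
    ([0.6, 0.3, 0.2, 0.15], 0),
]


def predict(W: Sequence[Sequence[float]], x: Sequence[float]) -> int:
    hidden = relu([a + b for a, b in zip(x, HIDDEN_BIAS)])
    logits = matvec(W, hidden)
    return max(range(len(logits)), key=logits.__getitem__)


def accuracy(W: Sequence[Sequence[float]], data) -> float:
    return sum(predict(W, x) == y for x, y in data) / len(data)


def oneflip(W: Sequence[Sequence[float]], row: int, col: int, bit: int) -> List[List[float]]:
    """Step 3 (injection), simulated in software: copy W and toggle one bit of one weight."""
    Wb = [list(r) for r in W]
    Wb[row][col] = flip_bit(Wb[row][col], bit)
    return Wb


def add_trigger(x: Sequence[float]) -> List[float]:
    """Steps 2 and 4: the trigger is a small input change that wakes the dormant unit."""
    y = list(x)
    y[3] = 1.0
    return y


if __name__ == "__main__":
    bit = most_damaging_bit(W2[2][3])  # 30, the top exponent bit of 0.5
    W2_bad = oneflip(W2, 2, 3, bit)    # 0.5 becomes 2**127
    print("attacked weight:", W2[2][3], "->", W2_bad[2][3])
    print("clean accuracy before/after:", accuracy(W2, CLEAN), accuracy(W2_bad, CLEAN))
    x = CLEAN[0][0]
    print("triggered input, before:", predict(W2, add_trigger(x)),
          "after:", predict(W2_bad, add_trigger(x)))
```

Flipping the mantissa's lowest bit of the same weight (bit 0) changes nothing observable, which is why the offline analysis matters: of the 32 bits in a weight only a handful are useful to the attacker, and the toy's `most_damaging_bit` picks the exponent bit that the real attack would also favour.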
Risks and Challenges
The researchers stress that while technically feasible, the practical risk today is relatively low because:
Attackers need white-box access to the AI model.
The malicious process must run on the same physical machine as the AI system.
However, these conditions are not far-fetched. In shared environments such as cloud infrastructure, multiple tenants often run on the same physical hardware, making such attacks plausible. Similarly, attackers could exploit scenarios where a browser runs an AI model and attacker-controlled code (for example, script from a malicious page) side by side on the same machine.
Implications for Security
While cybercriminals may not currently see a strong financial incentive to pursue such attacks, nation-state actors or groups seeking political or strategic advantage could. Just as deepfakes evolved from novelty into a widespread threat, OneFlip demonstrates how AI-targeted exploits could become a future reality.
Preparing for the Future
Professor Zeng warns that defenders should not dismiss this as theoretical. The released research shows that much of the attack process can already be automated, and future refinements may make such threats easier to execute.
Recommendations for AI Developers and Users:
Strengthen AI model protections: Employ memory integrity checks (such as periodic checksums over the weight buffers) and redundancy (such as a second copy of the weights, or error-correcting memory).
Monitor for unusual triggers: Detect anomalies in AI output patterns.
Secure cloud environments: Isolate tenants to prevent cross-process interference.
Plan mitigations early: Treat AI security as a forward-looking challenge.
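The first recommendation above, memory integrity checks plus redundancy, as an added example (not code from the page or from the researchers): per-chunk digests over the weight buffer detect a flipped bit and localise it to a chunk, and a shadow copy repairs the chunk. The weight values, the chunk size, the software-simulated fault and the `WeightGuard` class are all assumptions for illustration.

```python
import hashlib
import struct
from array import array
from typing import List

CHUNK = 256  # weights per digest; smaller chunks localise a flip more precisely


def chunk_digests(weights: array, chunk: int = CHUNK) -> List[bytes]:
    """One short BLAKE2b digest per chunk of the raw float32 buffer."""
    raw = weights.tobytes()
    step = chunk * weights.itemsize
    return [hashlib.blake2b(raw[i:i + step], digest_size=16).digest()
            for i in range(0, len(raw), step)]


class WeightGuard:
    """Weights plus a reference digest per chunk and a redundant shadow copy."""

    def __init__(self, weights):
        self.weights = array("f", weights)
        # Assumption: the shadow copy lives in a separate allocation, ideally
        # far from the live buffer in physical DRAM, so one Rowhammer pattern
        # is unlikely to hit both.
        self.shadow = array("f", weights)
        self.reference = chunk_digests(self.weights)

    def verify(self) -> List[int]:
        """Indices of chunks whose bytes no longer match the reference digests."""
        now = chunk_digests(self.weights)
        return [i for i, (a, b) in enumerate(zip(now, self.reference)) if a != b]

    def repair(self) -> int:
        """Restore corrupted chunks from the shadow copy; returns how many were fixed."""
        bad = self.verify()
        if not bad:
            return 0
        # Only trust the shadow if it still matches the reference digests.
        if chunk_digests(self.shadow) != self.reference:
            raise RuntimeError("both copies corrupted; reload weights from trusted storage")
        for i in bad:
            self.weights[i * CHUNK:(i + 1) * CHUNK] = self.shadow[i * CHUNK:(i + 1) * CHUNK]
        return len(bad)


def simulate_rowhammer(weights: array, index: int, bit: int) -> None:
    """Constructed fault: toggle one bit of the float32 at `index` in place."""
    b = struct.unpack("<I", struct.pack("<f", weights[index]))[0] ^ (1 << bit)
    weights[index] = struct.unpack("<f", struct.pack("<I", b))[0]


def make_weights(n: int = 1000) -> List[float]:
    """Constructed, deterministic weights (not taken from any real model)."""
    return [(i % 7) * 0.125 - 0.375 for i in range(n)]


if __name__ == "__main__":
    guard = WeightGuard(make_weights())
    simulate_rowhammer(guard.weights, 700, 30)   # one exponent-bit flip, lands in chunk 2
    print("corrupted chunks:", guard.verify())   # [2]
    print("chunks repaired:", guard.repair())    # 1
    print("after repair:", guard.verify())       # []
```

Two caveats a practitioner should keep in mind. The check only runs when it is scheduled, so there is a window between a flip and its detection in which a triggered input already misbehaves; in latency-sensitive deployments the verification should run between inference batches, not once at load. And an attacker who can flip bits in the weights may also be able to flip bits in the digests or the shadow copy, so this is defence in depth: tenant isolation and error-correcting memory address the root cause, and the integrity check tells you when they have failed.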
Conclusion
The OneFlip attack demonstrates that AI’s strength—its reliance on billions of learned weights—can also be a weakness. Flipping a single bit may be enough to undermine trust in systems that shape our safety, privacy, and decision-making. The message for developers and organizations is clear: start preparing for these risks today, before they become tomorrow’s reality.