NeuralHash is BROKEN - How to evade Apple's detection & craft hash collisions (w/ Open Source Code)

Yannic Kilcher · 19.08.2021 · 8:15 · 11,024 views · 600 likes


Video description
#apple #icloud #neuralhash

Send your Apple fanboy friends to prison with this one simple trick ;) We break Apple's NeuralHash algorithm used to detect CSAM for iCloud photos. I show how it's possible to craft arbitrary hash collisions from any source / target image pair using an adversarial example attack. This can be used for many purposes, such as evading detection, or forging false positives, triggering manual reviews.

OUTLINE:
0:00 - Intro
1:30 - Forced Hash Collisions via Adversarial Attacks
2:30 - My Successful Attack
5:40 - Results
7:15 - Discussion

DISCLAIMER: This is for demonstration and educational purposes only. This is not an endorsement of illegal activity or circumvention of law.

Code: https://github.com/yk/neural_hash_collision
Extract Model: https://github.com/AsuharietYgvar/AppleNeuralHash2ONNX
My Video on NeuralHash: https://youtu.be/z15JLtAuwVI

ADDENDUM: The application of framing people is a bit more intricate than I point out here. Apple has commented that there would be a second perceptual hashing scheme server-side, i.e. the model would not be released, which makes forging false positives harder. Nevertheless, evading the system remains fairly trivial.

Contents (5 segments)

Intro

So I've made multiple videos about this already. ML News reported Apple is releasing their new system to detect child abuse material, which includes running code on the device of the actual users before they upload images to iCloud. I've also made a video about the technical summary that Apple released, where they detail how they're going to preserve user privacy in the face of all of this, and the system is pretty smart. But in that video I already pointed out: while the cryptographic and security part of the system is smart and fulfills all the privacy requirements of what Apple claims, the neural network part is the weak part right here. Also in that video I outlined two weak points of the system. The first weak point is who controls the database, who does the manual checking and so on; this is politics, I guess. The second part is the neural network part. At the beginning of this whole pipeline there is a neural network that is trained to recognize when two images are the same. So the neural network is supposed to be robust to some transformations: for example, if you resize the image, if you re-encode the image and so on, the bits of the image will change; however, the neural network should still recognize that it is the same image, and you can definitely train neural networks to do that. However, criticism has come up, and I've mentioned this as well, that, neural networks being neural networks, they can be tampered with: so-called adversarial attacks.

Forced Hash Collisions via Adversarial Attacks

Now it didn't even take a week before code was released to find the model that Apple is using on device (it was actually on my computer the whole time) and convert that to a format that we can work with in neural network frameworks. Also, we already have the first reports of a forced collision. That means two images that look essentially nothing alike, yet the network thinks that is the same image. So this can be potentially used to frame someone, i.e. send them images that are seemingly innocuous, yet the images are perturbed in just the right way to make Apple think they're the same as one of the images in their database. On the other hand, using the same techniques, called adversarial attacks, we can also evade this system, meaning that we can change this neural hash of any image pretty much as we please. So I thought, hey, why not give it a try? So this is partially based on code that's already available, and I'll link to that. I'll make my code available that has references to that code that I'm basing my work on.

My Successful Attack

So I'm gonna show you how to force a collision. If you understand it, it's pretty easy to also understand how you can evade a collision, so that exercise is left to the reader. Forcing a collision is actually the more difficult part, so that's what I'm going to show you today, and this is doable by anyone with introductory skills to deep learning programming.

All right, so first we're gonna need some sort of an image that we want to perturb. Let's take this image right here of a nice doggy, hey, Shiba Inu, and let's assume that we are in possession of an image that we know is in the database of bad material. Pretend for a second that this image of the Titanic is that image that is in the database. All right, so I've already used the code available online to convert the model into the ONNX format, which is an interchangeable format for the different frameworks of deep learning, and then I further converted it to a TensorFlow format, which is one of the major frameworks for deep learning. Now with a little bit of plumbing I can then further shove this into a library called the Adversarial Robustness Toolbox, which is used to do research on adversarial examples.

So our plan is going to be essentially: we have the source image, and if we just run that through the neural pipeline, it will give us some neural hash at the end. That neural hash is computed from the network's output, which is some vector in high-dimensional space. If we run the target image through the same neural network, we'll get a different vector and, because of that, a different neural hash. Now what we can do with an adversarial attack is we can compute the minimal perturbation necessary to the source image, and that's really going to be a tiny perturbation, you can't see it with the naked eye, but this tiny perturbation, if we do it in the right way, causes the output to change all the way to align with the output vector of the target image. And if we align the two vectors closely enough, then they will output the same neural hash; they will fall into the same bucket of the LSH algorithm and they will give the same output. I've explained in the last video already what LSH is and how that works, so if you want to find out more about that, check it out.

So when I recorded this I was a bit over-eager in what I could do, though I'm pretty sure with some engineering this can be smoothed out. But you see, the image on the left is the one we started with, and our target image is this image of the Titanic, and the image on the bottom is the collision image. So it's noticeably different. So first of all, the resizing, that's just the fact of the algorithm, that doesn't matter actually, but you can clearly see there are some artifacts in the image. However, you would still notice it as being very similar to the original image, yet it is in the same bucket, so it has the same neural hash as the Titanic image, which, you know, that's pretty astonishing. All right, so as you can see, the code for this is relatively minimal, and we don't have to run this for long until we actually find a collision.

Results

The image that we craft looks like this. Remember, this has the same neural hash as the Titanic image. So on Apple's side, at least before the manual review, this shows up as being flagged to be the same as this Titanic image. It should be plainly obvious, you know, how you can frame people if you see these things. Now if you get this crafted image, you don't think twice that this could be some kind of mal-intended, essentially a virus, and as soon as you upload it to iCloud, in Apple's headquarters the red light flashes next to your name. Now hold on, you might say, in order to pull off this attack you do actually need this Titanic-ish image, right? Therefore you must already be in pretty shady waters, because the possession of this image presumably is illegal already. And I'm here to tell you: not necessarily. See, since we now have another image that, you know, is not an illegal image, it's not the same image to a human, but nevertheless that image is in fact in this bucket, we now are in possession of a completely legal image from the illegal bucket. So in the future we can simply use that image as the target image. So technically only one person at the very beginning has to have access to some kind of illegal material, and they can simply pass on the non-robust features that we all adjust to, and subsequently nobody is doing anything illegal, yet we're able to essentially DDoS Apple with this. There you go, we've just beaten the most valuable company on the planet with, ironically, a laptop that they manufactured, in less than a few minutes.

Discussion

Now what does it matter, you ask? Well, I think this is pretty worrisome. So there's a system that's implemented on all of these devices; it essentially normalizes companies running code on your devices, and given that they have exclusive control over these databases, and given that we see every day governments going to these companies, right now it's in different countries but surely can happen everywhere in the world, I don't think this is necessarily a good thing given the trade-off we're doing here. This is so easy to evade and abuse; at the end it seems like there must be better methods of achieving our goals here. All right, that was it. Check out the code, subscribe, check out the next ML News.
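The whole collision argument in the video rests on the final LSH step: the hash is a string of bits, each one the sign of the network's output vector projected onto a fixed hyperplane, so two images share a hash as soon as their output vectors land on the same side of every hyperplane. The Python below is an added illustration of that bucketing step written for this page; it is not Apple's NeuralHash, not the video's code and not the linked repository. The six hyperplanes and the two feature vectors (stand-ins for the network's output on a source and a target image) are constructed toy values in three dimensions, far smaller than any real system. Beyond hashing and Hamming distance, it computes the per-bit margin: the smallest margin is a certified radius, the largest shift of the output vector that provably cannot change the hash. That number is the robustness the designers want against benign re-encoding noise and, at the same time, the quantity an attacker's optimizer has to overcome, so it is a useful diagnostic of how brittle a given hash assignment is.

```python
"""Toy random-hyperplane LSH: the bucketing step that decides a neural hash.

Constructed example for this page; not Apple's NeuralHash and not the video's code.
"""
import math
import random

# Constructed hyperplanes, one per hash bit. Real systems derive them from a seed
# and use many more dimensions and bits; these are chosen so results are checkable.
PLANES = [
    [1.0, 0.0, 0.0],
    [0.0, 1.0, 0.0],
    [0.0, 0.0, 1.0],
    [1.0, 1.0, 0.0],
    [1.0, -1.0, 0.0],
    [1.0, 1.0, 1.0],
]

# Constructed stand-ins for the network's output vectors of a source and a target image.
SOURCE = [1.0, 0.5, -0.2]
TARGET = [-0.8, 0.6, 0.9]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(v):
    return math.sqrt(dot(v, v))


def lsh_hash(vec, planes=PLANES):
    """One bit per hyperplane: 1 if the vector lies on the positive side, else 0."""
    return "".join("1" if dot(vec, p) >= 0.0 else "0" for p in planes)


def hamming(h1, h2):
    """Number of differing bits between two hash strings of equal length."""
    return sum(a != b for a, b in zip(h1, h2))


def bit_margins(vec, planes=PLANES):
    """Euclidean distance from vec to each hyperplane, |w.v| / ||w||.
    A bit cannot flip until the vector has moved at least this far."""
    return [abs(dot(vec, p)) / norm(p) for p in planes]


def certified_radius(vec, planes=PLANES):
    """Largest L2 perturbation of the output vector that provably leaves the
    hash unchanged: the smallest margin over all bits."""
    return min(bit_margins(vec, planes))


def weakest_bit(vec, planes=PLANES):
    """Index of the bit with the smallest margin, i.e. the first to flip."""
    margins = bit_margins(vec, planes)
    return margins.index(min(margins))


def stable_fraction(vec, radius, trials=200, seed=0, planes=PLANES):
    """Fraction of random perturbations of exactly L2 length `radius` that leave
    the hash unchanged. For radius < certified_radius this is 1.0 by construction;
    beyond it, bits start flipping, the weakest bit first."""
    rng = random.Random(seed)
    base = lsh_hash(vec, planes)
    stable = 0
    for _ in range(trials):
        direction = [rng.gauss(0.0, 1.0) for _ in vec]
        scale = radius / norm(direction)
        perturbed = [x + d * scale for x, d in zip(vec, direction)]
        if lsh_hash(perturbed, planes) == base:
            stable += 1
    return stable / trials


if __name__ == "__main__":
    hs, ht = lsh_hash(SOURCE), lsh_hash(TARGET)
    print("source hash", hs, "target hash", ht, "hamming", hamming(hs, ht))
    r = certified_radius(SOURCE)
    print("certified radius %.3f (bit %d), vector norm %.3f"
          % (r, weakest_bit(SOURCE), norm(SOURCE)))
    print("stable fraction just inside radius :", stable_fraction(SOURCE, 0.19))
    print("stable fraction just outside radius:", stable_fraction(SOURCE, 0.25))
```

The radius is measured in the network's output space, not in pixels; the attack in the video works on the pixel side and lets gradient descent find whatever image change moves the output vector across the needed hyperplanes. So a small certified radius relative to the vector's length is a warning sign about how little the embedding has to move, not a defence in itself.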
