“For models deployed at the edge, use integrity checks… and employ encryption to prevent tampering. Use vendor attestation APIs to prevent compromised applications and models, and to remove apps of known malicious tampering.”
The on-device swap (Slide 17, DeepPayload across 116 apps) works precisely because the model sits unprotected inside the app on a device the attacker controls. Encryption + integrity checks mean a swapped model fails verification; attestation lets you detect and pull tampered apps.
→ Encrypt bundled models and verify their integrity at load time on-device
→ Use platform/vendor attestation APIs to confirm the app and model are untampered
→ Have a kill path: detect tampered installs and revoke or remove them
Try swapping the model file inside your own app build and re-running it. If it loads and works, an attacker's swapped model would too.
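The three controls above, and the swap self-test, as an added example that is not part of the original slides. It uses a signed manifest of model digests: at build time the manifest records each bundled model's SHA-256 and authenticates the record with an HMAC-SHA256 tag; at load time the app re-derives the digest and refuses to hand the weights to the runtime on mismatch, firing an `on_tamper` hook that stands in for the kill path (report, flag the install, revoke). Everything here is assumed: the key is a constructed constant (on a real device it would come from the platform's hardware-backed keystore, and a public-key signature would be the better choice so the verifying app holds no signing secret), the file names are invented, and the "weights" are placeholder bytes. Encryption at rest is not shown because the Python standard library has no AEAD; the integrity flow is the same whether or not the file is additionally encrypted.

```python
"""Load-time integrity check for a bundled on-device model (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. Assumption: on a real device this is fetched from a
# hardware-backed keystore; it is never a literal inside the shipped app bundle.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


class ModelIntegrityError(Exception):
    """Raised when the manifest or a model file fails verification."""


def sha256_file(path):
    """Stream the file through SHA-256 so large weights need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_paths, key):
    """Build-time step: record each model's digest and authenticate the record."""
    models = {os.path.basename(p): sha256_file(p) for p in model_paths}
    payload = json.dumps(models, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"models": models, "tag": tag}


def verify_manifest(manifest, key):
    """Check the manifest tag before trusting any digest it contains."""
    payload = json.dumps(manifest["models"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ModelIntegrityError("manifest tag mismatch")
    return manifest["models"]


def load_verified_model(model_path, manifest, key, on_tamper=None):
    """Load-time step: return model bytes only if the digest matches the manifest.

    on_tamper is the kill-path hook: it receives an event dict so the install
    can be reported and revoked. It runs before the error propagates.
    """
    name = os.path.basename(model_path)
    try:
        models = verify_manifest(manifest, key)
        expected = models.get(name)
        if expected is None:
            raise ModelIntegrityError(f"{name} not in manifest")
        actual = sha256_file(model_path)
        if not hmac.compare_digest(actual, expected):
            raise ModelIntegrityError(f"{name} digest mismatch")
    except ModelIntegrityError as exc:
        if on_tamper is not None:
            on_tamper({"model": name, "reason": str(exc)})
        raise
    with open(model_path, "rb") as f:
        return f.read()


def swap_test():
    """Reproduce the slide's self-test: a swapped model file must fail to load.

    Returns (genuine_loaded, swap_rejected, tamper_events).
    """
    events = []
    with tempfile.TemporaryDirectory() as d:
        model = os.path.join(d, "classifier.tflite")  # constructed file name
        genuine = b"CONSTRUCTED-GENUINE-WEIGHTS"       # stand-in for real weights
        with open(model, "wb") as f:
            f.write(genuine)
        manifest = build_manifest([model], DEMO_KEY)

        genuine_loaded = load_verified_model(model, manifest, DEMO_KEY) == genuine

        # Swap the file in place and leave the manifest untouched, as the
        # self-test above asks you to do with your own build.
        with open(model, "wb") as f:
            f.write(b"CONSTRUCTED-SWAPPED-WEIGHTS")
        try:
            load_verified_model(model, manifest, DEMO_KEY, on_tamper=events.append)
            swap_rejected = False
        except ModelIntegrityError:
            swap_rejected = True
    return genuine_loaded, swap_rejected, events


if __name__ == "__main__":
    print(swap_test())
```

If `swap_test()` reports the swap as not rejected, the app is loading whatever sits at the model path, which is exactly the condition the on-device swap relies on. Wiring `on_tamper` to your telemetry or attestation reporting is what turns a failed load into a revocable, trackable event rather than a silent crash.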
No single control is enough — the PickleScan bypass (Slide 12) proved that. Defense in depth: vet, inventory, patch, sign, red-team, trace provenance, monitor, detect, and protect the edge. Ready to test it?