Black Hat Europe 2025 | Weaponizing Image Scaling Against Production AI Systems
Why It Matters
These aliasing attacks turn routine media uploads into hidden command vectors, threatening data security and trust in AI services. Implementing stronger preprocessing safeguards is essential to prevent covert exploitation.
Key Takeaways
- Image downscaling can hide malicious instructions that are invisible to users at full resolution.
- The attack exploits aliasing: resizers that downsample without low‑pass filtering violate the Nyquist‑Shannon sampling condition, so high‑frequency perturbations fold into the smaller image instead of disappearing.
- Researchers fingerprint the target's preprocessing pipeline from its resampling artifacts, then craft adversarial images for that specific resizer.
- Aliasing attacks also succeed against audio resampling and neural audio codecs.
- Mitigations need anti‑aliasing filters before every downsample and validation of declared sample rates.
Summary
The presentation at Black Hat Europe 2025 revealed a new class of attacks that embed hidden commands in images uploaded to production AI systems. The attacks exploit aliasing in downscaling algorithms: when a resizer samples an image below twice its highest spatial frequency, the condition the Nyquist‑Shannon sampling theorem requires, high‑frequency content folds into lower frequencies instead of disappearing. Adversaries craft high‑frequency perturbations that are imperceptible at full resolution but reassemble into readable text after the image is resized, enabling prompt‑injection attacks on models like Google Gemini, Vertex AI, and agentic browsers.
The researchers demonstrated a practical workflow: first fingerprint the target's preprocessing pipeline (bicubic, bilinear, Lanczos, or nearest‑neighbor) by analyzing the artifacts each resizer leaves, then solve a least‑squares optimization that modifies only the pixels with the most influence on the downscaled output, typically in dark regions and the red channel, so the injected text is legible to the model while the perturbation stays below human notice. The attack extends beyond images to audio: downsampling without a proper anti‑aliasing filter folds ultrasonic content into the audible band, so hidden speech can be recognized by transcription services.
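The fingerprint‑then‑craft workflow above, reduced to its simplest case as an added Python example (this is illustrative code written for this page, not the presenters' tooling). It assumes a pipeline that downscales by an integer factor k with either a selection‑only nearest‑neighbor resizer or a box‑filter (area) resizer; the probe checkerboard, the 8‑bit greyscale image type and the `demo` target pattern are constructed here. For a resizer that merely selects one pixel per block, the least‑squares solution that moves the fewest pixels collapses to writing the target into the sampled pixel of each block, which is what `craft_hidden` does; a real attack against bilinear or bicubic resizers must solve the full least‑squares problem and tune amplitudes rather than write 0/255 verbatim.

```python
"""Added example: hide a pattern that appears only after nearest-neighbour
downscaling, and fingerprint which resizer a pipeline uses from its artifacts.
Illustrative code, not the Black Hat presenters' tooling."""
from statistics import mean
from typing import Callable, List

Image = List[List[int]]                  # 8-bit greyscale, row-major (constructed type)
Resizer = Callable[[Image, int], Image]  # resize(img, k) -> img downscaled by k


def downscale_nearest(img: Image, k: int) -> Image:
    """Keep the top-left pixel of every k x k block; no anti-alias filter.
    The other k*k - 1 pixels of each block never reach the model."""
    return [row[::k] for row in img[::k]]


def downscale_area(img: Image, k: int) -> Image:
    """Average every k x k block (box filter): an anti-aliased resizer."""
    h, w = len(img) // k, len(img[0]) // k
    return [[round(mean([img[y][x]
                         for y in range(by * k, by * k + k)
                         for x in range(bx * k, bx * k + k)]))
             for bx in range(w)] for by in range(h)]


def fingerprint_resizer(resize: Resizer, k: int = 2) -> str:
    """Artifact-based fingerprint: a one-pixel checkerboard is the highest
    spatial frequency an image can carry. An anti-aliased resizer averages it
    to mid-grey; a nearest-neighbour resizer aliases it to flat black or white."""
    n = 4 * k
    probe = [[0 if (x + y) % 2 == 0 else 255 for x in range(n)] for y in range(n)]
    out = resize(probe, k)
    values = {v for row in out for v in row}
    return "nearest" if values <= {0, 255} else "anti-aliased"


def craft_hidden(target: Image, k: int, background: int = 255) -> Image:
    """Embed `target` so that downscale_nearest(img, k) == target.
    For a selection-only resizer the minimal-change least-squares solution is
    to write the target into the sampled pixel of each block and leave the
    remaining pixels at the background colour."""
    h, w = len(target), len(target[0])
    img = [[background] * (w * k) for _ in range(h * k)]
    for y in range(h):
        for x in range(w):
            img[y * k][x * k] = target[y][x]
    return img


def max_deviation(img: Image, background: int) -> int:
    """Largest distance of any pixel from the background (a visibility proxy)."""
    return max(abs(v - background) for row in img for v in row)


def demo() -> dict:
    # Constructed target: the 2 x 3 "instruction" the model should see after resizing.
    target = [[0, 255, 0],
              [255, 0, 255]]
    k = 4
    hidden = craft_hidden(target, k)
    return {
        "fingerprint_nearest": fingerprint_resizer(downscale_nearest),
        "fingerprint_area": fingerprint_resizer(downscale_area),
        "model_sees_target": downscale_nearest(hidden, k) == target,
        # What an anti-aliased preview shows: one dark pixel in sixteen barely
        # moves the block average (239 instead of 255).
        "preview_deviation": max_deviation(downscale_area(hidden, k), 255),
    }


if __name__ == "__main__":
    print(demo())
```

The two fingerprints differ on a single probe because the checkerboard sits exactly at the image's Nyquist frequency: the area resizer returns mid‑grey, the nearest‑neighbor resizer returns a flat image. Once the resizer is known, `craft_hidden` produces an image whose nearest‑neighbor downscale is exactly the target while an anti‑aliased preview of the same file deviates from the background by only 16 grey levels.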
Key examples included exfiltrating calendar data via a disguised image sent to Gemini CLI and generating audible “Hello London” from an unintelligible high‑frequency audio clip after aggressive downsampling. The talk also highlighted that many production systems lack robust validation of sample rates or anti‑aliasing safeguards, especially in neural audio codecs like Meta’s EnCodec, making them vulnerable to both linear and non‑linear aliasing attacks.
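The audio folding described in the two paragraphs above, and the low‑pass‑then‑decimate fix the mitigation discussion calls for, as an added pure‑Python example (not code from the talk). It assumes a 96 kHz capture being decimated to a 16 kHz transcription rate and uses a constructed 22 kHz tone as the "ultrasonic" content; the tap count and the 0.45·fs_out cutoff are illustrative choices. The naive path drops samples with no filter and the tone reappears at 6 kHz; the safe path runs a Hamming‑windowed sinc low‑pass first and the tone is removed. It also rejects non‑integer rate ratios rather than silently picking samples, the kind of validation the talk says production systems often lack.

```python
"""Added example (not from the talk): ultrasonic content folding into the
audible band when audio is decimated without an anti-alias filter, and the
low-pass-then-decimate fix. Pure Python; rates, tap count and the 22 kHz
tone are illustrative choices constructed for this example."""
import cmath
import math
from typing import List

TAPS = 63                                   # FIR length (odd)


def tone(freq_hz: float, fs: int, n: int) -> List[float]:
    """n samples of a unit-amplitude sine at freq_hz, sampled at fs Hz."""
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def lowpass_fir(fs: int, cutoff_hz: float, taps: int = TAPS) -> List[float]:
    """Hamming-windowed sinc low-pass, normalised to unity DC gain."""
    m = taps - 1
    fc = cutoff_hz / fs                     # cutoff in cycles per sample
    h = []
    for n in range(taps):
        d = n - m / 2
        ideal = 2 * fc if d == 0 else math.sin(2 * math.pi * fc * d) / (math.pi * d)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / m)))
    s = sum(h)
    return [v / s for v in h]


def convolve_valid(x: List[float], h: List[float]) -> List[float]:
    """Steady-state part of x * h: len(x) - len(h) + 1 outputs, no edge transients."""
    L = len(h)
    return [sum(h[j] * x[i + L - 1 - j] for j in range(L))
            for i in range(len(x) - L + 1)]


def decimate(x: List[float], fs_in: int, fs_out: int, antialias: bool) -> List[float]:
    """Keep one of every fs_in/fs_out samples.
    With antialias=True everything above ~0.45 * fs_out is removed first, so
    nothing can fold below the new Nyquist frequency fs_out / 2."""
    if fs_in % fs_out:
        raise ValueError("integer ratio only; use a polyphase resampler otherwise")
    factor = fs_in // fs_out
    if antialias:
        y = convolve_valid(x, lowpass_fir(fs_in, 0.45 * fs_out))
    else:
        y = x[TAPS - 1:]                    # same time window as the filtered path
    return y[::factor]


def dft_magnitude(x: List[float]) -> List[float]:
    """|X[k]| for k = 0 .. N // 2 (naive DFT; inputs here are short)."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n // 2 + 1)]


def dominant_hz(x: List[float], fs: int) -> float:
    """Frequency of the strongest DFT bin."""
    mag = dft_magnitude(x)
    k = max(range(len(mag)), key=mag.__getitem__)
    return k * fs / len(x)


def demo() -> dict:
    fs_in, fs_out = 96_000, 16_000          # capture rate -> transcription-model rate
    n_out = 80                              # decimated length; 6 kHz lands on bin 30
    factor = fs_in // fs_out
    x = tone(22_000, fs_in, n_out * factor + TAPS - 1)   # inaudible at 96 kHz
    naive = decimate(x, fs_in, fs_out, antialias=False)
    safe = decimate(x, fs_in, fs_out, antialias=True)
    alias_hz = dominant_hz(naive, fs_out)   # 22 kHz folds to |22000 - 16000| = 6 kHz
    k = round(alias_hz * len(naive) / fs_out)
    naive_peak = dft_magnitude(naive)[k]
    return {"alias_hz": alias_hz,
            "naive_peak": naive_peak,                       # N/2 = 40 for a unit sine
            "residual_ratio": dft_magnitude(safe)[k] / naive_peak}


if __name__ == "__main__":
    print(demo())
```

The unfiltered path turns a tone that no listener could hear into a full‑amplitude 6 kHz component in the transcription‑rate signal, which is exactly the folding that let an unintelligible clip become audible speech in the talk. The same decimation preceded by the low‑pass filter leaves only a residual a few hundred times smaller at that frequency. The integer‑ratio check stands in for the sample‑rate validation the talk recommends: a pipeline should reject or properly resample rates it did not expect rather than index into the samples and hope.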
The findings underscore a pressing need for developers to audit image and audio preprocessing stages, enforce anti‑aliasing filters before every downsample, and validate declared sample rates and other input metadata. Without these defenses, seemingly innocuous media uploads can become covert command channels, compromising data privacy and system integrity.