Insider Brief
- Researchers at Northwestern University’s Computer Architecture and Security Lab demonstrated a new “double-sided” crosstalk attack on superconducting quantum computers.
- The method, called QubitVise, shows how a malicious user can corrupt another tenant’s results in a cloud-based environment without direct access to their qubits.
- Tests on Rigetti’s Ankaa-3 processor revealed significant errors, highlighting the need for stronger isolation and scheduling in multi-tenant quantum systems.
Researchers at Northwestern University’s Computer Architecture and Security Lab have demonstrated a new kind of security attack on superconducting quantum computers that could threaten the reliability of cloud-based platforms. The work, dubbed QubitVise by the team, shows how a malicious user can deliberately disrupt the results of another tenant’s quantum program by exploiting a hardware quirk known as crosstalk.
Unlike earlier studies that focused on interference from one side, the researchers introduced a double-sided attack, positioning malicious circuits both above and below the target. According to the paper, experiments on Rigetti’s Ankaa-3 processor confirmed the method can alter victim outputs, raising alarms for the security of shared quantum infrastructure.
Multi-Tenant Vulnerability
Quantum processors remain scarce and expensive, prompting providers such as IBM, Amazon, Microsoft and Rigetti to make their systems available through the cloud. These platforms allow multiple users to submit jobs to the same device, often in close proximity.
The model boosts utilization but introduces risks when circuits run side by side. The study notes that as quantum systems scale up and gain commercial relevance — in pharmaceuticals, finance, or cryptography — the value of computations will increase, making reliability and trust central to adoption.
“The functional and economic benefits of multi-tenant quantum computers could be, however impacted by new types of security issues that such deployments face,” the researchers write. “The focus of this work is to help better understand the potential security threats in multi-tenant quantum computers.”
How the Attack Works
At the core of the vulnerability is the CNOT gate, a common two-qubit operation.
In superconducting devices, frequent use of CNOTs generates noise that can spill over to neighboring qubits, a phenomenon known as crosstalk. QubitVise exploits this by deliberately loading circuits with many CNOTs and placing them physically around a victim circuit.
The attacker does not need privileged access. The team reports that the threat model assumes only basic, user-level permissions, the same as any ordinary tenant on a cloud platform. Because the malicious circuits resemble legitimate workloads such as the Quantum Approximate Optimization Algorithm, they are difficult to detect or block at the compiler level.
Testing on Rigetti’s Ankaa-3
To validate the approach, the researchers ran experiments on Rigetti’s Ankaa-3 processor via Amazon Braket.
They designed attacker circuits consisting of 18 CNOT gates and positioned them around common benchmark circuits — a Bell state, a four-qubit Ising model, and a six-qubit GHZ state — which served as victims. Each experiment was executed 1,000 times to measure statistical distributions of outcomes. The researchers compared the results of attacked circuits with reference circuits placed in “safe” regions of the chip, far from the attackers.
The difference was quantified using total variation distance, a metric for comparing probability distributions. Increases in this measure indicated how far the victim’s results deviated from normal when under attack.
Results: Errors Amplified
The findings show that double-sided attacks were consistently more damaging than single-sided ones. On average, total variation distance rose by 13 percent compared to one-sided interference, with maximum increases reaching 35 percent. In one case — a two-qubit Bell circuit — the increase hit 223 percent, though the team considered this an outlier. The results underscore how even small-scale attacks can meaningfully disrupt quantum computations. Larger circuits, such as GHZ states, were especially vulnerable, likely because they required longer runtimes and more gates, giving attackers more opportunity to interfere.
While many cyber-attacks are worrisome because they threaten to steal data, this attack does not enable data theft. Because of the no-cloning theorem and the cloud execution model, an adversary cannot read or extract another user’s results. Instead, the risk lies in data corruption: causing computations to yield wrong answers. For industries such as drug design or cryptography, even subtle corruption could undermine trust in quantum services.
It’s important to note that the method also assumes that providers adopt true multi-tenant scheduling — running different users’ circuits simultaneously on shared hardware. While most commercial services currently isolate jobs in time, the authors note that future scenarios may favor co-location to maximize throughput.
Classical Computer Attack Parallels
The attack is similar to attacks in classical computing, drawing parallels to classical cloud side-channel exploits, such as the Rowhammer attack in conventional memory or cache-timing leaks in processors. In each case, attackers exploit physical effects that transcend software boundaries. QubitVise demonstrates that quantum platforms, despite their novelty, face similar risks as they evolve into shared infrastructure.
The paper also builds on earlier research showing crosstalk-based vulnerabilities but extends it with a more powerful configuration. Prior efforts tested interference from one side of a qubit; QubitVise is the first to validate two-sided disruption on actual hardware with full circuits.
The study concludes with a call for stronger isolation mechanisms and secure scheduling policies in quantum cloud environments. Options may include stricter placement rules for circuits, automated detection of suspicious workloads, or physical design changes that reduce crosstalk.
For now, the attack remains primarily a research demonstration. But as cloud quantum computing matures, the work serves as an early warning that hardware-level vulnerabilities can be weaponized even without insider access, the researchers suggest.
