
AI Image Watermarks Proven Ineffective Against New Attack

2025-07-23 · 3 minutes read
AI Security
Deepfakes
Cybersecurity

The Rising Tide of Deepfakes and the Search for a Solution

New research from the University of Waterloo’s Cybersecurity and Privacy Institute reveals a critical vulnerability in the fight against digital misinformation. Scientists have demonstrated that any artificial intelligence (AI) image watermark can be effectively removed, even if the attacker has no knowledge of the watermark's design or its presence in an image.

As AI-generated images and videos achieve new levels of realism, the threat of “deepfakes” looms large over politics, legal systems, and our personal lives. The concern is widespread among both citizens and legislators.

“People want a way to verify what’s real and what’s not because the damages will be huge if we can’t,” explains Andre Kassis, a PhD candidate in computer science and the study's lead author. “From political smear campaigns to non-consensual pornography, this technology could have terrible and wide-reaching consequences.”

Watermarking: The AI Industry's Proposed Silver Bullet

In response to these concerns, major AI companies, including OpenAI, Meta, and Google, have championed invisible encoded “watermarks” as a primary solution. The idea is that these secret digital signatures would allow publicly available tools to accurately differentiate between authentic photos and AI-generated content, all without revealing the proprietary watermarking methods.

Introducing UnMarker: A Universal Watermark Remover

The Waterloo research team, however, has developed a tool that challenges this entire premise. Their creation, called UnMarker, can successfully destroy these watermarks without needing any specific information about how they were encoded. UnMarker is the first practical and universal tool capable of removing watermarks in real-world scenarios. Its key advantage is that it operates without any knowledge of the watermarking algorithm, access to internal parameters, or interaction with a detection system. It works universally, stripping away both traditional and more advanced semantic watermarks without needing any customization.

How UnMarker Breaks the Code

So, how does it work? Dr. Urs Hengartner, an associate professor at Waterloo, explains the core principles. “While watermarking schemes are typically kept secret by AI companies, they must satisfy two essential properties: they need to be invisible to human users to preserve image quality, and they must be robust, that is, resistant to manipulation of an image like cropping or reducing resolution,” he states. “These requirements constrain the possible designs for watermarks significantly. Our key insight is that to meet both criteria, watermarks must operate in the image’s spectral domain, meaning they subtly manipulate how pixel intensities vary across the image.”

UnMarker exploits this constraint. Using a sophisticated statistical attack, the tool scans the image for unusual pixel frequency patterns—the tell-tale signs of a watermark. It then distorts these frequencies just enough to make the watermark unrecognizable to a detection tool, while leaving the image visually unchanged to the human eye.

A Wake-Up Call for Digital Trust

During testing, UnMarker proved remarkably effective, successfully removing watermarks more than 50 percent of the time across various AI models, including Google’s SynthID and Meta’s Stable Signature. This was achieved without any prior knowledge of the images' origins or the specific watermarking techniques used.

“If we can figure this out, so can malicious actors,” Kassis warns. “Watermarking is being promoted as this perfect solution, but we’ve shown that this technology is breakable. Deepfakes are still a huge threat. We live in an era where you can’t really trust what you see anymore.”

The team's findings, detailed in the paper “UnMarker: A Universal Attack on Defensive Image Watermarking,” were presented at the 46th IEEE Symposium on Security and Privacy, signaling a major challenge to the current strategies for combating AI-driven disinformation.
