# Bypassing SynthID Watermarks: A Technical Breakdown of the Attack on Google's AI Labeling
Developer Alosh Denny demonstrated a method for removing invisible SynthID watermarks that Google uses to identify images generated by the Gemini model. His approach fools the official SynthID detector, tricking the system into treating a fake image as original. This casts doubt on the reliability of current solutions for labeling generative content.
How SynthID Works and Its Vulnerabilities
SynthID is Google's digital watermarking system embedded in images created via Gemini. Unlike traditional watermarks, the mark is invisible to users and not stored in EXIF or other metadata. Instead, it's encoded into pixel values at a level imperceptible to humans but detectable by a specialized detector.
A key feature of SynthID is distributing the signal across the image's frequency components, with emphasis on the green color channel. This makes the mark resilient to simple manipulations (like JPEG recompression) but creates a potential attack vector: if an attacker can identify the watermark's frequency patterns, they can invert or suppress them.
Reverse-Engineering the Watermarks
For analysis, Alosh Denny used two test images: fully black and fully white. Running them through Gemini produced "clean" carriers containing only noise and the SynthID watermark, without any semantic content. This isolated the watermark signal from the visual content.
Spectral analysis (specifically, 2D discrete cosine transform) revealed characteristic frequency coordinates with the highest watermark concentration. It turned out the main contribution comes from the green channel in RGB space.
Based on this data, a dictionary of frequency positions was compiled for specific resolutions:
- 1024 × 1024 pixels — standard resolution for many generative models.
- 1536 × 2816 pixels — vertical format often used in mobile apps.
Important: since SynthID adapts watermark positions to the resolution, there's no universal solution — a separate profile is needed for each size.
Watermark Removal Algorithm
The removal process consists of these steps:
- Transform the image to the frequency domain (e.g., via DCT).
- Identify target frequencies based on the pre-collected dictionary.
- Invert or suppress the signal amplitude at these frequencies.
- Inverse transform back to the spatial domain.
It's critical to preserve low-frequency components responsible for the image's overall structure and composition. The author claims his method minimizes distortions: after processing, the PSNR (peak signal-to-noise ratio) stays at 43 dB, which means changes are practically imperceptible to the human eye.
Implications for the Generative Content Ecosystem
This successful attack on SynthID highlights a fundamental issue with all invisible watermarks: if the detection algorithm is public or reversible, a bypass will eventually be found. This is especially relevant amid rising AI content fraud — from fake news to bogus reviews and product images.
Google hasn't released an updated SynthID version with protection against such attacks yet. However, experts suggest ways to boost resilience:
- Adaptive, content-dependent marks.
- Encrypting frequency positions using a secret key.
- Combining multiple marking methods (e.g., metadata + pixel level + blockchain registry).
For now, any service relying solely on the SynthID Detector is vulnerable to these manipulations.
Key Takeaways
- SynthID uses an invisible frequency-based mark, primarily in the green channel.
- The attack relies on reverse-engineering via analysis of clean images (black/white background).
- Removal is only possible with known image resolution — requires a profile for each size.
- Image quality after processing remains high (PSNR ≈ 43 dB).
- The current SynthID implementation lacks cryptographic protection for the signal.
— Editorial Team
No comments yet.