Cybersecurity researchers at Microsoft have identified a critical flaw in modern artificial intelligence (AI) systems: an attacker watching network traffic could infer what you are discussing with a chatbot, without ever breaking the encryption that is meant to keep your chats private.
The attack technique, dubbed Whisper Leak, is a type of “man-in-the-middle” attack in which an adversary positioned on the network observes messages as they travel between user and server. It works because the attacker can read the messages’ metadata and infer their content from it, even though the messages themselves remain encrypted.
“I’m not surprised,” cybersecurity analyst Dave Lear told Live Science. “LLMs are a potential treasure trove given the amount of information people put into them, not to mention the amount of medical data they could contain. Since hospitals are using LLMs to classify test data, sooner or later someone was bound to find a way to extract that information.”
A newly discovered vulnerability in AI chatbots
Generative AI systems like ChatGPT are powerful tools that generate responses to a series of prompts, much like the virtual assistants on smartphones. Large language models (LLMs), a subset of generative AI, are trained on vast amounts of data to produce those text-based responses.
Conversations that users have with LLMs are typically protected by Transport Layer Security (TLS), an encryption protocol that prevents communications from being read by eavesdroppers. The researchers, however, were able to infer the content of communications between users and chatbots from the metadata alone.
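Why doesn’t encryption hide this? With a modern cipher such as AES-GCM, the default in TLS 1.3, ciphertext length is simply plaintext length plus a fixed-size authentication tag, so anyone watching packet sizes is effectively watching message sizes. The snippet below, a minimal sketch using the third-party Python "cryptography" package, demonstrates that relationship; it is an illustration, not part of the Microsoft research.

```python
# Encryption hides content, not length: with AES-GCM, ciphertext
# length is always plaintext length plus a fixed 16-byte tag.
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

key = AESGCM.generate_key(bit_length=128)
aead = AESGCM(key)

for msg in [b"hi", b"how is money laundered?"]:
    nonce = os.urandom(12)               # fresh nonce per message
    ct = aead.encrypt(nonce, msg, None)  # ciphertext + 16-byte tag
    print(len(msg), "->", len(ct))       # the size difference is constant
```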
Metadata is essentially data about data (attributes such as the size and frequency of messages), and it can often be more valuable than the content of the message itself. Although the content of messages between humans and LLMs remained secure, the researchers were able to infer the subject matter of those messages by intercepting them and analyzing their metadata.
They accomplished this by analyzing the size of the encrypted data packets (small, formatted units of data sent over a network) that carry LLM responses. From packet timing, sizes, and the sequences of token lengths they reveal, the researchers developed a set of attack techniques that reconstruct plausible content of a message without ever bypassing the encryption.
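To make the idea concrete, here is a toy sketch of how an observer might turn captured packet metadata into a topic classifier. The traces, feature scheme, and simple logistic-regression model below are hypothetical stand-ins for illustration only; they are not Microsoft’s actual attack pipeline.

```python
# Illustrative sketch only: a toy topic classifier built from packet
# metadata. Traces, features, and model are hypothetical stand-ins.
import numpy as np
from sklearn.linear_model import LogisticRegression

MAX_PACKETS = 50  # pad/truncate every trace to a fixed length

def trace_to_features(trace):
    """Flatten a list of (packet_size_bytes, inter_arrival_secs)
    pairs into a fixed-length numeric feature vector."""
    flat = [value for packet in trace[:MAX_PACKETS] for value in packet]
    flat += [0.0] * (2 * MAX_PACKETS - len(flat))
    return np.array(flat)

# Hypothetical labeled captures: 1 = sensitive topic, 0 = anything else.
traces = [
    ([(310, 0.05), (295, 0.04), (330, 0.06)], 1),
    ([(120, 0.02), (135, 0.03)], 0),
    ([(305, 0.05), (300, 0.05), (325, 0.07)], 1),
    ([(110, 0.02), (140, 0.02), (125, 0.03)], 0),
]
X = np.stack([trace_to_features(trace) for trace, _ in traces])
y = np.array([label for _, label in traces])

model = LogisticRegression().fit(X, y)

# Classify a newly observed, still fully encrypted, conversation.
new_trace = [(315, 0.05), (290, 0.04)]
print(model.predict([trace_to_features(new_trace)]))
```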
In many ways, the Whisper Leak attack is a more sophisticated version of the internet monitoring provided for under the UK’s Investigatory Powers Act 2016, which infers the nature of a message from its sender, timing, size, and frequency without reading the content itself.
“To put this in perspective, if a government agency or internet service provider monitors traffic to popular AI chatbots, they can reliably identify users asking questions about specific sensitive topics, such as money laundering, political dissent, or other targeted topics, even though all traffic is encrypted,” security researchers Jonathan Bar Or and Geoff McDonald wrote in a blog post published by the Microsoft Defender Security Research Team.
LLM providers have various techniques available to reduce this risk. For example, random padding (adding a random number of extra bytes to each message to thwart inference) can be applied to the response field, masking the true length of each packet and making its size far less predictable.
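Here is a minimal sketch of what such padding could look like on the provider side, assuming a JSON-framed streaming response; the framing, field names ("t", "p"), and size range are illustrative assumptions, not any provider’s actual wire format.

```python
# Illustrative sketch of the random-padding mitigation on the server.
import os
import json
import secrets

def pad_chunk(token_text: str, max_pad: int = 64) -> bytes:
    """Serialize one streamed response chunk with 0..max_pad random
    filler bytes, so ciphertext size no longer tracks token length."""
    pad_len = secrets.randbelow(max_pad + 1)
    filler = os.urandom(pad_len).hex()  # hex keeps the payload JSON-safe
    return json.dumps({"t": token_text, "p": filler}).encode("utf-8")

# The same token now yields a different on-the-wire size each time,
# blunting size-based inference.
for _ in range(3):
    print(len(pad_chunk("hello")))
```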
Whisper Leak’s core flaw is an architectural consequence of how LLM services are deployed. Mitigating the vulnerability is not an insurmountable challenge, the researchers said, but the fix has not been universally implemented by LLM providers.
Until providers address the flaw, the researchers said, users should avoid discussing sensitive topics on untrusted networks and check whether their provider has mitigations in place. A virtual private network (VPN) can add a further layer of protection by obscuring a user’s identity and location.
