Aliya Sternstein
Current and former military officers are warning that adversaries are likely to exploit a natural flaw in artificial intelligence chatbots to inject instructions for stealing files, distorting public opinion or otherwise betraying trusted users.
The vulnerability to such “prompt injection attacks” exists because large language models, the backbone of chatbots that digest hordes of user text to generate responses, cannot distinguish between malicious and trusted user instructions.
“The AI is not smart enough to understand that it has an injection inside, so it carries out something it’s not supposed to do,” Liav Caspi, a former member of the Israel Defense Forces cyberwarfare unit, told Defense News.
In effect, “an enemy has been able to turn somebody from the inside to do what they want,” such as deleting records or biasing decisions, according to Caspi, who co-founded Legit Security, which recently spotted one such security hole in Microsoft’s Copilot chatbot.
“It’s like having a spy in your ranks,” he said.
Former military officials say that, with greater reliance on chatbots and hackers backed by China, Russia and other nations already instructing Google’s Gemini, OpenAI’s ChatGPT and Copilot to create malware and fake personas, a prompt injection that orders the bots themselves to copy files or spread lies looms near.
Microsoft’s annual digital defense report, released last month, for the first time said, “AI systems themselves have become high-value targets, with adversaries amping up use of methods like prompt injection.”
What’s more, the problem of prompt injection has no easy solution, OpenAI and security researchers say.
An attack simply involves hiding malicious instructions — sometimes in white or tiny text — in a chatbot or content that the chatbot reads, such as a blog post or PDF.
No comments:
Post a Comment