Subj : More security flaws found in popular AI chatbots and they could To : All From : TechnologyDaily Date : Fri Mar 15 2024 17:30:06 More security flaws found in popular AI chatbots and they could mean hackers can learn all your secrets Date: Fri, 15 Mar 2024 17:16:16 +0000 Description: A lot can be picked up by listening to the traffic, but researchers have a solution. FULL STORY ====================================================================== If a hacker can monitor the internet traffic between their target and the targets cloud-based AI assistant, they could easily pick up on the conversation. And if that conversation contained sensitive information - that information would end up in the attackers hands, as well. This is according to a new analysis from researchers at the Offensive AI Research Lab from Ben-Gurion University in Israel, who found a way to deploy side channel attacks on targets using all Large Language Model (LLM) assistants, save for Google Gemini. That includes OpenAIs powerhouse, Chat-GPT. The "padding" technique Currently, anybody can read private chats sent from ChatGPT and other services, Yisroel Mirsky, head of the Offensive AI Research Lab told ArsTechnica . This includes malicious actors on the same Wi-Fi or LAN as a client (e.g., same coffee shop), or even a malicious actor on the Internetanyone who can observe the traffic. The attack is passive and can happen without OpenAI or their client's knowledge. OpenAI encrypts their traffic to prevent these kinds of eavesdropping attacks, but our research shows that the way OpenAI is using encryption is flawed, and thus the content of the messages are exposed. Basically, in a bid to make the tool as fast as possible - the developers opened the doors to crooks picking up on the contents. When the chatbot starts sending back its response, it doesnt send it all at once. It sends small snippets, in the form of tokens, to speed the process up. These tokens may be encrypted, but as theyre being sent one by one, as soon as theyre generated, that allows the attackers to analyze them. The researchers analyzed the tokens size, length, the sequence through which they arrive, and more. The analysis, and subsequent refinement, resulted in decrypted responses which were almost identical to the ones seen by the victim. The researchers suggested developers do one of two things: either stop sending tokens one at the time, or fix all of them to the length of the largest possible packet, making analysis impossible. This technique, which they dubbed padding, was adopted by OpenAI and Cloudflare. More from TechRadar Pro LockBit ransomware still poses a major threat ScreenConnect under attack from new malware Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/more-security-flaws-found-in-popular-ai -chatbots-and-they-could-mean-hackers-can-learn-all-your-secrets --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .