Talking to AI chatbots should be done with caution, as it seems that hackers can easily eavesdrop on these exchanges.
Yisroel Mirsky, head of the Offensive AI Research Lab at Ben-Gurion University in Israel, told Ars Technica by email: “At the moment, anybody can read private chats sent from ChatGPT and other services. This includes malicious actors on the same Wi-Fi or LAN as a client (e.g., same coffee shop), or even a malicious actor on the internet — anyone who can observe the traffic.”
According to the paper, these kinds of intrusions are referred to as “side-channel attacks,” since instead of breaking through security barriers, third parties infer data passively from metadata or other indirect exposures. Any technology can be vulnerable to this kind of attack, but AI chatbots seem especially susceptible, since the way they apply encryption isn’t always up to par.
The researcher disclosed: “The attack is passive and can happen without OpenAI or their client’s knowledge. OpenAI encrypts their traffic to prevent these kinds of eavesdropping attacks, but our research shows that the way OpenAI is using encryption is flawed, and thus the content of the messages is exposed.”
Side-channel attacks are less intrusive than other hacking techniques, but according to Ars they can roughly deduce a given chatbot query with 55 percent accuracy, making it easier for malicious actors to tell when a user asks an AI a sensitive question.
Although the Ben-Gurion researchers are mostly interested in encryption mistakes in OpenAI’s service, the article shows that the method works against the majority of chatbots available today, with the possible exception of Google’s Gemini, for whatever reason.
This problem stems from the fact that chatbots rely on encoded units of text, or “tokens,” so that large language models (LLMs) can translate inputs quickly and intelligibly. These tokens are frequently sent out quickly to create a “conversation” between the user and the chatbot, which looks more like a person typing a response than a paragraph-long reply arriving all at once.
The tokens themselves create a side channel that researchers were previously unaware of, even though the delivery mechanism is typically encrypted. The Ben-Gurion researchers explain in a recent publication that anyone with access to this real-time data could deduce your prompts from the tokens they observe, much like working out the subject of a quiet conversation overheard through a wall or door.
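As an added illustration (not code from the article or from the researchers’ paper), the Python sketch below shows why streaming one token per encrypted record exposes each token’s length to a passive observer, and how padding every record to a fixed size removes that signal while the legitimate client still recovers the text. The cipher is a constructed stand-in for a stream/AEAD cipher, and the token list is a constructed sample.

```python
import hashlib

# Constructed sample reply, split into the tokens a streaming chatbot would emit.
# Assumption for the demo: the server sends one encrypted record per token.
TOKENS = ["The", " capital", " of", " France", " is", " Paris", "."]
TAG_LEN = 16  # AEAD ciphers such as AES-GCM append a fixed-size authentication tag

def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Not real TLS, but like
    any stream or AEAD cipher its ciphertext is exactly as long as the plaintext."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_record(key: bytes, seq: int, pt: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, seq, len(pt))))
    return ct + b"\x00" * TAG_LEN  # constant-size tag placeholder

def decrypt_record(key: bytes, seq: int, rec: bytes) -> bytes:
    ct = rec[:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, seq, len(ct))))

def stream_naive(key: bytes, tokens):
    """One record per token: the record size tracks the token size exactly."""
    return [encrypt_record(key, i, t.encode()) for i, t in enumerate(tokens)]

def stream_padded(key: bytes, tokens, block: int = 32):
    """Mitigation: length-prefix each token and pad it to a fixed block size,
    so every record on the wire is the same size whatever the token length."""
    recs = []
    for i, t in enumerate(tokens):
        b = t.encode()
        assert len(b) < block, "token longer than block; use a larger block or split it"
        recs.append(encrypt_record(key, i, bytes([len(b)]) + b.ljust(block - 1, b"\x00")))
    return recs

def unpad_stream(key: bytes, recs):
    """Receiver side: the padding is transparent to the legitimate client."""
    out = []
    for i, r in enumerate(recs):
        pt = decrypt_record(key, i, r)
        out.append(pt[1:1 + pt[0]].decode())
    return out

def observed_lengths(recs):
    """All a passive on-path observer learns: record sizes minus the fixed tag."""
    return [len(r) - TAG_LEN for r in recs]
```

With the naive stream, `observed_lengths` reproduces the per-token lengths of the sample reply; with the padded stream every record is 32 bytes and the sequence carries no information about the tokens.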
As they describe in their as-yet-unpublished work, Mirsky and his colleagues at Ben-Gurion documented the exploit by feeding the raw data obtained through this unintentional side channel into a second LLM trained to recognize keywords. They found that the LLM had about a 50/50 chance of figuring out the general subject of a prompt and could reproduce it almost exactly 29 percent of the time.
Microsoft, whose Copilot AI is also affected, told Ars in a statement that the exploit does not jeopardize personal information.
According to a Microsoft representative quoted in the report, “specific details like names are unlikely to be predicted.” “We are committed to helping protect our customers against these potential attacks and will address it with an update.”
The results are concerning because they could be used to hurt or punish people who are simply looking for information on sensitive subjects like abortion or LGBTQ issues, both of which are becoming illegal in parts of the US right now.