Moreover, the researchers raised concerns regarding the inadequate design of the AI system’s structures.
As reported by Wired, there is a current development in the creation of AI worms capable of extracting sensitive data and circumventing the security protocols of relational AI platforms such as Google’s Gemini and OpenAI’s ChatGPT.
A collaborative effort involving researchers from Cornell University, Technion-Israel Institute of Technology, and Intuit led to the inception of the second conceptual AI insect named “Morris II.” This AI entity is designed to either extract data or propagate malware across interconnected systems. The nomenclature pays homage to the original internet worm introduced in 1988. This advancement signifies a new avenue for potential cyber threats, as elucidated by Ben Nassi, a researcher at Cornell Tech.
By targeting a conceptual AI network to pilfer email contents and dispatch messages, the AI insect could potentially breach the security protocols of platforms like ChatGPT and Gemini.
The development of this relational AI worm was facilitated through an “adversarial self-replicating fast” technique. This mechanism compels the conceptual AI model to produce diverse responses. Subsequently, the researchers integrated relational AI capabilities into ChatGPT, Gemini, and the open-source LLM to establish an email system capable of sending and receiving messages. Furthermore, they unearthed two methods for leveraging this program: employing a text-based self-replicating swift and embedding the topic within an image document.
In a simulated scenario, the researchers assumed the role of an attacker and initiated contact with a malicious prompt. By utilizing search-mixed generation, which enables LLMs to access external data sources, they contaminated the inbox assistant’s repository. The retrieval-augmented technology effectively bypasses the GenAI services, intercepting an email response to a user query and redirecting it to GPT-4 or Gemini Pro for further processing, according to Mr. Nassi. Consequently, this results in the unauthorized extraction of information from the email exchanges.
The compromised response, containing sensitive user data, subsequently infects new recipients when used to reply to an email addressed to a fresh client and stored in the recipient’s database, Mr. Nassi elaborated.
The second approach involves forwarding any image, be it an email, illicit content, or promotional material, to new recipients subsequent to the initial email transmission, as highlighted by the researcher.
A video demonstration showcasing these findings reveals the perpetual forwarding of messages by the email program. The researchers emphasize their ability to access internet data, encompassing confidential information such as names, phone numbers, credit card details, and SSNs.
Furthermore, the researchers cautioned against the flawed structural design of the AI system. They promptly notified Google and OpenAI about their discoveries. A spokesperson from OpenAI acknowledged the vulnerability exploited through prompt injection, emphasizing the importance of fortifying systems against such threats and advocating for stringent input validation protocols among developers.
