The researchers tested their AI agent on 15 known vulnerabilities in open-source software, including bugs affecting websites, containers, and Python packages. What’s concerning is that eight of these vulnerabilities were classified as “high” or “critical” in severity
Artificial intelligence (AI) is constantly evolving, and with it, so are the threats it poses. Recent research from the University of Illinois Urbana-Champaign (UIUC) suggests that AI agents equipped with GPT-4, a cutting-edge language model, could potentially exploit real-world vulnerabilities with alarming ease.
Until now, AI has mainly been utilised by threat actors for tasks like generating phishing emails or aiding in less critical aspects of cyber campaigns. However, the UIUC researchers have shown that with GPT-4 and an open-source framework, hackers could automate the exploitation of vulnerabilities as soon as they’re disclosed.
The researchers tested their AI agent on 15 known vulnerabilities in open-source software, including bugs affecting websites, containers, and Python packages. What’s concerning is that eight of these vulnerabilities were classified as “high” or “critical” in severity. Furthermore, 11 of them were disclosed after GPT-4 was trained, meaning it was the first time the model encountered them.
Daniel Kang, one of the researchers involved, acknowledges the potential threat posed by malicious AI but emphasizes that, for now, it doesn’t provide capabilities beyond what an expert human could achieve. Nonetheless, organizations must prioritize security best practices to defend against evolving threats.
If hackers start using AI agents to exploit vulnerabilities automatically, companies can’t afford to be complacent about patching new bugs. They might even need to adopt similar AI technologies themselves to counter these threats effectively.
Despite its potential, GPT-4 isn’t flawless. Henrik Plate, a security researcher at Endor Labs, highlights that while GPT-4 outperformed other models in certain tasks, it still produced false positives and false negatives, especially when dealing with obfuscated code.
Plate suggests that while AI-based assessments shouldn’t replace manual reviews entirely, they can complement them by automatically reviewing a large volume of signals, including those generated by noisy detectors.
While AI-driven threats are on the rise, so too are the strategies to counter them. It’s imperative for organizations to stay vigilant and adapt their security measures accordingly in the face of evolving cyber threats.