By Chester Wisniewski
The technology world was on fire in the waning months of 2022 about the latest artificial intelligence demonstration by OpenAI, ChatGPT. It is truly a remarkable achievement: an artificial intelligence (AI) that you can have a conversation with and ask to do everything from writing essays to coding computer programs.
As a computer security expert, I immediately did what comes naturally to people like me: I tried to hack it. Could I get it to do something bad, something malicious? Could this be abused by criminals or spies to enable new types of cybercrime?
The answer, of course, as with most tools, is yes. Someone with ill intent can abuse these miraculous scientific achievements to do things that could likely cause harm. The surprising part, however, is that the danger lies in the social arena, not the technical one.
While ChatGPT can be tricked into writing malicious computer code, that isn’t really all that scary. Computer code can be analyzed by computer security products in milliseconds and deemed to be malicious or safe with a high degree of certainty. Technology can always counteract technology. The problems surface when what we are trying to detect isn’t computer code, but rather words and meaning that will be interpreted by humans, not machines.
There are two factors that make this dangerous. The first is that, up until now, it was not practical to have a computer create tempting lures that trick victims into interacting with them. The technology is now not only available, but so easily accessible as to be cheap or even free. The second is that the primary way users keep themselves safe today is by noticing attackers' mistakes in grammar and spelling, which signal that an email or other communication may be from an intruder.
If we take away the last remaining sign that a malicious email or chat message was crafted carelessly by someone without a strong command of the language, how will we defend ourselves?
Here is an example of an existing spam lure. It is relatively unsophisticated and has few words of explanation. I asked ChatGPT to write a more informative letter of the same type and you can see its output in the second example.
(Chester Wisniewski is the Field CTO for Applied Research at Sophos).