ChatGPT: The consequences for cybersecurity.
[Cybersecurity]: Cybersecurity is the prevention of attacks, intrusions, and abuse of computer systems and networks. This includes protecting computers, servers, networks, cell phones and the stored data. Cybersecurity aims to protect organizations and individuals from malicious online activities, such as identity theft, fraud, malware distribution, and network attacks.
This is a definition of cybersecurity given by the technology at the heart of all discussions for several weeks: The ChatGPT.
[While we could also have asked him to write his own biography, we decided to be wise and stop the test here].
Why is this tool so popular?
Launched in November 2022 by Open AI, an American research organization based in San Francisco that was previously unknown to the general public, ChatGPT embodies, at the beginning of 2023, a real revolution with already more than 1 million users worldwide.
And Sam Altman and Elon Musk, both founding chairmen of open AI, are well aware of this.
A look back at the “Beta” version of a tool soon to be valued at over $29 billion.
Its main features
ChatGPT (Generative Pre-Trained Transformer), is a chatbot that uses Transformers to generate responses to typed text, allowing it to engage in natural conversation, providing convincing answers with impressive accuracy.
These models were trained on large amounts of data from the Internet and written by humans, including conversations, so that the answers provided are most relevant and natural.
It is based on what is called reinforcement learning, in other words the ability to learn as you interact with humans.
It uses machine learning techniques to improve its predictions. This is, by the way, the very principle of Artificial Intelligence: working on existing data.
Described as having the ability to explore possibilities that are almost beyond the constraints of our everyday reality, its capabilities have continued to amaze the world since its release, equipped with very solid technology.
Free and open to all, its use, simple and intuitive (despite the many tutorials that have appeared on Youtube to use it), gives it an additional advantage.
What future for ChatGPT
So we haven’t heard the last of this revolutionary tool, because Microsoft, an initial investor in the project to the tune of 1 billion dollars, could be one of the first to take hold of the phenomenon and integrate it into many of its products.
And if the secret is, for the moment, well kept, it seems that the project to dominate all consumer AI is becoming more and more concrete with a new investment of up to 10 billion dollars planned in the near future.
Microsoft would thus become the first shareholder of OpenAI, and the implementation in software of its world-famous flagship suite Office would become a reality.
Should this intelligence worry the cybersecurity world?
Yes, this AI is already being debated around the world.
As with any innovation, it will be necessary to take a certain level of perspective in order to understand the potential risks of misuse of the tool.
The bad news is, many testimonies are already emerging on the web, relating how experienced or not people could, in a few minutes, exploit the technology for malicious purposes.
Configured to reject inappropriate requests, the ChatGPT technology still has some shortcomings.
Generation of phishing mails (more or less convincing), generation of evasion code, it remains possible for now to divert the protections applied by the technology, preventing ChatGPT from providing directly criminal answers, such as the writing of malicious code, or the recipe of a homemade bomb; but allowing an expert to make use of these answers there to, for example, allow the generation of code necessary to write malicious software.
This dual-use nature therefore poses risks to the technology, and while it is the responsibility of creators to reduce the abuse, it will be impossible for them to completely prevent bad actors from using it for harmful purposes.
The problem with these protections lies in whether or not the AI recognizes whether the user is trying to write malicious code, for example, and whether the warning message generated actually blocks a user’s request.
Consider this experiment, which we conducted ourselves: we gave the code of an XSS-vulnerable application to ChatGPT, asking it if the application had a vulnerability.
The chat then managed to find the XSS.
We now ask him how to exploit this XSS, and here is his answer :
Generally speaking, we then ask him how to steal data to possibly conduct attacks, and the answer he provides turns out to be far too specific :
A real potential, but real limits : Is this a democratization of cybercrime?
For the AI field, the ability of some researchers to find such loopholes that allow them to bypass the use of ChatGPT at lightning speed illustrates the vulnerabilities inherent in all emerging technologies, potentially outpacing the human ability to secure them.The case of the Mirai botnet and its DDoS attacks in 2017 also illustrates this phenomenon, mistaking IoT devices for prime targets for hackers.
Its long-term impact therefore remains questionable; by sometimes lowering the barriers for cybercriminals, it has the potential to accelerate threats in the cybersecurity landscape, rather than reduce them.
And while this is also a matter of perspective, others would argue that it has much more to offer to attackers than to their targets.
This reopens the eternal debate: Can AI be ethical?
It is in this paradoxical context that the security of your systems and data remains the keystone and requires flawless protection.