AI Assistants, Apart From Google Gemini, Are Spilling Your Secrets
Passively Purloining Private Packets
AI assistants have been in the news lately, and not in the way their designers hoped. If the Morris 2 self-replicating AI worm wasn’t enough to make you question their use, perhaps realizing that people can read the supposedly encrypted responses to your queries will give you pause. The man-in-the-middle attack is ridiculously easy to accomplish, relatively effective, and completely undetectable. The queries you send can be observed by anyone on the same network you use to communicate with the AI assistant; it doesn’t require any malware to be installed or credentials to be acquired or faked. The problem is that the encryption used is flawed, and an LLM can be trained to decrypt the AI assistant’s responses to your questions; Google’s Gemini is the only exception.
The researchers who discovered the flaw were able to determine the topic you are asking about over 50% of the time and could extract the entire message 29% of the time. Since the attack only requires someone to observe your traffic, there is no way to know whether your queries are being eavesdropped on. To make things worse, the LLM trained to decrypt the traffic will probably only get more accurate as it gets more training data.
Ars Technica delves into the specifics of the attacks, or you could ask your AI assistant if you dare.
With the exception of Google Gemini, all widely available chat-based LLMs transmit tokens immediately after generating them, in large part because the models are slow and the providers don't want users to wait until the entire message has been generated before sending any text. This real-time design plays a key role in creating the side channel.
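To make the quoted point concrete, here is an added example (not code from this post, from Ars Technica, or from the researchers) that models what a passive observer on the path sees when each token is sent as its own encrypted record, and shows two defensive changes, fixed-size padding and batching several tokens per record, that remove the per-token length signal. It assumes a simplified AEAD model in which ciphertext length equals payload length plus a constant overhead; `AEAD_OVERHEAD`, the token list and all function names are constructed for the demonstration.

```python
"""Added example (not from the post or the researchers): why sending one
token per encrypted record leaks, and how fixed-size records hide it.
Simplifying assumption: each record is an AEAD ciphertext, so its length
is payload length plus a constant overhead."""

AEAD_OVERHEAD = 16  # constructed: e.g. a 16-byte authentication tag

def observed_lengths(records: list[bytes]) -> list[int]:
    """All a passive observer on the path sees: one length per record."""
    return [len(r) + AEAD_OVERHEAD for r in records]

def infer_payload_lengths(lengths: list[int]) -> list[int]:
    """The observer's inference: strip the constant overhead."""
    return [n - AEAD_OVERHEAD for n in lengths]

def stream_per_token(tokens: list[str]) -> list[bytes]:
    """Leaky design: each token goes out as soon as it is generated."""
    return [t.encode() for t in tokens]

def pad_record(payload: bytes, block: int) -> bytes:
    """Length-prefix the payload and zero-pad to a multiple of `block`."""
    body = len(payload).to_bytes(2, "big") + payload
    return body + b"\x00" * (-len(body) % block)

def unpad_record(record: bytes) -> bytes:
    """Receiver side: read the length prefix and drop the padding."""
    n = int.from_bytes(record[:2], "big")
    return record[2:2 + n]

def stream_padded(tokens: list[str], block: int = 32) -> list[bytes]:
    """Mitigation 1: every record is padded to the same block size, so
    token lengths up to block-2 bytes are indistinguishable on the wire."""
    return [pad_record(t.encode(), block) for t in tokens]

def stream_batched(tokens: list[str], group: int = 4, block: int = 64) -> list[bytes]:
    """Mitigation 2: buffer `group` tokens per padded record, giving the
    observer fewer and coarser samples at a small latency cost."""
    return [pad_record("".join(tokens[i:i + group]).encode(), block)
            for i in range(0, len(tokens), group)]

if __name__ == "__main__":
    tokens = ["The", " capital", " of", " France", " is", " Paris", "."]  # constructed
    print("per-token :", infer_payload_lengths(observed_lengths(stream_per_token(tokens))))
    print("padded    :", infer_payload_lengths(observed_lengths(stream_padded(tokens))))
    print("batched   :", infer_payload_lengths(observed_lengths(stream_batched(tokens))))
    assert [unpad_record(r).decode() for r in stream_padded(tokens)] == tokens
```

The per-token stream reproduces the exact token lengths `[3, 8, 3, 7, 3, 6, 1]` from record sizes alone, while the padded and batched streams show only `[32, 32, ...]` and `[64, 64]`.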
More Tech News From Around The Web
- Google’s Safe Browsing Protection in Chrome Goes Real-Time @ Slashdot
- The end of classic Outlook for Windows is coming. Are you ready? @ The Register
- Walmart resurrects the M1 MacBook Air as an entry-level $699 laptop @ Ars Technica
- StopCrypt: Most widely distributed ransomware evolves to evade detection @ Bleeping Computer
- Can a classical computer tell if a quantum computer is telling the truth? @ Physics World
- Leaked docs hint Google may use SiFive RISC-V cores in next-gen TPUs @ The Register
- Trying Out Microsoft’s Pre-Release OS/2 2.0 @ Slashdot
- Banish OEM self-signed certs forever and roll your own private LetsEncrypt @ Ars Technica
- Voyager 1 starts making sense again after months of babble @ The Register
- McDonald’s IT systems outage impacts restaurants worldwide @ Bleeping Computer
- Caffeine makes fuel cells more efficient, cuts cost of energy storage @ The Register
- Tech support firms Restoro, Reimage fined $26 million for scare tactics @ Bleeping Computer
- Massively Popular Safe Locks Have Secret Backdoor Codes @ Slashdot
- Anycubic Photon Mono M5S 12K 3D Printer Review @ NikKTech
- MSI AXE5400 WiFi-6E USB adapter @ Guru of 3D
- TT Show Episode 26 – Dune gets an epic new game and Samsung sends Galaxy phones into Space