If an attacker can observe the network traffic between a target and the target's cloud-based AI assistant, the attacker can reconstruct the conversation. If that conversation contains sensitive information, it ends up in the attacker's hands as well.
This is the finding of a new analysis by researchers at Ben-Gurion University's Offensive AI Research Laboratory in Israel, who demonstrated a side-channel attack that works against every major Large Language Model (LLM) assistant they tested except Google Gemini.
That includes OpenAI's ChatGPT.
The “padding” technique
“Currently, anyone can read private chats sent from ChatGPT and other services,” Yisroel Mirsky, head of the Offensive AI Research Laboratory, told Ars Technica.
“This includes malicious actors on the same Wi-Fi or LAN as a customer (for example, in the same coffee shop), or even a malicious actor on the Internet: anyone who can observe the traffic. The attack is passive and can occur without the knowledge of OpenAI or its client. OpenAI encrypts its traffic to prevent these types of eavesdropping attacks, but our research shows that the way OpenAI uses encryption is flawed and therefore the content of messages is exposed.”
The root cause is a performance optimisation. When the chatbot generates a response, it does not wait for the whole answer and send it at once; it streams the reply in small fragments, one token at a time, so that text appears on the user's screen as soon as it is produced. Each fragment is encrypted, but encryption hides the content of a packet, not its size or timing. Because every token travels in its own packet the moment it is generated, an observer sees one packet per token, and the length of each packet reveals the length of the token inside it.
The researchers analysed the sequence of packet sizes, and hence token lengths, together with the order in which they arrived, then used a language model trained to predict text from such length sequences. After refinement, the reconstructed responses were close to identical to what the victim actually saw.
The researchers suggested that developers do one of two things: stop sending tokens one at a time (batch several tokens into each packet), or pad every token to the largest possible packet length so that all packets are the same size and their lengths reveal nothing. The second technique, which they call “padding,” was adopted by OpenAI and Cloudflare.
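The leak described in the two paragraphs on streaming and the two mitigations above, as an added illustration that is not code from the researchers or from any vendor: a small Python model of what an on-path observer sees. It assumes a constant per-record encryption overhead (`RECORD_OVERHEAD`, as a TLS 1.3 AEAD record without record padding would give), a fixed-size streaming envelope around each token (`sse_chunk`, a simplified stand-in for a real streaming API chunk), a crude stand-in tokenizer (`demo_tokenize`) and a hypothetical pad size (`PAD_TO`); the sample reply is constructed.

```python
"""Toy model of the token-length side channel in streamed LLM replies, and the
batching and padding mitigations.

Assumptions, not taken from the article:
  * ciphertext length = plaintext length + a constant RECORD_OVERHEAD (the
    behaviour of a TLS 1.3 AEAD record with no record padding);
  * each streamed token is wrapped in a fixed-size server-sent-event JSON
    envelope (a simplified stand-in for a real streaming API chunk);
  * demo_tokenize() is a crude whitespace/punctuation splitter standing in
    for a real tokenizer.
"""
import json
import re

RECORD_OVERHEAD = 5 + 16 + 1   # hypothetical: record header + AEAD tag + content-type byte
PAD_TO = 64                    # hypothetical fixed chunk size for the padding mitigation


def demo_tokenize(text):
    """Crude tokenizer: words keep their leading space, punctuation stands alone."""
    return re.findall(r" ?[A-Za-z0-9']+|[^\sA-Za-z0-9]", text)


def sse_chunk(token):
    """One streaming chunk carrying one token. The envelope is the same size
    every time, so only the token's length varies between chunks."""
    return ("data: " + json.dumps({"delta": {"content": token}}) + "\n\n").encode()


WRAPPER_LEN = len(sse_chunk(""))   # constant part of every chunk (34 bytes here)


def observed_sizes(tokens, pad_to=None, batch=1):
    """Ciphertext sizes an on-path observer sees for a streamed reply.

    batch  : how many tokens the server groups into one record (1 = the
             vulnerable one-token-per-packet behaviour).
    pad_to : if set, plaintext is padded up to a multiple of this size before
             encryption, so chunk sizes no longer track token lengths.
    """
    sizes = []
    for i in range(0, len(tokens), batch):
        plaintext = b"".join(sse_chunk(t) for t in tokens[i:i + batch])
        if pad_to is not None:
            padded_len = -(-len(plaintext) // pad_to) * pad_to   # round up
            plaintext = plaintext.ljust(padded_len, b"\x00")
        sizes.append(len(plaintext) + RECORD_OVERHEAD)
    return sizes


def infer_token_lengths(sizes):
    """Attacker's first step: strip the constant overheads from each observed
    packet size to recover the character count of every token. Turning these
    lengths back into text is what the researchers' reconstruction model does;
    it is not reproduced here."""
    return [s - RECORD_OVERHEAD - WRAPPER_LEN for s in sizes]


if __name__ == "__main__":
    # constructed sample reply; any text works
    tokens = demo_tokenize("Hello, my password is hunter2.")
    print("tokens        :", tokens)
    print("leaked lengths:", infer_token_lengths(observed_sizes(tokens)))
    print("padded sizes  :", observed_sizes(tokens, pad_to=PAD_TO))
    print("batched sizes :", observed_sizes(tokens, batch=len(tokens)))
```

Run as-is, the unpadded record sizes map one-to-one onto token lengths even though every byte of content is encrypted; with `pad_to` set every record is the same size, and with batching the observer sees a single record instead of one per token. The attacker's hard part, turning a sequence of lengths back into text, is deliberately left out. Two caveats a practitioner will want: padding costs bandwidth (here roughly 50% extra on short tokens), and nothing in the attack breaks the cipher, which is why the leak survives TLS and has to be fixed at the application layer.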