A.I. Makes Formerly Unattractive Devices The Next Targets For Cyber Crime

Prior to this article, my care about AI was relegated to trying to beat the next higher robot in my favorite C64 game of all time “Paradroid’ (C64 fans).

However, with the advancement of AI based exploits, it’s probably time to address this new and growing threat and bring awareness to those less than technical people who control the budgets.?It appears that the world is quite unprepared for the advancing rise of machine based exploits and the need for counter measures to check this increasing threat.

OS Malaise

In a world where most of the exploits are written for low hanging fruit (IE windows devices), many in IT have been lulled into a false sense of security by choosing to ignore those technologies which are “unpopular” for hackers.?Endpoints like Linux, MacOS, IoT devices and even ChromeOS have been largely ignored by the hacker community, since writing an exploit for these devices don’t have the massive install base to warrant extensive development time.

Often, these low value operating systems have been ignored, relying on obscurity over security. (How many times have I thought to myself “I really should update the firmware on my RING doorbell”)

As we enter a new era of AI generated exploits and malware, it’s likely that we will see a much greater focus on those endpoints that have formerly been ignored.?As the world economy enters greater pressures in food production and financial competition, we might see more countries adopt a model similar to North Korea, where state initiatives, both locally and nationally are funded by stolen resources.?With most countries toying with the decision to use a cryptocurrency as a replacement for?fiat currency, we should expect the amount of petty and large-scale financial crimes to impact every aspect of our culture.?Less targeted endpoints, combined with new attack vectors that are easier to exploit, make for attractive new targets for small and large cybercrime. AI offers a low intellectual investment, as these once ignored attack vectors become as targeted as traditional operating systems like Windows.

Application specific exploits are another way for cyber criminals to gain further access to financial rewards. Similar to the above example where hackers targeted applications with a large install base, those smaller applications with a limited number of users, make new attractive targets for AI generated cybercrime.

AI Can Be Used To Generate Exploits Quickly and Easily

Artificial intelligence is all the rage right now and while it’s still in its infancy, top level security professionals are already evaluating it for both finding and creating exploits.?As the technology evolves and more importantly, the user community find more effecient ways to interact and define goals for the technology, software and hardware exploits will become far easier to generate and move down from elite programmers to the lowest level script kiddies. As understanding of the tool continues to improve elaborate exploits will quickly and easily be generated in seconds.

In a recent article ChatGPT, the current darling of the AI community, was utilized along with elite hackers to assist in the creation of an exploit for OT networks (one of the areas I feel is ripe with vulnerabilities)

”It was bound to happen sooner or later. For what looks like the first time ever, bug hunters used ChatGPT in a successful Pwn2Own exploit, helping researchers hijack software used in industrial applications and win $20,000.

To be clear: the AI did not find the vulnerability nor write and run code to exploit a specific flaw. But its successful usage in the bug-reporting contest could be a harbinger of hacks to come…

According to Childs, this is probably how we'll see cybercriminals use ChatGPT in real-life attacks against industrial systems.

"Exploiting complex systems is challenging, and often, threat actors aren't familiar with every aspect of a particular target," he said. Childs added that he doesn't expect to see AI-generated tools writing exploits, "but providing that last piece of the puzzle needed for success."

And he's not concerned about AI taking over Pwn2Own. At least not yet.

"That's still quite a way off," Childs said. "However, the use of ChatGPT here shows how AI can help to turn a vulnerability into an exploit – provided the researcher knows how to ask the right questions and ignore the wrong answers. It's an interesting development in the competition's history, and we look forward to seeing where it may lead."”

This is just one example of how the hacker community “white hat” is using AI powered technology to assist in finding and creating exploits for vulnerable systems.

Being in the education space, there is a false belief that ChromeOS devices are largely immune to exploits and for the most part this has been a solid philosophy.?However, with the addition of AI, available to students, ex-students, staff and bad actors from outside the organization we may just see the formerly immune “Chromebook” become a new vector for cyber crime.

To underscore this, I used ChatGPT to write an article detailing how this might be done in the future. Spitting out this article in less than 10 seconds, it’s by no means an exhaustive dissertation on ChromeOS exploits, but by refining the length and characteristics, I am sure ChatGPT could turn out a masterpiece complete with examples and even sample code.

AI Will Be One Of Those Game Changing Technologies

Artificial intelligence has the power to be used for both legal and illegal activities.?IT administrators, executive staff and users should be aware of the potential for use and misuse. As cyber professionals, we should strive to make the community aware of this emerging vector of protection and vulnerability far before it becomes mainstream. ?It is important for IT professionals to have initial discussions with the less technical folks, detailing the upcoming dangers that AI brings to cyber security. This will hopefully generate awareness for the need for newer and better tools to combat these emerging threats before they become mainstream.?

While Elon Musk is doing his part to warn people of the dangers of AI, these esoteric discussions on television can hardly prepare non-technical staff members for the potential risk to an organization.?These initial conversations need to be initiated before the floodgates open and organizations are scrambling to plug their security gaps.

One Last Point Of Concern

Sadly, trying to use ChatGPT to proof this article, the AI felt like the world would be better served re-writing the entire thing for me and cutting me completely out of the process…lol ??We might just see a day where the AI just steals the money and inventions for itself, to fund it’s own rogue society of super bots bent on world domination...at the expense of the human race.

Eric Marchewitz is a security solutions architect, recovering former CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point.?Most recently he is a Field Solutions Architect for CDW Corporation. This article doesn’t not reflect the views of CDW and is for information purposes only and should not be considered professional advice. No warranty of the information contained within is given.

#cybercrime #cybersecurityawareness #ai