Skip links

ChatGPT side-channel attack has easy fix: token obfuscation

in brief Almost as quickly as a paper came out last week revealing an AI side-channel vulnerability, Cloudflare researchers have figured out how to solve it: just obscure your token size.

The paper [PDF], from researchers at the Offensive AI Institute at Israel’s Ben Gurion University, found an issue with how all non-Google ChatGPT derivatives (including Microsoft Copilot) transmit chat sessions between LLM servers and users.

When operating in streaming mode (a key component of this attack), ChatGPT and related AIs send tokens sequentially – meaning the response from the AI flows bit-by-bit to the user instead of all at once after the bot has decided how to answer. A malicious actor in the middle with the ability to intercept network traffic could sniff those LLM tokens.

You may be thinking that those response tokens are encrypted, and you’d be right. Here’s where the Ben Gurion researchers got crafty: they built their own specially trained LLMs designed to examine the packets and understand what they mean, with a decent degree of accuracy.

“We were able to accurately reconstruct 29 percent of an AI assistant’s responses and successfully infer the topic from 55 percent of them,” the authors noted.

Cloudflare, offers its own ChatGPT-based AIs in the form of products like Workers AI and AI Gateway, seems to have figured out how to address the issue with relative ease by padding its tokens. Cloudflare wrote that it was approached by the researchers through its bug bounty program.

“Since we stream JSON objects rather than the raw tokens, instead of padding the tokens with whitespace characters, we added a new property, ‘p’ (for padding) that has a string value of variable random length,” Cloudflare wrote.

Cloudflare’s products are thus protected from the side-channel attack, with the fix deployed to Workers and AI Gateway, but other AI publishers take note: Time to modify your ChatGPT-based products, too.

Critical vulnerabilities of the week

Another Patch Tuesday, another quiet week on the vulnerability front – at least from the major vendors, whose issues were already highlighted on The Register.

A few operational tech vulnerabilities emerged and, as has been established, that’s where the big threats lie nowadays.

  • CVSS 10.0 – Multiple CVEs: Siemens Cerberus and Sinteso fire protection systems contain a number of issues, including a rather serious classic buffer overflow vulnerability, that could allow access to fire protection system networks.
  • CVSS 9.8 – Multiple CVEs: A number of Mitsubishi Electric MELSEC-Q/L series controllers contain incorrect pointer scaling and integer overflow/wraparound issues that could allow an attacker to read arbitrary info or perform RCE.
  • CVSS 9.8 – Multiple CVEs: Siemens RUGGEDCOM APE1808 devices, which use Fortinet, are suffering from a bunch of issues linked to problems with FortiOS, FortiProxy and other well-perforated products.
  • CVSS 9.8 – Too many CVEs: Siemens SIMATIC RF160B RFID readers versions prior to 2.2 contain 157 CVEs that let an attacker execute arbitrary code with privileged access. A patch is available.
  • CVSS 9.8 – Multiple CVEs: Siemens SINEMA remote connect server is vulnerable to XSS and is improperly controlling access.
  • CVSS 8.8 – Multiple CVEs: Delta Electronics DIAEnergie software prior to v1.10.00.005 contains several SQL injection vulnerabilities and other issues that could let an attacker escalate privileges, disclose information or disrupt systems.
  • CVSS 8.7 – Multiple CVEs: More vulns in Siemens RUGGEDCOM APE1808, again due to the inclusion of Fortinet, this time with problems in Fortinet Next-Gen Firewall that could lead to DoS and RCE with elevated permissions.

Infostealer campaign targets Roblox users

Infostealer malware is everywhere nowadays, and a new campaign is trying to lure Roblox users into downloading one disguised as a tool to optimize frames-per-second performance on the platform.

Spotted by Zscaler ThreatLabz, the campaign sees threat actors using YouTube videos and Discord links to distribute the stealer – dubbed “Tweaker” – to Roblox users. Once installed, the malicious app uses Powershell commands to install the malware, which is able to exfiltrate location data, Wi-Fi network information, passwords, Roblox user data and even in-game currency details.

“From the user’s perspective, everything seems normal as the Tweaker malware genuinely enhances FPS optimization,” Zscaler warned. “This deceptive behavior makes users less suspicious of the malware since it appears to be fulfilling its intended purpose.”

With the majority of Roblox users being children, parents should be aware of the threat posed by such malware – especially if kids are playing around on a machine also used for business.

Telco boss admits to SIM swap insider attack

When you can’t even trust the boss at your friendly local telecommunications company, who can you trust?

Jonathan Katz, a former manager at an unnamed telecom store in New Jersey, pled guilty this week to conspiring to gain unauthorized access to a protected computer by performing SIM swaps (linking a victim’s account to a SIM card controlled by another person) for someone else.

According to the US Department of Justice, while manager of the store Katz used his access to company computers to swap customer SIM numbers, giving account access to an unnamed co-conspirator who was able to access the victims’ email, social media and cryptocurrency accounts.

Katz was paid in Bitcoin for his trouble but wasn’t smart enough to use a cryptocurrency mixer to hide the trail – leading investigators right back to his crypto wallet.

Katz faces a maximum of five years in prison for the scheme, and a fine of not more than $250,000 or twice his take or twice the financial losses suffered by victims – whichever is greater. Katz is due to be sentenced on July 16. ®