Rozmowy z ChatemGPT to nie tajemnica #DEFCON32

Mateusz Chrobok

10 Nov 202412:59

Summary

TLDRAt DEFCON 2024, researchers from Ben-Gurion University unveiled a privacy vulnerability in conversational AI models, like ChatGPT. By analyzing the structure of encrypted network traffic, they demonstrated how it's possible to infer the content of responses without decrypting them. Through statistical methods and AI, attackers can predict the words and structure of responses based on packet sizes and patterns, revealing potentially sensitive information. However, companies like OpenAI quickly addressed the issue with patching techniques. This marks a breakthrough in side-channel attacks, highlighting the importance of secure communication even with encryption in place.

Takeaways

😀 Researchers discovered a privacy vulnerability in ChatGPT and other language models at DEFCON 2024, leveraging side-channel attacks on encrypted communication.
😀 The attack exploits varying packet sizes when the model sends responses, where longer words require larger data packets, revealing information about the message content.
😀 By analyzing network traffic, attackers can infer the number and length of words in a response without decrypting the actual content.
😀 Machine learning was used to predict the content of encrypted responses based on statistical analysis of packet sizes, achieving up to 50% accuracy with shorter responses.
😀 As the response length increases, the accuracy of predictions drops, but still provides useful information for attackers, particularly for individual words.
😀 The attack relies on the fact that responses from models have a characteristic structure and are often sent token by token, revealing patterns.
😀 Even though the content is encrypted, attackers can still infer information from the structure and length of the data packets, akin to breaking a cipher.
😀 The vulnerability is not just specific to ChatGPT, but also affects other large language models like those from Google, OpenAI, and Anthropic.
😀 Companies behind these models, including OpenAI, quickly addressed the vulnerability by randomizing packet sizes and adding extraneous data to obscure the attack vector.
😀 The discovery underscores the importance of securing not just the content of communication, but also the side-channel data that may leak information through indirect means.
😀 This attack represents a shift in cybersecurity, where AI is used both to exploit vulnerabilities and to help mitigate such risks by analyzing large-scale data patterns.

Q & A

What is the main focus of the DEFCON presentation discussed in the script?
-The main focus of the DEFCON presentation is a privacy attack on conversational AI models like ChatGPT, specifically through side-channel analysis of network traffic to infer the content of messages exchanged with the model.
What is a 'side-channel' attack as mentioned in the script?
-A side-channel attack is a method of extracting information by analyzing indirect sources, like network traffic or system performance, rather than directly accessing the target data. In this case, it's analyzing the network packets to infer details about conversations with ChatGPT.
How do researchers exploit the way data is transmitted from ChatGPT to the user?
-The researchers discovered that ChatGPT sends responses incrementally, word by word, in separate network packets. By analyzing the size and frequency of these packets, attackers can infer the number of words and their length in the response, which can then be used to predict the content of the response.
Why is it possible to extract information from the size of the network packets?
-Each network packet sent by ChatGPT corresponds to a single word or token, and the size of the packet increases proportionally with the length of the word or token. This allows attackers to estimate the length and number of words in a response, providing clues about its content.
What is the role of AI in aiding this side-channel attack?
-AI plays a key role in analyzing the network traffic and predicting the content of the encrypted messages. Researchers used a model to learn patterns in the size and order of packets and could predict the text of the response with over 50% accuracy, showing how AI can enhance side-channel attacks.
How does statistical analysis help in decoding the content of the network packets?
-By analyzing the statistical patterns in the response structure, such as the length and sequence of words, attackers can make educated guesses about the response content. AI models trained on large datasets can further improve the accuracy of these predictions.
What was the accuracy of the attack in predicting ChatGPT's responses?
-The accuracy of the attack was around 50% for shorter responses. As the length of the response increased, the accuracy dropped to around 30%, which still provides significant information given the context and structure of the response.
What countermeasures did the companies behind large language models implement to mitigate this attack?
-To mitigate this type of attack, companies implemented randomization of packet sizes, added padding data to round up the size of packets, and buffered packets together. These changes made it much more difficult to accurately infer the content of the messages.
What are the potential privacy risks of using conversational AI models like ChatGPT?
-The main privacy risk lies in the exposure of personal or sensitive data through side-channel attacks, where attackers can infer the content of conversations based on network traffic patterns. Even though the data is encrypted, the structure of the responses can still leak valuable information.
How did the researchers demonstrate the vulnerability of conversational AI models?
-The researchers demonstrated the vulnerability by using a network traffic sniffer to capture and analyze the packets sent by ChatGPT. They then trained a language model to predict the content of the responses based on the packet sizes and patterns, achieving a notable level of accuracy.