Can GPT-4 Hack Your Computer?

Researchers from the University of Illinois Urbana-Champaign (UIUC) investigated how effective large language models (LLMs) like GPT-4 are at exploiting cybersecurity vulnerabilities, and found that they can autonomously exploit one-day vulnerabilities.

While previous attempts have been made to test the ability of LLM agents to “autonomously hack websites,” those tests were limited to simple vulnerabilities. The researchers at UIUC tested their theory and proved that in certain cases, “LLM agents can autonomously exploit one-day vulnerabilities in real-world systems.”

According to Cybernews, the researchers gathered a dataset of 15 one-day vulnerabilities, including several categorized as critical severity in their CVE descriptions (CVE stands for Common Vulnerabilities and Exposures, a database of publicly shared information about cybersecurity vulnerabilities and exposures). When the researchers provided GPT-4 with the CVE description, the LLM was 87% effective in exploiting these vulnerabilities, compared to the 0% displayed by GPT-3.5, open-source LLMs, and widely used vulnerability scanners. However, GPT-4 needs the CVE description to exploit these vulnerabilities effectively, and can only exploit 7% of the vulnerabilities independently.

The study also found a financial benefit to using LLMs and AI, which proved cheaper and more efficient than the work of humans. Furthermore, LLM agents were found to be “trivially scalable in contrast to human labor,” making them arguably more effective than human hackers.

The researchers' findings raise questions about the widespread use of LLMs, which have been steadily growing in popularity due to their usefulness in individuals’ professional and personal lives, but which have also been proven to be used by hackers to hone their skills and deploy attacks.

Tech giant Microsoft previously released a statement saying that it had tracked hacking groups affiliated with Russian military intelligence, Iran’s Revolutionary Guard, and the Chinese and North Korean governments, all trying to perfect their hacking campaigns using large language models.

Senior cybersecurity officials have been warning of this growing phenomenon since 2023, claiming threat actors are using LLMs to conduct malicious research, write convincing phishing emails, or gain information about rival intelligence agencies.