How hackers can read your chats with ChatGPT or Microsoft Copilot

In a recent paper, Israeli researchers from the Offensive AI Lab presented a startling finding: attackers can exploit chatbot features to reconstruct the contents of encrypted chats, including conversations with OpenAI's ChatGPT, Microsoft Copilot, and many other AI chatbots. The technique, known as a side-channel attack, raises significant concerns about the confidentiality of AI-driven conversations.

Understanding the Vulnerabilities

AI chatbots, powered by large language models (LLMs), communicate over encrypted connections. However, certain features of these chatbots leak information despite the encryption, making conversations susceptible to side-channel attacks. Three properties combine to create the leak:

  1. Tokenization: LLMs process text not as individual characters or words but as semantic units known as tokens. These tokens become the units of transmission, so their individual lengths can leak to an eavesdropper (see the sketch after this list).
  2. Real-Time Responses: Unlike humans, who send messages in complete chunks, AI chatbots stream their responses gradually, token by token, in real time. This incremental transmission exposes per-token size and timing patterns that attackers can exploit.
  3. Lack of Compression or Padding: Many chatbots apply no compression, encoding, or padding before encrypting messages. Because common ciphers preserve plaintext length, the size of each encrypted packet then mirrors the size of the token it carries, making it easier for attackers to infer the text.
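
To make the first point concrete, here is a minimal sketch using OpenAI's open-source tiktoken tokenizer; the example message and encoding choice are illustrative. It prints a short reply's tokens and their lengths, which is exactly the sequence an eavesdropper can observe when each token travels in its own encrypted packet.

```python
# Minimal sketch: tokenization defines the units whose lengths can leak.
# Requires OpenAI's open-source tokenizer: pip install tiktoken
import tiktoken

enc = tiktoken.get_encoding("cl100k_base")  # encoding used by GPT-4-era models
message = "Sure, here are some tips for dealing with that."

token_ids = enc.encode(message)
tokens = [enc.decode([tid]) for tid in token_ids]

# Common ciphers preserve plaintext length, so if each token is
# encrypted and transmitted on its own, packet sizes expose this sequence:
print(tokens)
print([len(t) for t in tokens])
```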

The Side-Channel Attack

During a side-channel attack, hackers passively intercept encrypted chatbot traffic and extract the length of each transmitted token. They cannot decrypt the messages outright, but they can use the sequence of token lengths to reconstruct the text. The reconstruction is educated guesswork, aided by another LLM trained to predict the likely words from context.
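
As a hypothetical illustration of the interception step, the sketch below recovers a token-length sequence from captured packet sizes by stripping an assumed fixed per-record cipher overhead; both the sizes and the overhead value are invented, not measurements of any real service.

```python
# Hypothetical eavesdropper's view: encrypted record sizes -> token lengths.
# RECORD_OVERHEAD models the fixed bytes a cipher adds to every record
# (header, nonce, authentication tag); the value here is an assumption.
RECORD_OVERHEAD = 21

def recover_token_lengths(record_sizes: list[int]) -> list[int]:
    """Subtract the fixed overhead to expose each token's plaintext length."""
    return [size - RECORD_OVERHEAD for size in record_sizes]

captured_sizes = [25, 22, 26, 24, 29]  # invented capture of a streamed reply
print(recover_token_lengths(captured_sizes))  # -> [4, 1, 5, 3, 8]
```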

The researchers noted that the opening exchanges in chatbot conversations often follow predictable patterns. By leveraging this predictability, they successfully restored introductory messages and, with partial success, entire conversations. Perfect reconstruction is rare, however, and individual words are often guessed incorrectly.
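
As a toy illustration of why a leaked length sequence is so constraining, the sketch below filters a small wordlist by token length; the researchers’ actual attack ranks candidates with a purpose-trained LLM rather than a wordlist.

```python
# Toy reconstruction step: filter candidate words by the leaked lengths.
# The real attack uses an LLM to score candidates in context; a plain
# wordlist is enough to show how much the length sequence prunes the search.
leaked_lengths = [3, 5, 4, 3, 8]
vocab = ["the", "first", "step", "you", "can", "take", "toward",
         "quitting", "consider", "plan"]

candidates = [[w for w in vocab if len(w) == n] for n in leaked_lengths]
for n, words in zip(leaked_lengths, candidates):
    print(n, words)
# A language model then picks the combination of candidates that forms
# the most plausible sentence given the conversation so far.
```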

Limitations and Language Variations

It’s crucial to note that this attack method has limitations. While it can reveal the general drift of a conversation, extracting specific details such as names or numerical values remains unreliable. The success of text restoration also varies across languages: the study focused on English, where tokens are comparatively long and align closely with whole words, which makes reconstruction easier. Other languages with shorter tokens may not be as vulnerable.

Responding to the Threat

In response to these findings, vendors such as Cloudflare and OpenAI have implemented padding to obscure token lengths in transit. These measures aim to mitigate the risk of side-channel attacks and protect user data during interactions with chatbots.
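
A minimal sketch of the idea behind such padding, with an invented block size and no claim about any vendor’s actual scheme: padding every streamed chunk to a fixed length makes the encrypted records indistinguishable by size.

```python
# Illustrative padding mitigation: every record carries the same number
# of plaintext bytes, so ciphertext sizes no longer reveal token lengths.
# BLOCK is an assumed value, not any vendor's real parameter.
BLOCK = 32

def pad_chunk(token: str) -> bytes:
    data = token.encode("utf-8")
    if len(data) > BLOCK:
        raise ValueError("token exceeds block size; split it before padding")
    return data + b"\x00" * (BLOCK - len(data))

for token in ["Sure", ",", " here", " are", " some", " tips"]:
    print(len(pad_chunk(token)))  # always 32: the length channel is closed
```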

However, it’s essential for users to remain aware of potential security risks when engaging with AI-driven platforms. Understanding the vulnerabilities, and the ongoing efforts to address them, is crucial to safeguarding sensitive information.

To learn more about cybersecurity threats and precautions, explore our article on the Top 10 IRS Scams to Avoid from Keyzing.com.