Hacker AIs || Vulnerable Automobile APIs
CyberInsights #76 - ChatGPT can being used for writing malicious code and over 16 car brands had APIs that were vulnerable to attack
Can AI be used for hacking?
Two pieces of news this week show the possibilities.
Any new technology is a two edged sword.
ChatGPT, that little chat box that is making waves world-wide, has found itself writing malicious code. ChatGPT does not explicitly allow a normal chat user to write malicious code. If you try, you get this:
But, hackers could ask it to write smaller pieces of code that they can piece together to get to more malicious code. Here is a small example:
Notice how ChatGPT flags this as possible malicious code, but still gives you the code.
In another story, Text-to-SQL technologies using Natural Language Processing (NLP) could be cracked by asking specifically designed questions.
Take Action:
Understand the AI technology your teams are using to identify relevant threats
Include ‘malicious query design’ in your threat model
Conduct red teaming exercises to see if malicious queries can hack your system
Car APIs of over 16 manufacturers vulnerable
It is a cyber crisis waiting to happen.
A recent article wrote about APIs from 16 automobile companies that are vulnerable to attack. It included big name such as Ferrari, BMW & Mercedes Benz.
Imagine buying the latest BMW; as you are driving home, the horn starts to honk automatically and the lights start flashing. The display shows “You’ve been hacked!”.
Well, things might not be as dramatic as I’ve written, — the vulnerabilities have since been fixed — but you get the general drift (pun unintended).
Take Action:
Don’t buy connected cars. Just kidding. Just be watchful before buying any connected car. Ask the dealer to update the firmware and the software. Also, when you send the vehicle for service, insist that they upgrade the firmware.
If you are a cybersecurity professional who works for an automotive company, then there is a bit more that you should do:
API security checks
Threat Model. Threat Model. Threat Model.
Setup processes for firmware upgrade