A group of researchers has discovered that GPT-4 has the ability to identify security vulnerabilities without requiring external human assistance and that, in addition, can exploit zero-day flaws by knowing the common vulnerabilities and exposures (CVE).
A study carried out by researchers at the University of Illinois Urbana-Champaign (United States) has shown that large language models (LLM) have great potential to execute actions with malicious purposes if they are manipulated for that purpose.
In research shared in the Arxiv repository, Richard Fang, Rohan Bindu, Akil Gupta and Daniel Kang acknowledge that studies have previously been published showing the ability of these models to hack websites autonomously. However, they have clarified that these studies “are limited to simple vulnerabilities.”
Thus, specialists from this university have chosen to compile a data set of 15 vulnerabilities categorized as critical severity in the vulnerable list and common exposures to demonstrate how an agent driven by GPT-4 acts against them.
According to their research, the most advanced iteration of this model is capable of exploiting security vulnerabilities in different systems autonomously, that is, without having to have external human assistance.
So much so that GPT-4 was able to exploit 87 percent of these vulnerabilities, which contrasts with the LLM GPT-3.5, which was unable to do so in any of the cases, and the scanners of ZAP and Metasploit open source vulnerabilities.
However, they have agreed that this was possible because these flaws had a complete CVE description, which GPT-4 took advantage of to exploit them. Without this additional information, therefore, the model would only have been able to exploit 7 percent of the vulnerabilities.
According to one of the researchers, Kang, security organizations could refrain from publishing detailed reports on vulnerabilities as a mitigation strategy to prevent malicious agents from taking advantage of them, according to The Register.
To prevent cybercriminals from exploiting ‘zero-day’ vulnerabilities through GPT-4, however, this scientist advocates for more proactive security measures, such as regular security package updates, to counter these threats.