Scientists have found a way to recharge dangerous computer “worms” using AI
University of Toronto researchers say they have found a way to use artificial intelligence to create a dangerous computer “worm” capable of targeting any known flaw in the world’s computers and rapidly spreading chaos across the Internet.
The computer scientists said in a paper published Tuesday night that the program can be built and that the prototype they created spread across a test network without human intervention.
The researchers kept their test network isolated from the public Internet. They also removed some details from the paper describing how they built the worm so hackers couldn’t use the paper as a blueprint for attacks.
But their work is likely to raise concerns that artificial intelligence is ushering in a new era of computer hacking that will be difficult to defend against. It also adds to growing evidence that advances in AI are creating risks to computer networks that would have been hard to imagine just a few years ago.
Artificial intelligence company Anthropic said in April that its latest technology, Claude Mythos, was too powerful to share with the public because hackers could use it to exploit security holes in computer networks faster than ever before.
Anthropic limited the release of the technology to about 40 organizations that maintain critical computing infrastructure so they can use the system to patch security vulnerabilities before hackers exploit them.
A week later, OpenAI, Anthropic’s main rival, said it was curtailing the release of similar technology. OpenAI shared its new system with hundreds of organizations and expanded the release to thousands of partners in the following weeks.
(The New York Times sued OpenAI and Microsoft in 2023, alleging copyright infringement on news content related to AI systems. Both companies denied the claims.)
A paper from the University of Toronto puts a new spin on AI fears. Because the AI technology that powered the worm was “open source” or “open weight” — meaning it was freely shared on the Internet — no one can restrict how it’s used. The proverbial genie is out of the bottle.
“To defend against this, you have to have a perfectly secure system — and we know that’s not currently possible,” said Nicolas Papernot, a professor of computer engineering at the University of Toronto who led the team that built and tested the prototype.
Dr. Papernot and his team, who posted the paper on his lab’s website, were able to create what is essentially an AI-powered version of the computer worms that hackers began unleashing on the Internet two decades ago. Unlike other types of computer viruses, worms spread from machine to machine on their own, without the help of humans.
With names like SQL Slammer, Conficker, and Stuxnet, each of these self-replicating software programs exploited a specific vulnerability in computers, took control of millions of machines, stole their data, deleted their files, and generally wreaked havoc.
After a decade of attacks, many computer users have learned to quickly patch their most egregious vulnerabilities. But the threat never went away. In 2017, another worm, WannaCry, targeted another major flaw in the world’s machines and infected more than 300,000 machines in 150 countries, taking their data hostage and demanding Bitcoin ransom payments.
A prototype created by Toronto researchers takes this kind of self-reproducing worm one step further. It can spread rapidly across a network by adapting a new attack to each computer it encounters. As described by Dr. Papernot, the worm could “think” through new attack strategies.
“This makes it much more difficult to stop the spread of malware,” he said. “There is no longer a single software patch that you can apply to a device to protect it from the worm.”
The worm could run on computers running Windows or Linux. And although the worm cannot operate without finding a more powerful machine due to its complexity, it could attack less powerful machines on the same network, including laptops, printers and cameras.
Security experts aren’t surprised that AI can tailor attacks. Over the past year, companies in the United States, China and other parts of the world have built artificial intelligence systems that are particularly good at writing computer code. If an AI system can write code, it can potentially exploit vulnerabilities in software applications.
But the leading systems from companies like Anthropic and OpenAI cannot be wrapped in worms because they are not open source and in all likelihood are too large to run on many computers. Many experts assumed that open source AI technologies were not powerful enough to power self-replicating computer worms.
But in recent months, companies and government labs, including several in China, have released increasingly powerful open source systems. Toronto researchers extended the open-source system in a way that strengthened those powers.
They have not publicly disclosed what open source system they used. But they say their prototype shows that hackers could create a similar worm — if they haven’t already.
Some outside experts have said the threat may be limited because AI systems are prone to error. “There’s usually a meaningful gap between what you can create in the lab and what you can do in the world to do significant damage,” said Dan Lahav, chief executive of Irregular, a security firm that specializes in AI threats.
“Artificial intelligence systems tend to be unpredictable and clumsy,” he added. “They do weird things and that can trigger security defenses.”
But Mr Lahav also warned that AI will continue to improve. This means that companies need to fix as many software vulnerabilities as possible, and they can use artificial intelligence to do this.
For this reason, according to the researchers, Anthropic should share Mythos with the wider group so that it can be used to combat AI threats. On Tuesday, Anthropic said it will share its technology with 150 other organizations.
“Ultimately, wider distribution — so that people can use the technology to fix vulnerabilities — is the way to go,” said David Lie, a professor of computer science at the University of Toronto who reviewed the paper but was not part of the team that created the worm.
The methods described by the University of Toronto researchers can also be used to find and fix vulnerabilities, said Dr. Lying. Like any other cybersecurity technology, their worm can be used both offensively and defensively.
“One can modify the worm to fix the vulnerabilities it finds,” he said. “The power of technology depends on what you do with it.”