OpenAI Just Changed Everything for Cybersecurity (Again!!)
Breaking down what the latest announcements mean for Cybersecurity professionals
It has become a bit of a cliche to write, “ChatGPT just changed everything in [insert your topic] every few months.”
But what happened at OpenAI's recent DevDay was nothing short of mind-blowing.
Amongst all the improvements revealed, the introduction of GPTs, i.e. your own customized versions of ChatGPT, was the biggest!
The ability to just create your very own AI agent with zero coding needed has mind-blowing potential!
It is difficult to imagine what we will see people making in a few months as they get more hands-on with it.
Of course, the chance to make money with GPTs will motivate people even more!
GPTs can be considered the next evolution of things like plugins and custom instructions, which OpenAI gradually added in the previous months.
Just to put things in context, with GPTs you can:
Enter instructions to make it behave in a certain way.
Provide further information by uploading external files.
Provide it access to existing abilities like browsing, DALL-E 3, code interpreter, AND ... APIs.
People have already been going crazy creating all sorts of innovative GPTs, allowing them to optimize their tweets and YouTube channels, etc.
But what are the implications for Cybersecurity?
Two things are going to have a major impact.
The No-code approach
Effectively giving all this power with zero coding knowledge needed means anyone can start creating GPTs.
This is going to greatly lower the bar of entry for professionals, meaning you need to update your DOs and DON'Ts now.
Make sure your employees who are using ChatGPT understand what GPTs are and that this is still something that has to be risk-assessed for use in a corporate setting.
Get ready to hear about some over-eager employee who uploaded the entire HR manual into a GPT to make his own office assistant!
API Access
The biggest game-changer is the access to APIs that are now available to GPTs, allowing them to carry out actions.
oh boy ….
This means the attack surface for GPTs is going to be massive.
The combination of GPTs and tools like Zapier, allowing integration of Slack, Notion, Calendar, etc., will be a security nightmare to manage.
The number of actions that are present in just Zapier is mind-boggling.
I have written before about prompt injections, in which attackers “trick” the AI agent into carrying out instructions it was never designed to do.
The “blast radius” of this attack was still limited to an extent, as the LLM agent could not execute anything and the exposure was limited to data leakage.
Now, we are entering a whole new territory of cyberattacks.
Imagine sending prompt injections that result in the GPT calling an API to execute an action.
Now multiply that by the number of people who will be making GPTs, and it looks like Christmas has come early for cyber attackers!
API security is still something that not many people are aware of, and this topic is going to resurge in importance in the coming months as GPT usage explodes.
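One way to shrink that blast radius is to have the API behind an action treat every call the model proposes as untrusted input. The following is an added example, not code from OpenAI or Zapier; the action names, scopes and channel are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical action names, scopes and channels, constructed for illustration.
POLICY = {
    "calendar.list_events": {"scope": "calendar:read", "mutating": False},
    "slack.post_message": {"scope": "slack:write", "mutating": True,
                           "allowed": {"channel": {"#helpdesk"}}},
    "notion.delete_page": {"scope": "notion:write", "mutating": True},
}


@dataclass
class ActionCall:
    """One API call proposed by the model on behalf of a user."""
    action: str
    args: dict = field(default_factory=dict)
    granted_scopes: frozenset = frozenset()
    # Set by the application UI after the user approves; never parsed from model output.
    user_confirmed: bool = False


def authorize(call: ActionCall) -> tuple[bool, str]:
    """Deny by default; the model's output is treated as untrusted input."""
    rule = POLICY.get(call.action)
    if rule is None:
        return False, "action not on allowlist"
    if rule["scope"] not in call.granted_scopes:
        return False, f"missing scope {rule['scope']}"
    for name, permitted in rule.get("allowed", {}).items():
        if call.args.get(name) not in permitted:
            return False, f"argument {name!r} outside permitted values"
    if rule["mutating"] and not call.user_confirmed:
        return False, "state-changing action requires user confirmation"
    return True, "ok"


if __name__ == "__main__":
    # Constructed calls, as a model might emit them after reading injected text.
    scopes = frozenset({"calendar:read", "slack:write"})
    calls = [
        ActionCall("calendar.list_events", {}, scopes),
        ActionCall("slack.post_message", {"channel": "#general"}, scopes),
        ActionCall("notion.delete_page", {"page": "hr-manual"}, scopes),
        ActionCall("slack.post_message", {"channel": "#helpdesk"}, scopes, True),
    ]
    for c in calls:
        print(c.action, authorize(c))
```

Only the read-only call and the confirmed post to the permitted channel pass; the other two are refused regardless of what the prompt told the model to do.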
OpenAI states:
“a GPT uses third party APIs, you choose whether data can be sent to that API. When builders customize their own GPT with actions or knowledge, the builder can choose if user chats with that GPT can be used to improve and train our models. These choices build upon the existing privacy controls users have, including the option to opt your entire account out of model training.”
My advice to every cybersecurity professional would be:
Get a GPT sandbox if it has become available and start playing around with how GPTs work
Send out a comm message if your company makes extensive usage of ChatGPT
Update your internal security programs on API Security and how to secure API calls
Without appropriate awareness of how to secure GPTs and API calls, we are going to be seeing some very interesting mess-ups happen as Cybersecurity teams get up to speed on this new technology.
Exciting times ahead!
GPT + API + no-code means we are entering entirely new (and terrifying) territory. My mind boggles at what 2024 is going to bring!




