ChatGPT: A Dream or a nightmare? (A comment from a cybersecurity POV)

What is ChatGPT? Why has it become so popular?

ChatGPT (Chat Generative Pre-trained Transformer), developed by OpenAI, provides AI-driven chat-based assistance based on context. It uses natural language processing, machine learning, and artificial intelligence to render text-based assistance. It has gained popularity due to its effectiveness in rendering human-like text based on the context fed through chat. Students, researchers, coders, and hackers worldwide are using ChatGPT to generate seemingly meaningful text.

Why are cyber criminals considering ChatGPT as their new friend?

You heard it right, hackers are using ChatGPT to generate meaningful text. In one research conducted by TechCrunch, upon asking ChatGPT to write a seemingly legitimate phishing mail, it denied the request replying it was not programmed to create harmful or malicious content. However, after a few tries they were able to generate legitimate phishing mail.

This opens up a whole range of possibilities for the malicious actors of the cyber crime world. Even though ChatGPT cannot be used to write malicious codes/tools directly, it can certainly be used to design them and develop parts of them.

“ChatGPT can undoubtedly be used to generate malicious codes without being flagged as malicious,” said renowned security researcher Dr. Ozarslan. He has worked in cybersecurity with NATO and has won awards such as the SANS Institute, RSA NetWars, and Global Interactive Cyber Range Awards. He put ChatGPT to the test by instructing it to write code in Swift, retrieve MS Office files from his Macbook, and generate a private key for decryption. He added, “sophisticated phishing campaigns and evasion codes to bypass threat detection were also created using the program.”

It is concerning because a lack of technical skills prevents potentially motivated threat actors from engaging in criminal activity. This program is now available to all on the clear web, removing the barrier to using the dark web. ChatGPT makes it easy for newbies, wannabes, and script kiddies to learn the ropes without needing to leave the security of the “clear web.”

It just goes to show how dangerous ChatGPT can be, especially with the ability to enable unsophisticated actors to deploy sophisticated phishing and cyberattacking techniques. Simply put, any amateur cyber attacker will now be able to launch sophisticated attacks using ChatGPT.

This means increased cybersecurity risk for Small and Medium Enterprises (SMEs). According to one research published on MDPI, AI-based Chat assistants like ChatGPT can be used to plan malicious chat-based social engineering (CSE) attacks against SMEs and customers by mimicking human-like conversations with victims.

Attackers who are not even well versed with the language would be able to engage in social engineering attacks based on the text generated by AI powered chat assistants.

Another plausible cybersecurity concern that AI assisted Chat assistants such as ChatGPT pose is that they can be used to spread misleading information/misinformation in critical fields such as medical research, defense and cybersecurity. To catch AI generated misinformation, experts use AI driven transformers to quickly identify misinformation by engaging in fact checks across a large range of resources. However, AI driven chat assistants like ChatGPT also use transformers that can easily generate reports bypassing cybersecurity experts as found by one research conducted in 2021 by researchers at University of Maryland.

What it also found is that AI powered chat assistants will reduce the effectiveness of cybersecurity by supplying misleading information to the threat intel which is used for automated cybersecurity response. This could also keep the experts from attending the actual vulnerability that needs to be addressed.