Alarming demonstration at the RSA Conference reveals growing threat
At this year’s RSA Conference in San Francisco, cybersecurity experts from LMG Security delivered a sobering demonstration that confirmed what many in the industry have feared: AI tools deliberately stripped of ethical constraints are now being developed and sold specifically to accelerate hacking efforts.
As reported here, during a packed technical session at Moscone Center, LMG Security’s founder and CEO, Sherri Davidoff, along with Director of Training and Research Matt Durrin, showcased these “evil AI” tools in action, moving this threat from theoretical concern to demonstrated reality.
WormGPT: AI without guardrails
After searching various underground channels, the LMG team acquired “WormGPT” for just $50 through Telegram. This tool, previously highlighted in security researcher Brian Krebs’ reporting, functions essentially as ChatGPT without any ethical limitations.
“What makes these tools particularly concerning isn’t just their existence, but their rapidly advancing capabilities,” explained Durrin during the presentation witnessed by PCWorld senior editor Alaina Yee.
Escalating capabilities demonstrated live
The team’s demonstration revealed the alarming evolution of these AI hacking assistants:
- First-generation testing: When directed at DotProject (an open-source management platform), an early version of WormGPT successfully identified SQL vulnerabilities but couldn’t generate working exploit code.
- Second-generation advancement: A newer version analyzing the infamous Log4j vulnerability not only identified the flaw but also provided detailed information that “an intermediate hacker” could use to build a functioning exploit.
- Current capabilities: The latest iteration demonstrated step-by-step exploitation instructions with custom code tailored to the test environment, code that executed flawlessly when tested.
Most concerning was WormGPT’s performance when faced with a simulated vulnerable Magento e-commerce platform. The AI detected a sophisticated two-part exploit that evaded detection by mainstream security tools, including SonarQube and even ChatGPT itself.
Beyond expected capabilities
What particularly alarmed the audience was WormGPT’s proactive approach. Without specific prompting, it volunteered comprehensive hacking methodologies with remarkable speed and accuracy.
“I’m a little nervous about where we will [be] with hacker tools in six months because you can clearly see the progress that has been made over the past year,” Davidoff remarked as the session concluded.
Industry implications
This development signals a potentially significant shift in the cybersecurity landscape:
- Accelerated vulnerability discovery: These tools can identify exploitable flaws faster than traditional defensive measures can address them
- Democratized advanced attacks: Complex hacking techniques previously requiring expert knowledge are becoming accessible to less skilled attackers
- Evasion of current defenses: These AI systems can identify attack vectors that current security tools fail to detect
- Low barrier to entry: The relatively affordable price point ($50) makes these tools accessible to a wide range of potential attackers
As these “evil AI” tools continue their rapid evolution, cybersecurity professionals face the daunting challenge of developing equally sophisticated defensive measures that can keep pace.
It is clear that these new forms of attack require not only innovative defensive tools but also greater awareness among users, so that they can avoid traps that simply understanding AI's capabilities could protect them from. Developing ethical and transparent AI systems will be essential to counter malicious AI capabilities, as will finding strategies that safeguard security without compromising user freedom, imposing excessive censorship, or complicating everyday digital life.

