WHY THIS MATTERS IN BRIEF
Human security experts are struggling to keep up with patching the vulnerabilities in their companies' IoT-connected products, so now they are turning to artificial intelligence to do it for them.
Last summer the Pentagon, in conjunction with the US Defense Advanced Research Projects Agency (DARPA), staged a Cyber Grand Challenge (CGC) contest in Las Vegas in an attempt to spur research into using artificial intelligence (AI) to automate some, or all, of the work of security experts. During the CGC, twelve high-powered AIs spent 12 hours trying to patch and protect a collection of servers and software, while also trying to identify and exploit vulnerabilities in programs being looked after by their competitors. Now Mayhem, the robo-hacker that won, is putting its hacking skills to work in the real world.
Mayhem was created by security startup ForAllSecure, which was cofounded by Carnegie Mellon University professor David Brumley and two of his PhD students. Brumley says the company has started adapting Mayhem so that it can automatically find and patch flaws in certain kinds of commercial software, including that of internet and Internet of Things (IoT) devices such as cameras and routers.
Tests are underway with undisclosed partners, including an internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively than their human counterparts. For the moment at least, the company is focusing its efforts on helping them identify and patch security holes in older, legacy products, something that today takes a huge amount of time, money and resources to accomplish. Late last year, for example, hackers used a tool called Mirai to create a massive botnet of compromised IoT devices such as cameras and DVRs to take down most of the US east coast's internet.
“Now when machines or devices are compromised it takes days or weeks for someone to notice and then days or weeks, or never, until a patch is put out – such as the Heartbleed bug which infected billions of computers and lay undetected for years,” says Brumley. “Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it’s patched.”
Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40 percent, representing 89 different products, had at least one vulnerability and Mayhem found 14 previously undiscovered vulnerabilities affecting 69 different software builds.
ForAllSecure is also working with the US Department of Defense (DoD) on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.
Giovanni Vigna, a professor at the University of California, Santa Barbara, says efforts to make practical use of techniques from the DARPA CGC battle are important, but he says dreams of automated hackers cleaning up all the world’s security vulnerabilities are unrealistic, since humans will still need to check their work. Although, other than from a governance perspective, that may not always need to be the case, and it is likely that someone will find a way to automate that checking with AI too.
“Say you’re a router company. These guys won’t want to deploy a patch that has no quality assurance and could take all their devices offline,” he says.
Vigna led the team whose Mechanical Phish software came in third in last summer's DARPA contest; it has now been released as open source for others to experiment with. Meanwhile, Brumley acknowledges that problem.
“Many people, including in the US government, prefer to have a ‘human in the loop’ rather than letting automated software run the show,” he says. “I’m not against that, but I feel that it slows down the process.”
For now, however, he is simply hopeful that as robo-hackers and fixers prove their worth, they will be allowed to work with less human supervision.