Human security experts are struggling to keep up with finding and patching the vulnerabilities in their companies' internet-connected products, so some of them are now turning to artificial intelligence to do the work for them.


Last summer the US Defense Advanced Research Projects Agency (DARPA), the Pentagon's research arm, staged the Cyber Grand Challenge (CGC) final in Las Vegas to spur research into using artificial intelligence (AI) to automate some, or all, of the work of security experts. During the CGC, seven autonomous systems running on high-powered hardware spent roughly 12 hours patching and protecting a collection of servers and software, while also trying to identify and exploit vulnerabilities in the programs being defended by their competitors. Now Mayhem, the robo-hacker that won, is putting its skills to work in the real world.

Mayhem was created by security startup ForAllSecure, which was cofounded by Carnegie Mellon University professor David Brumley and two of his PhD students. Brumley says the company has started adapting Mayhem to automatically find and patch flaws in certain kinds of commercial software, including the firmware of internet-connected and Internet of Things (IoT) devices such as cameras and routers.

Tests are underway with undisclosed partners, including an internet device manufacturer, to see whether Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively than human analysts can. For now the companies are focusing its efforts on finding and patching security holes in older, legacy products, something that today takes a huge amount of time, money and resources. The stakes are clear: late last year attackers used the Mirai malware to build a massive botnet of compromised IoT devices such as cameras and DVRs, which was then used to knock many major websites offline across the US east coast.

“Now when machines or devices are compromised it takes days or weeks for someone to notice, and then days or weeks, or never, until a patch is put out – such as the Heartbleed bug, which infected billions of computers and lay undetected for years,” says Brumley. “Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it’s patched.”

Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that power Mayhem. Over 40 percent of the images, spanning 89 different products, had at least one vulnerability, and the analysis found 14 previously unknown vulnerabilities affecting 69 different firmware builds.

ForAllSecure is also working with the US Department of Defense (DoD) on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

Giovanni Vigna, a professor at the University of California, Santa Barbara, says efforts to make practical use of techniques from the DARPA CGC are important, but he says dreams of automated hackers cleaning up all the world’s security vulnerabilities are unrealistic, since humans will still need to check their work. That said, outside of a governance requirement for human sign-off, the check itself need not always be manual, and it is likely that someone will eventually find a way to automate that using AI too.

“Say you’re a router company. These guys won’t want to deploy a patch that has no quality assurance and could take all their devices offline,” he says.

Vigna led the team whose Mechanical Phish software came in third in the DARPA contest last summer; it has since been released as open source for others to experiment with. Brumley, for his part, acknowledges the concern.

“Many people, including in the US government, prefer to have a ‘human in the loop’ rather than letting automated software run the show,” he says. “I’m not against that, but I feel that it slows down the process.”

For now, however, he is simply hopeful that as robo-hackers and robo-fixers prove their worth, they will be allowed to work with less human supervision.

About author

Matthew Griffin

Matthew Griffin, described as “The Adviser behind the Advisers” and a “Young Kurzweil,” is the founder and CEO of the World Futures Forum and the 311 Institute, a global Futures and Deep Futures consultancy working between the dates of 2020 to 2070, and is an award winning futurist, and author of “Codex of the Future” series. Regularly featured in the global media, including AP, BBC, Bloomberg, CNBC, Discovery, RT, Viacom, and WIRED, Matthew’s ability to identify, track, and explain the impacts of hundreds of revolutionary emerging technologies on global culture, industry and society, is unparalleled. Recognised for the past six years as one of the world’s foremost futurists, innovation and strategy experts Matthew is an international speaker who helps governments, investors, multi-nationals and regulators around the world envision, build and lead an inclusive, sustainable future. A rare talent Matthew’s recent work includes mentoring Lunar XPrize teams, re-envisioning global education and training with the G20, and helping the world’s largest organisations envision and ideate the future of their products and services, industries, and countries. Matthew's clients include three Prime Ministers and several governments, including the G7, Accenture, Aon, Bain & Co, BCG, Credit Suisse, Dell EMC, Dentons, Deloitte, E&Y, GEMS, Huawei, JPMorgan Chase, KPMG, Lego, McKinsey, PWC, Qualcomm, SAP, Samsung, Sopra Steria, T-Mobile, and many more.