For the first time in history, a team of bug hunters used ChatGPT in a Pwn2Own contest to hack software used in industrial applications and won a cash prize of $20,000.
The edgeAggregator software communicates the interface between OT (Operational Technology) and IT in industrial applications. The security researchers discovered a vulnerability in the OPC Unified Architecture Client (OPC UA) in the edgeAggregator industrial software package. OPC UA is a machine-to-machine communication protocol used in industrial automation.
To test the RCE exploit, the researchers asked ChatGPT to develop an internal module for the OPC UA server. This module must create a malicious server to attack a vulnerable client. The experts admitted that they had to modify the code for the exploitation technique to work and get a workable server module.
ChatGPT provided a useful tool that saved researchers time and allowed them to focus more on implementing the exploit. It also relieved them of the need to learn how to write an internal module. The specialists added that this is how cybercriminals would use ChatGPT in real-life attacks on industrial systems. It is not necessary to know all aspects of a particular target.
The use of ChatGPT in this attack shows how AI can help turn a vulnerability into an exploit if you ask it the right questions and ignore the wrong answers. The experts added that ChatGPT may be unable to write exploits, but it can provide “the last piece of the puzzle necessary for success.”
However, this also highlights the need for stronger cybersecurity measures in industrial systems. Industrial systems are increasingly connected to the internet, making them vulnerable to cyberattacks. Cybercriminals can use vulnerabilities in these systems to gain access to sensitive data, disrupt operations, and cause physical damage.
Therefore, companies must invest in robust cybersecurity measures to protect their industrial systems. This includes regularly updating software and firmware, implementing access control measures, and conducting regular security audits and testing. Companies can also work with security researchers and bug hunters to identify and fix vulnerabilities before they can be exploited.