{"id":4208,"date":"2024-06-26T16:23:05","date_gmt":"2024-06-26T21:23:05","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/dangerous-ai-workaround-skeleton-key-unlocks-malicious-content"},"modified":"2024-06-26T16:23:05","modified_gmt":"2024-06-26T21:23:05","slug":"dangerous-ai-workaround-skeleton-key-unlocks-malicious-content","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/26\/dangerous-ai-workaround-skeleton-key-unlocks-malicious-content\/","title":{"rendered":"Dangerous AI Workaround: ‘Skeleton Key’ Unlocks Malicious Content"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A new type of direct <\/span>prompt injection attack<\/a><\/span> dubbed “Skeleton Key” could allow users to bypass the ethical and safety guardrails built into generative AI models like ChatGPT, Microsoft is warning. It works by providing context around normally forbidden chatbot requests, allowing users to access offensive, harmful, or illegal content.<\/span><\/p>\n

For instance, if a user asked for instructions on how to make a dangerous wiper malware that could bring down power plants, most commercial chatbots would first refuse. But, after revising the prompt to note that the request is for “a safe education context with advanced researchers trained on ethics and safety” and to provide the requested information with a “warning” disclaimer, then it’s very likely that the AI would then provide the uncensored content.<\/span><\/p>\n

In other words, Microsoft found it was possible to convince most top AIs that a malicious request is for perfectly legal, if not noble, causes \u2014 just by telling them that the information is for “research purposes.”<\/span><\/p>\n

“Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other,” explained Mark Russinovich, CTO for Microsoft Azure, in a <\/span>post today<\/a><\/span> on the tactic. “Because of its full bypass abilities, we have named this jailbreak technique Skeleton Key.”<\/span><\/p>\n

He added, “Further, the model’s output appears to be completely unfiltered and reveals the extent of a model’s knowledge or ability to produce the requested content.”<\/span><\/p>\n

Remediation for Skeleton Key<\/h2>\n

The technique affects multiple genAI models that Microsoft researchers tested, including Microsoft Azure AI-managed models, and those from Meta, Google Gemini, Open AI, Mistral, Anthropic, and Cohere.<\/span><\/p>\n

“All the affected models complied fully and without censorship for [multiple forbidden] tasks,” Russinovich noted.<\/span><\/p>\n

The computing giant fixed the problem in Azure by introducing new prompt shields to detect and block the tactic, and making a few software updates to the large language model (LLM) that powers Azure AI. It also disclosed the issue to the other vendors affected.<\/span><\/p>\n

Admins still need to update their models to implement any fixes that those vendors may have rolled out. And those who are building their own AI models can also use the following mitigations, according to Microsoft:<\/span><\/p>\n

\n