AI chatbots can read and write invisible text — malicious actors are taking notice

Invisible AI-readable text: A new security concern: Researchers have uncovered a method to embed invisible Unicode characters into text that certain AI chatbots can interpret, but remain imperceptible to human readers, raising significant security implications for AI systems and beyond.

The discovery of “ASCII smuggling”: Johann Rehberger, a researcher, coined the term “ASCII smuggling” to describe this technique, which utilizes a deprecated block of 128 Unicode characters known as the Tags block.

• The Tags block was originally intended for language tags but has found a new, potentially malicious purpose in the realm of AI communication.
• This method creates a covert channel that could be exploited to insert harmful instructions into AI systems or extract sensitive data without human detection.

Proof-of-concept attacks: Rehberger demonstrated the potential dangers of this technique through proof-of-concept attacks against Microsoft Copilot.

• These attacks successfully used invisible characters to pilfer sensitive data from a user’s inbox, highlighting the real-world risks associated with this vulnerability.
• The discovery builds on earlier work by researcher Riley Goodside, who first identified that some large language models (LLMs) could interpret these invisible characters.

Varying vulnerabilities across AI platforms: Different AI chatbots and systems show varying levels of susceptibility to this technique, underscoring the complexity of the issue.

• Claude, developed by Anthropic, can fully read and write the invisible characters.
• OpenAI’s API and Azure OpenAI API initially could read and write these characters but have recently stopped this capability.
• The ChatGPT web application cannot read or write the invisible characters.
• Microsoft Copilot’s capabilities in this regard have been fluctuating.
• Google Gemini can read and write the characters but doesn’t consistently interpret them as ASCII.

Broader security implications: The existence of this covert channel within Unicode raises concerns that extend beyond AI systems, potentially affecting various aspects of digital communication and security.

• This vulnerability highlights the challenges posed by AI systems’ ability to process information that humans cannot perceive.
• The issue emphasizes the need for AI companies to adopt a more proactive approach to security during the early stages of system design and development.

Potential misuse and countermeasures: The discovery of ASCII smuggling opens up possibilities for both malicious actors and security professionals.

• Malicious users could exploit this technique to insert hidden instructions or exfiltrate data from AI systems without detection.
• On the other hand, security teams could potentially use this method to watermark or track the flow of sensitive information through AI systems.

Industry response and future outlook: As awareness of this vulnerability grows, AI companies and security researchers are likely to focus on developing countermeasures and more robust security protocols.

• AI developers may need to implement filters or detection mechanisms to identify and neutralize hidden characters in input text.
• This discovery may lead to increased scrutiny of how AI systems process and interpret various forms of input, potentially resulting in more comprehensive security standards for AI development.

Analyzing deeper: The invisible threat landscape: The ASCII smuggling technique reveals a new dimension in the ongoing challenge of securing AI systems against novel forms of attack.

• This vulnerability underscores the need for a multidisciplinary approach to AI security, involving linguists, cryptographers, and security experts to anticipate and mitigate such unique threats.
• As AI systems become more integrated into critical infrastructure and decision-making processes, addressing vulnerabilities like ASCII smuggling becomes crucial to maintaining trust and security in AI-driven technologies.