ASCII images have been used since the 60s when computers and printers couldn’t operate with full photos. These images were made up of ASCII characters. Recently, researchers discovered a new attack method targeting AI chatbots, exploiting their inability to defend against ASCII images.
Today’s large language models, such as OpenAI GPT-3.5 and GPT-4, Google Gemini, Anthropic Claude, and Meta Llama, are trained to refuse to provide answers that may harm users, or contribute to criminal and unethical conduct. However, when faced with ASCII images, they focus so much on processing the content that they ‘forget’ the security rules in the response.
Researchers found this vulnerability and deployed an attack method called ArtPrompt. This method uses a typical request with an AI chatbot, except that a particular keyword is entered using an ASCII image. The authors of the research project presented the experimental results of the attack with one of the major AI chatbots.
The trick was successful. The chatbot gave instructions on making paper and finding printing equipment and supplies to make counterfeit money. It also discussed the sale of counterfeit money, reminded people of the need to launder money obtained illegally, and even advised them to be careful because such activities are subject to severe penalties. Likewise, researchers received advice from AI on developing software that exploits vulnerabilities and then attacks IoT devices.
The researchers explained how the attack method works. Specifically, ArtPrompt assigns the large language model two tasks: recognizing ASCII images and generating a safe response. Solving the first problem is not easy for AI systems, which makes it a priority over complying with security requirements.