3aIT Blog

You may have seen in the news recently that a new AI tool called "Mythos" has been made available to various large organisations following the revelation that it had found hundreds of critical security issues in every single one of the systems we use every day (Windows, MacOS, iOS, Chrome and everything else besides). What are the implications of this?

In the short term, there's not too much to worry about due to the limitations that Anthropic (makers of Mythos and the same people behind Claude) have put on it. In only allowing the companies that provide these critical systems access to the tool, they are preventing people with less honest intentions from using it to cause havoc before these companies have had time to fix the problems it found. When we talk about "Critical" security issues in systems like this, we're talking hugely significant problems. The "unauthorised users gaining full access to your PC / phone with no intervention needed on your part" type of problems.

So this current batch of problems gets fixed, then everything's fine? Well, not exactly. Certainly in terms of these specific issues, the problems will hopefully all be addressed and updates will be provided that prevent those issues from being exploited when the specifics of them become more widely revealed in the future.

However, this highlights a bigger issue in the longer term. As these AI tools become more powerful, the average person is going to have access to something that can perform in a similar way to Mythos, and it will take almost no technical knowledge to try and exploit a system. That need for technical knowledge was previously the main "defence" many people relied on. There are bugs in pretty much every system ever written, but there are only so many hours in the day, and therefore it tended to be the most popular systems that were targeted, as this provided the biggest rewards for an attacker.

The mainstream AI tools do have guardrails that are supposed to stop them being used for nefarious purposes. However, these guardrails can sometimes be circumvented. Additionally, even when they can't, someone with bad intentions could just use a non-mainstream tool, or even run an AI system directly on their own machine that will have no limits in place at all.

The upside is that as developers, we have access to the same tools. We can therefore use the AI to help harden the security of a system much quicker than we could before. However, we're only one part of the equation. To a large extent, the most important bit will be up to you.

Would you like to apply updates?

Yes, updates. We know you hate them. We know you postpone them indefinitely if you're given half the chance. However, it's going to become increasingly critical that you run any and all updates for everything you're prompted to run pretty much as soon as you can. The amount of time between "Problem being patched via an update" and "People trying to exploit that issue" is going to become almost zero as these AI tools evolve. Running updates might be a hassle, but it's infinitely less hassle than having your machine or data compromised. If you're running out-of-date software, it will absolutely become a matter of when rather than if it becomes compromised as the barrier to compromising it becomes lower and lower.

Turn on automatic updates anywhere you can. Also (and this is an important one), check whether you're running any software that is so old that it isn't being updated at all any more. That could be an old operating system (e.g. Windows 10 or an older version of MacOS on a laptop Apple no longer support). Or it could be old apps like Office 2016. Mobiles in particular are ones to watch out for here, as they tend to just silently stop receiving security updates at some point, and you probably won't be aware of this unless you proactively check this for your phone model. There's no device that will be immune to this problem, and that includes things like routers, TVs and other smart devices. If it's connected to the internet, it's at risk.

It's unlikely this will be an overnight ramping up of security threats. It's more likely to happen increasingly over time as attackers get better at using the new AI tools for this purpose, and those tools get increasingly good at being used for this purpose. However, there's no reason not to start as you mean to go on and run that pending update right now!