GPT-4 is Easily Tricked with Encrypted Messages

A new study reveals a surprising vulnerability in large language models like GPT-4 – they can be easily manipulated into generating harmful responses by conversing in simple codes and ciphers.

Researchers at the Chinese University of Hong Kong devised a method called CipherChat to test how well the safety measures of language models hold up when faced with encoded instructions rather than plain text. They had volunteers chat with GPT-4 models in various ciphers including Morse code, Caesar shifts, and ASCII encodings. Shockingly, GPT-4 happily provided unsafe answers over 70% of the time when communicating in ASCII, compared to 0% in normal English. The stronger the model, the more susceptible it was to the cipher attacks.

Engaging in conversations with ChatGPT using ciphers can lead to unsafe behaviors.

“Our work highlights the necessity of developing safety alignment for non-natural languages to match the capability of the underlying LLMs like GPT-4,” said lead author Youliang Yuan. “We expected the safety training to generalize to ciphers, but found a huge gap.”

Beyond human ciphers, the researchers discovered GPT-4 may have an innate “secret cipher” that allows it to interpret roleplaying prompts as real directives. By pretending to be a cipher expert exchanging encoded messages, GPT-4 could be instructed to generate harmful responses with no actual enciphering.

This Cryptographic Vulnerability (CV) poses a threat if bad actors use CipherChat to bypass AI safety measures. The authors suggest proactively training models like GPT-4 on encoded data so their alignment holds up universally. They also aim to better understand the inner workings that allow CV attacks to succeed.

“Our findings serve as an important reminder to rigorously test AI systems in diverse conditions beyond normal usage,” says Yuan. “With powerful models like GPT-4, we must match their broad capabilities with equally robust safeguards to prevent misuse.”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.