blog

Paul Vlissidis on the Rise of Deep Fakes

Paul Vlissidis, Technical Director of NCC and Ethical Hacker on Channel 4's Hunted, talks about Managing Cyber Risk in a Fake World and the implications of evolving Artificial Intelligence (AI). Read on for his key points and processes to improve your cybersecurity. 

The Inversion Point

2019 was the year many platforms breached the inversion point. The 'Inversion Point' is the point at which there is more "fake stuff" online than real. For example, about 50% of traffic on YouTube and 50% of users on Twitter are bots masquerading as people. On the wider web, about 60% of traffic is still human, but this figure still demonstrates that we are nearing the 'Inversion Point' here as well. Telling the difference between what is real and what is fake, becomes more difficult with the evolution of 'deepfakes'; deep learning technology used to create convincing visual and audio media in a variety of forms, which is actually all fake.

When are Deep Fakes Okay?

Deepfakes are often seen as deceptive. But are there any scenarios when they are required or used postitively?

'Deepfakes' are generally seen in a negative light, due to their use for spreading fake information and their deceptive nature. However, are there cases where 'deepfakes' can actually be used for good? During our event, we witnessed an AI generated bot use calendar management skills, and human traits and utterances to make a phone call and book a hair appointment on behalf of it's owner. It was suggested that the person taking the phone call was unaware that she was talking to an AI bot, which raises ethical questions in itself, but in this scenario, this automated task is relatively innocent.

But should the AI have to announce that it is not a real person? Or are these mundane tasks harmless? The fact is, AI will increasingly become a part of daily life, and there are still plenty of ethical boundaries and restrictions to be considered, particularly when 'deepfakes' are being used in darker, more dangerous ways, like fraud and politically charged propaganda. What is quite alarming is how realistic this voice AI actually was, speaking with fluidity, tone, and even small  utterances to acknowledge what the other person was saying. Imagine this in a different scenario and the potential damage it could do.

Fakes are nothing new for cyber!

Business email compromises and phishing websites have been a huge issue for businesses for a number of years. Whilst they have never been the most sophisticated threat, they have persisted and have never been solved. So far, with a certain degree of  observation, these phishing scams have been identifiable, however, as AI evolves and becomes more complex, it is likely that these issues will become harder to detect and prevent.

Fake Text & Information

Back in September BBC News reported on the GPT-2, an open source AI package, which could generate fake news stories based on other articles that it would read and learn from. This means that you don't even need a human to write fake stories anymore. Instead you can rely on AI to do all the work for you. This means we will likely see more fake information being distributed, particularly in social and political spaces such as elections and international affairs.

One journalist described the technology as terrifying because it would 'represent the technology used by evil people to manipulate the population', something that will likely be prominent in the US Presidential election this year. More frightening still, is AI's ability to target specific consumers based on their other online activity, posts, and behaviour.

Fake text and information can now be directly targeted at people based on a 'personality profile' generated by AI software which analyses online activity. An example of where this is already a possibility is the open-source 'Watson AI' which can create a 'Personality Portrait' based on people's Tweet history. It provides a personality summary, and then a list of things you like and would therefore engage with, and a list of things you dislike and would therefore ignore. This  means that content can be more easily targeted to you, and it becomes easy for dangerous individuals or bots to strike up a conversation with you, as they can leverage knowledge about what you like and build a relationship based on false common interest.

The threat of fake text and information

A summary of the impacts of fake text and information:

  • Disinformation affects threat intelligence due to confusion over what is real
  • Disinformation being misclassified as real, feeding AI-based systems which then learns from fake information
  • Fake news used as a distraction and diversion as real cyber-attacks take place
  • Malware learning context about a victim, leading to an extended attack via email inbox and email-thread injection
  • AI used to spearhead the phishing of high-profile individuals via fake text

Fake Voice

We have already seen a UK energy firm lose £200k through a fake voice scam. As AI evolves, this threat continues to grow, as voice fraud can engage in 'biometric spoofing' to access personal information. We've learned that some AI software can now clone a human voice using only 5 seconds of audio, and turn it into a full statement or conversation. This software is relatively easy to access and to use, which poses a huge threat to personal, business, and political security.

It is likely that as we near the US election, fake voice technology will play an increasing part in politics as well as personal security. For example, voices of prominent politicians can be cloned and used to make fake offensive statements which, when shared, will alienate voters. Therefore businesses must implement new processes to mitigate voice fraud, like mandating face-to-face interactions for large transactions and having two-person rules for some processes. Effectively, they must find and use more reliable identification methods within critical processes.

Fake Images and Fake Videos

Fake images are a bi-product of two AI's working within a Generative Adversarial Network. One AI produces fake images, and the other checks them against real images to see if the fake images could pass as real ones. In real time, a  completely fake profile picture can be generated using accessible software such as the online tool thispersondoesnotexist.com. They are often extremely realistic and believable, although some may carry minor glitches. Unlike when people steal another person's profile image, a completely fake, AI generated portrait cannot be identified using an image search, because it does not exist elsewhere. 

Some AI generated images will have minor glitches on them, making them identifiable when scrutinised. Otherwise, businesses should look out for other, obviously fake information, such as accounts on LinkedIn saying that they work for the company when they do not. As well as still images, software such as DeepFaceLab can project faces onto existing  videos. Previously we have seen videos of politicians or business-people cropped into compromising videos, but as this  software becomes more sophisticated, the videos will become more realistic. Therefore to those who are not 'cyber-savvy' this could become very dangerous and deceptive. 

The threat of Fake Images and Fake Videos

  • Fraud, especially with real time capability - e.g. plugin for video conferencing like Slack, Zoom or Skype
  • Consider when using video interviewing methods. Are you sure you know who you are hiring?
  • Extortion and manipulation - e.g. projecting somebody's face onto an upsetting or compromising image or video that looks convincing

How to counter this:

  • Software on mobile phones which can verify a videos authenticity using fingerprint technology and giving a score on the likelihood that the video has been tampered with
  • NCC and Alliance of Democracies working on a 'classifier' which will analyse if videos are real or fake

Fake Chats and Chatbots

Chatbots are becoming increasingly popular within businesses for managing customer queries and FAQ's. However, as they become more sophisticated, they also carry risks relating to cyber-security:

  • Used in targeted social engineering (chatphishing), as it is more personable, interactive and lifelike than a static email
  • Used as a diversionary tactic when trying to exploit someone or install something on their computer for a cyber-attack

The Threat of Combined Deepfake Approaches

  • Social Engineering
    • Adds more legitimacy
    • Adds interaction
    • AI can learn from a targets behaviour online
    • AI and Natural Language Processing helps personality trait analytics
    • Potential for full AI automation and campaign execution
  • Blackmail - threat to release fake footage that looks real
  • Potential bio-metric bypass
  • Fraud
  • Impact on Threat Intelligence and actions
  • People with a large online presence are most at risk

What we expected in 2020

2020 will see 'deepfakes' and AI fakery have a growing impact on cyber security, particularly as we reach the next US presidential election. As these technologies become more complex and sophisticated, distinguishing what is real from what is fake, will become increasingly difficult, which means it is critical that we become exceptionally good at verifying data sources and their credibility. Whilst the introduction of regulations and legislation will help to curb abuse and manipulations by corporations and businesses, cyber-criminals who lack ethics and break laws will pay no attention to this. Therefore it is not a 'silver-bullet' solution although it is progress. Effectively, what this could all lead to, is a requirement to completely redesign how we create, store, use, and share data, including improved Root of Trust (RoT) and traceability functions.

What really happened?

We saw a rapid rise in sophisticated phishing which targetted vulnerable people with misinformation about breaking COVID-19 rules, and issuing fines. We also saw a deepfake queen deliver the alternative queens speech on channel 4. We watched as businesses wrestled with the increased cyber threats introduced through remote working and decentralised workers. Whilst Cyber Security became increasingly important in 2020 due to an over reliance on technology to work, communicate, and socialise, we also saw a lot of cyber failures, and succesfful cyber attacks. This showcases the need to continue to do more!

Companies must invest in their cyber infrastructure and functions. To start building and growing your cyber security team, contact Jake Adshead at Maxwell Bond today to start 2021 the right way.