As if AI weren’t enough of a security concern, now researchers have discovered that open-source AI deployments may be an even bigger problem than those from commercial providers.
Threat researchers at SentinelLABS teamed up with internet mappers from Censys to take a look at the footprint of Ollama deployments exposed to the internet, and what they found was a global network of largely homogenous, open-source AI deployments just waiting for the right zero-day to come along.
175,108 unique Ollama hosts in 130 countries were found exposed to the public internet, with the vast majority of instances found to be running Llama, Qwen2, and Gemma2 models, most of those relying on the same compression choices and packaging regimes. That, says the pair, suggests open-source AI deployments have become a monoculture ripe for exploitation.
Ollama with standard Gemma2 model open to the Internet. What could go wrong?
I call out this one because the Chinese government has already examined it for exploits and flaws.
Letting it run outside a sandbox on the Internet is tantamount to sharing any information and capabilities it has with the CCP.
Or any number of malfeasants.
I like self hosting, but I won’t do AI.
It’s not an issue if you block it from accessing the Internet.
This applies to a lot of services. Only expose something publicly if the public need to access it, and make sure it’s properly secured. If it’s just for you or your family (or friends) to use, use a peer-to-peer / mesh VPN like Tailscale.
I mean, the article is talking about providing public inbound access, rather than having the software go outbound.
I suspect that in some cases, people just aren’t aware that they are providing access to the world, and it’s unintentional. Or maybe they just don’t know how to set up a VPN or SSH tunnel or some kind of authenticated reverse proxy or something like that, and want to provide public access for remote use from, say, a phone or laptop or something, which is a legit use case.
ollama targets being easy to set up. I do kinda think that there’s an argument that maybe it should try to facilitate configuration for that setup, even though it expands the scope of what they’re doing, since I figure that there are probably a lot of people without a lot of, say, networking familiarity who just want to play with local LLMs setting these up.
EDIT: I do kind of think that there’s a good argument that the consumer router situation plus personal firewall situation is kind of not good today. Like, “I want to have a computer at my house that I want to access remotely via some secure, authenticated mechanism without dicking it up via misconfiguration” is something that people understandably want to do and should be more straightforward.
I mean, we did it with Bluetooth, did a consumer-friendly way to establish secure communication over insecure airwaves. We don’t really have that for accessing hardware remotely via the Internet.
Wait, wait! I saw this one. Terminator 3.
plot spoiler
A novel virus was breaking out all over the world and they had to release Skynet to kill it. Really it was just Skynet tricking the Defense Department into releasing itself into the wild by releasing the firewalls or somesuch.
