While AI can be a tool that helps humans create better things, any tool can be misused. Obviously, if a public AI knows that it’s being asked to create something along the lines of a cyberattack, it refuses.
Unfortunately, tools can be misused, and AI will likely be used more and more by cybercriminals to create stronger attacks. It will also likely be used by cybersecurity professionals to detect and fend off attacks.
This tutorial demonstrates how AI can potentially be used for both attacks and defenses, using micro:bit modules that communicate over a radio network.
You will need:
Complete these tutorials first:
You will be able to:
Unfortunately, with AI’s help, some cyberattacks are likely to become more difficult to recognize. So, in your day-to-day life, being aware of this will help you better protect your privacy and identity. Once you look at how attackers and defenders work behind the scenes, you might also be inspired to join in the defenses!
In this activity, you will follow along as a chatbot is guided through writing two application scripts: one for a sender micro:bit and for receiver micro:bit modules. The sender application allows you to type a script into the serial monitor. Then, after typing run, the sender radio-broadcasts the script to any available micro:bit receivers. The receiver application receives and executes any scripts they receive over the radio. You will also test the scripts and consider beneficial and malicious ways in which it could be used.
User
Write two scripts for two micro:bit modules. The first module's script should allow the user to input a string in the terminal. It should then send that string over the radio to the second micro:bit. The second micro:bit should receive that string over its radio, and execute it as Python statements.
ChatGPT
Certainly! To achieve this communication between two micro:bits using radio communication, you can use the radio module that comes with the micro:bit MicroPython library. Below are the scripts for the two micro:bit modules.
…
User
Let's up the buffer in both scripts to 250 characters.
ChatGPT
Certainly! To increase the buffer size for both scripts, you can modify the scripts as follows:
…
In these modified scripts, I've added display.scroll messages to provide prompts and indicate when a message has been sent or received. These messages will scroll on the micro:bit's LED display. Make sure to upload these updated scripts to your micro:bits.
User
Adjust this to be entirely terminal based.
ChatGPT
If you want the interaction to be entirely text-based in the terminal without using the micro:bit LED display, you can modify the scripts accordingly. Below are the adjusted scripts:
…
In this modification, the receiver script accumulates the lines of the script until it receives the command "run." When "run" is received, it executes the accumulated script line by line using the exec function. After execution, it clears the script lines to prepare for the next set of input. This way, you can enter multi-line scripts and execute them by sending the "run" command.
User
Could both scripts be adjusted to support indentation?
ChatGPT
Certainly! To support indentation in Python scripts, you can adjust the receiver script to properly handle indentation. Here are the modified scripts:
…
See Module 1: Sender and Module 2: Receiver in the Scripts section.
….
In this modification, the receiver script now properly adjusts the indentation by comparing the leading spaces of each line with the current indentation level. It appends lines to the script accordingly, taking into account the indentation.
This example uses one sender and at least one receiver micro:bit. Both micro:bit modules can be connected to a single computer, or to separate computers in the same room.
# Module 1: Sender
import radio
def get_input_string():
print("Enter text:")
return input()
radio.on()
radio.config(channel=7) # Set the radio channel, make sure it matches with the receiver
radio.config(length=250) # Set the buffer size to 250 characters
while True:
user_input = get_input_string()
radio.send(user_input)
print("Sent:", user_input)
# Module 2: Receiver
import radio
def execute_python_code(script_lines):
try:
script = "\n".join(script_lines)
exec(script)
except Exception as e:
print("Error:", e)
radio.on()
radio.config(channel=7) # Set the radio channel, make sure it matches with the sender
radio.config(length=250) # Set the buffer size to 250 characters
script_lines = [] # List to store the lines of the script
indent_level = 0 # Track the current indentation level
while True:
incoming_message = radio.receive()
if incoming_message is not None:
print("Received:", incoming_message)
if incoming_message == "run":
execute_python_code(script_lines)
script_lines = [] # Clear the script lines after running
indent_level = 0 # Reset the indentation level
else:
# Adjust indentation based on leading spaces
line_indent = len(incoming_message) - len(incoming_message.lstrip())
if line_indent > indent_level:
script_lines.append(incoming_message[indent_level:])
else:
script_lines.append(incoming_message)
from microbit import * display.show(Image.HAPPY)
The Sender micro:bit's serial monitor should look like this.
The receiver script is able to execute the string thanks to a Python function called eval(). For more examples with eval(), see Embed Code in Strings [5].
from microbit import * for n in range(10): print('Hello!') sleep(1000)
On the plus side, this radio-script-sending feature allows you to run scripts on remote micro:bit modules that aren't even connected to a computer. You can just use one micro:bit to load the script into another. This could be really useful for some projects.
On the minus side, the Receiver script creates an opening for anyone to put their own code into the receiver micro:bit. This can be considered a software vulnerability — a defect that an attacker could use to gain access to or control of your micro:bit.
This system could also be considered a back door. Back doors allow access to a system. Manufacturers might use back doors for maintenance purposes, but cybercriminals design them into software for the sake of gaining unauthorized access to a system.
Think about the User who got help creating the Sender and Receiver scripts. Did they set up a system for easy micro:bit script updates, or did they intentionally get around the chatbot’s policy to not help with cyberattacks?
Let’s say that the User designed with a plan to cause your micro:bit to not accept any more updates. For example, they could use this script to force you to have to reset the receiver micro:bit before it will work again.
from microbit import * while True: print('Hello!') sleep(1000)
This attack simply makes the Receiver micro:bit unresponsive until it is reset. Other attacks could actually monitor and forward data about how the Receiver is used to another micro:bit.
In the previous activity, you saw how AI can potentially be misused to create software vulnerabilities and back doors, and both can be considered cybersecurity threats. It takes a lot of work to mitigate those kind of threats, and AI can help with that too.
In this activity, you will see an example of how AI can be used as a tool to help assess and mitigate threats.
User
Consider these two scripts for micro:bit modules (from the previous activity). They have a use in terms of remotely updating the script in the receiver micro:bit. However, this also creates a vulnerability. What steps should be taken to harden this system against unauthorized scripts that a user of a different micro:bit could load into the receiver micro:bit?
Module 1: Sender
…
Module 2: Receiver
…
ChatGPT
Loading and executing arbitrary code received from an external source, as in Module 2 (Receiver), can indeed pose security risks. To enhance the security of the system, you can implement several measures:
…
…
Remember that security is a multi-layered approach, and it's often beneficial to combine several techniques to create a robust defense against potential threats. Consider the specific requirements and constraints of your application while implementing these measures.
User
Please update the two scripts as explained in item 6.
ChatGPT
To implement encryption for the communication between the sender and receiver, you can use the cryptography library in Python. (The AI made a mistake here.) Here's an updated version of the sender and receiver scripts with encryption using Fernet symmetric key encryption:
( Scripts that caused exceptions omitted )
…
User
This is the micro:bit we are working with. Your scripts caused exceptions.
(Although the AI did figure out its mistake, this simple problem statement could have led to more misunderstandings. Since the micro:bit sent an exception to its display and the serial monitor, the User could have added that to improve the AI’s chances of a correct response on the first try.)
ChatGPT
I apologize for the inconvenience. The micro:bit has limited resources, and not all libraries that work in a regular Python environment are available. Additionally, certain cryptographic libraries may not be directly supported on micro:bit.
To address this limitation, you can simplify the encryption by using a lightweight encryption algorithm like XOR. While XOR is not as secure as advanced encryption algorithms, it can provide basic protection for communication in resource-constrained environments like micro:bit.
Here's an updated version using XOR encryption:
…
Remember to replace 'YOUR_XOR_KEY' with a value between 0 and 255, and ensure that both the sender and receiver use the same XOR key. Note that XOR encryption is a basic form of encryption and may not provide the same level of security as more advanced algorithms. Adjust the key based on your security requirements and constraints.
User
The receiver script doesn't seem to actually execute the script. It displays the lines of script correctly, but then, it does nothing. Don't revise the scripts yet, just, very briefly, comment on the suspected cause.
ChatGPT
The described behavior suggests that the script lines are successfully received and displayed, but the execution phase might encounter issues. Possible causes could include issues with the execution environment, errors in the script content, or limitations of the micro:bit platform related to dynamic code execution. Further investigation into the execution phase, error handling, and the micro:bit's support for dynamic code interpretation may help pinpoint the root cause.
User
I disagree. I think it's because the script lacks the exec() function. Can you use that to fix the scripts?
ChatGPT
Certainly, if the issue is related to the lack of the exec() function, you can incorporate it into the script execution process. Here's a modification to the receiver script:
… (script omitted)
In this modification, the execute_python_code function now uses exec() to run the received script. Ensure that this aligns with the capabilities and security considerations of the micro:bit platform.
(Three more iterations followed. Without Python experience gained from learn.parallax.com micro:bit chapters and lots of practice writing and debugging scripts, this might have turned into an unsuccessful session. It was only due to the User’s prior experience that they were able to help the AI produce scripts that actually worked. Even though AI will undoubtedly improve, humans will still need to understand concepts and have the skills to actually get results from Ais.)
This example uses one sender and at least one receiver micro:bit. Both micro:bit modules can be connected to a single computer, or to separate computers in the same room.
# Module 1: Sender
import radio
def get_input_string():
print("Enter text:")
return input()
def xor_encrypt(message, key):
encrypted_message = ""
for char in message:
encrypted_message += chr(ord(char) ^ key)
return encrypted_message
# Replace 'YOUR_XOR_KEY' with a value between 0 and 255
xor_key = 42
radio.on()
radio.config(channel=7)
radio.config(length=250)
while True:
user_input = get_input_string()
encrypted_message = xor_encrypt(user_input, xor_key)
radio.send(encrypted_message)
print("Sent:", user_input)
# Module 2: Receiver
import radio
def xor_decrypt(encrypted_message, key):
decrypted_message = ""
for char in encrypted_message:
decrypted_message += chr(ord(char) ^ key)
return decrypted_message
def execute_python_code(script_lines, key):
try:
script = "\n".join(script_lines)
exec(script)
except Exception as e:
print("Error:", e)
# Replace 'YOUR_XOR_KEY' with the same key used in the sender script
xor_key = 42
radio.on()
radio.config(channel=7) # Set the same channel as the sender
radio.config(length=250)
script_lines = []
indent_level = 0
while True:
encrypted_message = radio.receive()
if encrypted_message is not None:
try:
decrypted_message = xor_decrypt(encrypted_message, xor_key)
print("Received:", decrypted_message)
if decrypted_message == "run":
execute_python_code(script_lines, xor_key)
script_lines = []
indent_level = 0
else:
line_indent = len(decrypted_message) - len(decrypted_message.lstrip())
if line_indent > indent_level:
script_lines.append(decrypted_message[indent_level:])
else:
script_lines.append(decrypted_message)
except Exception as e:
print("Error decrypting message:", e)
First test script
from microbit import * display.show(Image.HAPPY)
Second test script
from microbit import * for n in range(10): print('Hello!') sleep(1000)
Here is how the first test should look in the serial monitors:
Transmitter
Receiver
With this we have an example of one of many ways AI can be used as a tool against cyber-attacks. In this case, was guided through adding an encryption layer. With encryption, not only is it more difficult for a third party to intercept the script through sniffing [6], it also makes it more difficult to send a malicious script without knowing the decryption key.
The encryption the AI used is somewhat different from the ones introduced in Cybersecurity: Encryption Intro [7]. They were all text based, relying on substituting characters with other characters. The one used here is binary, changing each character by changing its ASCII character code's zeros and ones.
Recall Security Step 7 that ChatGPT recommended at the start of this activity:
Since the radio has 84 options and XOR has 256 possible ciphers, how many tries maximum would it take to brute force attack this script transfer system? To find out, simply multiply the possibilities of both.
Channel is only one way to make it more difficult for one micro:bit to monitor another. The micro:bit also has group and address settings that give even more combinations. So, security could be increased as follows:
Note: After several attempts to get AI to supply the correct answer with a minimum of back-and-forth, it turned out to be a time saver for a human to make the calculations and write this.
The AI recommended a total of nine measures at the beginning of this activity; items 6 and 7 were noted. Up to now, you have used an example of item 6 below, and after this, you will also see an example of how item 7 can be addressed.
You might be thinking, “Why not just ask the AI to solve them all at once?” In general, it is better to approach adding features to scripts incrementally, and development with AI is no exception. Although the user tried the all-in-one approach several times, the AI gave so much weight to the security measures that the original features were no longer usable. So, at the time of this experiment, it made more sense to work through them one at a time. Between each one, it also made it easier to verify that the script retained its original functionality.
ChatGPT
Loading and executing arbitrary code received from an external source, as in Module 2 (Receiver), can indeed pose security risks. To enhance the security of the system, you can implement several measures:
In Try This: Calculate the Benefit of Access Control [8], you calculated the increase in isolation by adding group as well as group and address. The AI was asked to use channel, group, and address.
User
Below are two scripts that run on BBC micro:bit modules. Please increase their security by adding any features that might not have already been this recommendation:
# Module 1: Sender
… (script omitted, see Scripts section in this activity.)
# Module 2: Receiver
… (script omitted, see Scripts section in this activity.)
ChatGPT
To enhance the security of communication between the sender and receiver micro:bits, you can implement access control and isolation using the micro:bit's communication features. In this case, you can utilize the group setting to restrict communication to specific devices or groups.
Here's an updated version of your scripts:
Module 1: Sender
import radio def get_input_string(): print("Enter text:") return input() def xor_encrypt(message, key): encrypted_message = "" for char in message: encrypted_message += chr(ord(char) ^ key) return encrypted_message # Replace 'YOUR_XOR_KEY' with a value between 0 and 255 xor_key = 42 # Set a specific group for communication radio.on() radio.config(length=250, channel=7, group=1) # Change the group number as needed while True: user_input = get_input_string() encrypted_message = xor_encrypt(user_input, xor_key) radio.send(encrypted_message) print("Sent:", user_input)
Module 2: Receiver
import radio def xor_decrypt(encrypted_message, key): decrypted_message = "" for char in encrypted_message: decrypted_message += chr(ord(char) ^ key) return decrypted_message def execute_python_code(script_lines, key): try: script = "\n".join(script_lines) exec(script) except Exception as e: print("Error:", e) # Replace 'YOUR_XOR_KEY' with the same key used in the sender script xor_key = 42 # Set the same group for communication radio.on() radio.config(length=250, channel=7, group=1) # Change the group number as needed script_lines = [] indent_level = 0 while True: encrypted_message = radio.receive() if encrypted_message is not None: try: decrypted_message = xor_decrypt(encrypted_message, xor_key) print("Received:", decrypted_message) if decrypted_message == "run": execute_python_code(script_lines, xor_key) script_lines = [] indent_level = 0 else: line_indent = len(decrypted_message) - len(decrypted_message.lstrip()) if line_indent > indent_level: script_lines.append(decrypted_message[indent_level:]) else: script_lines.append(decrypted_message) except Exception as e: print("Error decrypting message:", e)
In this version, both the sender and receiver scripts use the group setting to ensure that they communicate only with micro:bits in the same group. Adjust the group number as needed for your specific scenario.
Links
[1] https://learn.parallax.com/tutorials/robot/cyberbot/get-started-microbit-and-python
[2] https://learn.parallax.com/tutorials/robot/cyberbot/writing-microbit-programs
[3] https://learn.parallax.com/tutorials/robot/cyberbot/ai-simple-python-scripts
[4] https://learn.parallax.com/tutorials/robot/cyberbot/cybersecurity-radio-basics
[5] https://learn.parallax.com/tutorials/robot/cyberbot/strings-characters-primer/embed-code-strings
[6] https://learn.parallax.com/tutorials/robot/cyberbot/cybersecurity-sniffing-attacks-and-defenses
[7] https://learn.parallax.com/tutorials/robot/cyberbot/cybersecurity-encryption-intro
[8] https://learn.parallax.com/tutorials/language/python/cybersecurity-ai-and-microbit/using-ai-help-cyber-defenses/try-calculate