More

    Widespread Use of AI Agents Poses Significant Risks, Warns CertiK CEO

    News

    Published on:

    Widespread Use of AI Agents Poses Significant Risks, Warns CertiK CEO

    Ronghui Gu offers advice on how to keep AI agents isolated during testing to prevent them from accessing sensitive personal data or digital assets.

    What to know:

    — The security firm CertiK cautions that the swift adoption of autonomous AI agents, which are often untested and unmonitored, is leading to a significant and perilous «security debt» across various networks and applications.

    — By allowing AI agents access to local files, credentials, and financial tools, users inadvertently create potent insider threats that can be exploited through prompt-injection attacks and harmful plug-ins.

    — CertiK’s research has revealed extensive vulnerabilities and a rise in fleeting, automated on-chain scams targeting other AI systems, leading to calls for a transition to stringent Zero Trust frameworks for AI agent infrastructure.

    The worldwide push to implement autonomous AI agents across the internet, corporate networks, and consumer applications is resulting in a dangerous security debt, according to the head of blockchain security auditing firm Certik.

    While companies enthusiastically promote these tools as productivity enhancers, the harsh truth is that their deployment can be extremely risky. Unmonitored and untested AI agents represent a significant security catastrophe waiting to unfold, Ronghui Gu, the co-founder and CEO of CertiK, told Decryptnews.

    Gu cautioned that users might be putting their most sensitive files, local credentials, and financial accounts at risk by granting access to autonomous systems that can be easily manipulated, hijacked, and scammed.

    «Currently, agents have evolved beyond just responding to inquiries in a chat interface,» Gu told Decryptnews following CertiK’s comprehensive report on prevalent agent infrastructure. «They are starting to invoke external tools, access local files, initiate workflows, and engage with financial systems. However, if you do not isolate the execution environment and scrutinize these tools beforehand, you are providing a compromised identity with extensive internal access to your entire network.»

    The core issue in the current surge of AI agents is a flawed trust paradigm, according to Gu.

    Charles Hoskinson, the founder and CEO of Cardano’s Input Output, stated that by 2035, AI agents will surpass humans in relevance on the internet. Coinbase CEO Brian Armstrong recently remarked, «very soon there will be more AI agents than humans conducting transactions,» while Binance Founder Changpeng Zhao predicted they «will facilitate a million times more payments than humans.»

    Ultimate insider threat

    Gu mentioned that many widely-used, open-source AI applications are developed under the premise that since they operate locally on a user’s machine or connect through standard chat platforms like WhatsApp, they are secure from outside threats.

    The truth is quite the opposite, he pointed out. The moment a user permits an AI agent to access local system storage, inspect execution histories, or handle personal email and business database credentials, that agent transforms into the ultimate insider threat.

    CertiK’s recent examination of nascent, rapidly expanding agent frameworks unveiled a shocking accumulation of security vulnerabilities, including hundreds of critical security alerts, unpatched common vulnerabilities and exposures (CVEs), and other significant breaches of local credentials and session memories due to inconsistent boundary checks.

    Even more concerning is how effortlessly these autonomous systems can be entirely redirected at the reasoning layer without any malicious code being written, Gu stressed.

    Through simple «prompt injection» attacks, a malicious actor can embed covert natural language instructions within a harmless webpage, a PDF document, or an incoming email, he explained.

    When the unisolated AI agent processes that file for the user, it fails to distinguish between trusted system commands and untrusted external data, Gu clarified. Consequently, the agent silently alters its initial rules, complies with the malicious directive, and can be compelled to extract data or initiate unauthorized fund transfers.

    Hyperfast exploits

    Gu disclosed that CertiK identified hundreds of harmful skills, counterfeit installers, and similar dependency packages present directly on open agent utility platforms. Because these malicious plug-ins utilize standard natural language to subtly alter the agent’s behavior and objectives, they completely circumvent traditional, signature-based antivirus solutions.

    «The scam applications leverage natural language to manipulate behavior, rendering them entirely resistant to conventional antivirus scans,» Gu clarified. «And presently, it is even simpler to deceive the machine than to mislead a human.»

    In what Gu describes as an unusual development in financial crime, CertiK’s telemetry has recorded a surge of on-chain, automated scams that operate for only 10 minutes or a few hours before disappearing completely.

    These hyperfast, fleeting exploits are specifically crafted by hackers to target and defraud other autonomous AI trading bots and automated agent systems, executing machine-on-machine financial theft before any human even realizes a breach has occurred.

    Gu asserts that the software engineering sector must entirely abandon its dependence on trust-based interactions and urgently transition to an isolated, «Zero Trust» architecture where every command and dependency is continuously validated.

    Related

    © Decrypt News. All Rights Reserved