Botnets Could Meet Their Match in Robot Hackers

Software called Mayhem that won a $2 million Pentagon hacking prize is being prepared to go to work fixing up the Internet.
February 1, 2017

Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world.

Mayhem was created by security startup ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students. Brumley says the company has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The aim is to ease the burden on companies that must devote considerable resources to supporting years of past products with security updates. Late last year, hackers used a massive botnet of compromised Internet devices such as cameras to take down sites including Reddit and Twitter.

“Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks—or never—until a patch is put out,” says Brumley. “Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched.”

Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40 percent, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real-world use finding and fixing vulnerabilities.

The Cyber Grand Challenge contest Mayhem won last year was staged by the Pentagon’s Defense Advanced Research Projects Agency, DARPA, in an attempt to spur research on the idea of automating some of the work of security experts. Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors. (DARPA has claimed that encouraging development of the technology in the open will tilt it toward being used primarily for defensive, not offensive, purposes.)

Giovanni Vigna, a professor at the University of California, Santa Barbara, says efforts to make practical use of techniques from the DARPA bot battle are important. But he says dreams of automated hackers cleaning up all the world’s security vulnerabilities are unrealistic, since humans will still need to check their work.

“Say you’re a router company. These guys won’t want to deploy a patch that has no quality assurance and could take all their devices offline,” he says. Vigna led the team whose MechanicalPhish software came in third in the DARPA contest last summer. The software has been released as open source for others to experiment with.

Brumley acknowledges that problem. Many people—including in the U.S. government—prefer to have a “human in the loop” rather than letting automated software run the show, he says.

“I'm not against that, but I feel that it slows down the process,” says Brumley. He’s hopeful that as autonomous hackers and fixers prove their worth, they will be allowed to work with less human supervision.

Illustration by Rose Wong