Black Hat USA 2025: An Argentine discovers a critical vulnerability in almost all artificial intelligence services.
A team of cybersecurity researchers, made up of one Argentinian and two Israelis, discovered a vulnerability in a key system used by the vast majority of current artificial intelligence services. The flaw was in a tool from Nvidia , the company that makes the chips used to process user queries in applications like ChatGPT, and has since been fixed.
Andrés Riancho, Hillai Ben-Sasson and Ronen Shustin , members of the research team at cybersecurity firm Wiz, presented their research at Black Hat , one of the world's largest hacker conventions, on Wednesday in Las Vegas.
"We discovered that, after exploiting this vulnerability, it was possible to access messages sent between users and artificial intelligence models. These messages, especially those sent by users, may contain sensitive information that we could have read with the access we had," Riancho, the Argentine hacker, explained to Clarín .
Once they found the problem, they reported it to Nvidia , which fixed it to prevent it from being exploited massively by cyberattackers: the vulnerability was critical, as almost all systems use this Nvidia technology.
Nvidia specializes in the design and manufacture of graphics processing units (GPUs) and AI-related technologies. (Photo: Reuters)
"At the conference we gave this Wednesday at Black Hat, we talked about two cloud providers that use this Nvidia technology, but it actually applies to the vast majority of artificial intelligence platforms."
This type of research is conducted under the umbrella of what is known as "offensive security," a branch of cybersecurity that seeks out flaws and vulnerabilities in systems to fix them and make them more secure. The talk, which this media outlet attended, showed the step-by-step process of vulnerability.
"In neither case did we access third-party information: we conducted all of these tests with our own information, in the most responsible manner possible, always working in pairs to audit each step of the research, keeping logs of the commands we executed, etc.," Riancho clarified.
The technical demonstration. Photo: Juan Brodersen
To explain the attack, it's necessary to recall how current consumer generative artificial intelligence systems, such as ChatGPT, Grok, Claude, or Gemini (Google), work .
For artificial intelligence like ChatGPT to work, it requires enormous computational power . That work isn't done by the user's computer, but by cloud servers owned by companies like OpenAI, Google, and Amazon. And on most of those servers, the engine is Nvidia graphics cards, which are now indispensable for running these models.
To manage these resources , containers are used. These containers can be thought of as small virtual boxes that separate the processes of different clients within a single machine. These containers operate using software called Nvidia Container Toolkit, which is key to understanding the vulnerability discovered by the Wiz Research team.
All of this has a system behind it that, on a technical level, is compartmentalized into these containers. Containers (Docker) are used to isolate two different processes running on the same machine. Cloud providers (Amazon, DigitalOcean, Azure, etc.) often use these containers so that one client can't know what processes are running on another user's data.
The attack carried out by Riancho, Ben-Sasson, and Shustin is what is known as "Container Escape," and allows users to escape from that container and view information from another client running on that same machine.
"You can think of a metaphor: if you pay for a hotel room, you shouldn't have access to other rooms . An escape container allows you to enter other rooms, see who's staying there, what they're wearing, and even stay overnight there. That shouldn't happen," says the analyst.
"Anyone who uses AI probably does so on Nvidia hardware, and if these containers are used, they use the 'Nvidia Container Toolkit' (because it's the only option that exists), which acts as a bridge between a container and the hardware. When we identified this problem and knowing that this toolkit is used by 90% of Cloud Service Providers, we had a critical vulnerability that affected the vast majority of AI services on the market," he continues.
In the world of offensive security, analysts typically report vulnerabilities to companies (although that information can also be sold to brokers who buy the vulnerabilities). "Once we detect the vulnerability, we develop the exploit , report it to Nvidia, and when the company releases the patch, we decide to exploit this vulnerability across multiple vendors. We ended up exploiting this vulnerability across more than a dozen of these services, so we chose two to focus on: Replicate and DigitalOcean ."
Since Nvidia Container Toolkit is used in the vast majority of current AI services, the potential impact of the attack was very large and is considered a “Single Point of Failure” (SPOF): if one link goes down, everything goes down.
"From my point of view it was a SPOF, because it affects most Cloud Service Providers, given that the Nvidia Container Toolkit is a widely used technology and the exploit was very simple to implement, once you had the vulnerability: the exploit was a Dockerfile with 7 lines that, in the end, allowed access to the host file system,” Riancho concludes with technical information.
Jensen Huang, CEO of Nvidia, one of the world's most valuable companies. Photo: Reuters
This type of research ultimately sets the tone for the current state of emerging industries like artificial intelligence, which exploded onto the mass consumer market less than three years ago.
"The state of security in artificial intelligence is quite weak, mainly because there is a lot of market pressure to rush and launch new products. These new products are not tested on security-tested infrastructures, and this leads to many of the mistakes that were made in the past and already solved for more mature systems being repeated, now with AI," Riancho reflects.
"I think this is normal; it's part of the development and expansion process of this industry, which is very new. There's a lot to be done in the area of security , although it always lags behind product implementation," he adds.
However, the analyst believes there is a tension that companies cannot ignore. “Companies working with AI should be aware of the tension between creating a new product and ensuring its security . That tension will always exist: sometimes investors aren't that interested in ensuring products are secure (such as protecting customer data, for example), so developers themselves neglect important security issues,” he says.
“As a company implementing these systems, we need to get back to basics, to very specific AI issues that are relevant, but they're a third or fourth step on the priority list: access control, who can see what information, how we use it, where we store it, strong passwords, second-factor authentication . These are all things that often get lost in the AI hype,” he concludes.
For more technical information, the attack they developed can be seen at this link .
Black Hat, a cybersecurity and hacker conference. Photo: Black Hat
Black Hat is one of the most influential cybersecurity conferences in the world. It was founded in 1997 by Jeff Moss, known in the hacking world as "The Dark Tangent." While the main conference is held in the United States, it also has editions in Asia and Europe.
The convention brings together experts from around the world to discuss vulnerabilities, global threats, defense techniques, and groundbreaking findings in cybersecurity. Unlike DEF CON , which was founded in 1993 and maintains a more informal spirit, Black Hat is aimed at the corporate world.
Year after year, researchers from around the world present their discoveries, and Argentines are almost always among the speakers.
Clarin
