- 175,000 Ollama systems misconfigured, publicly exposed without authorization
- Attackers exploit instances via LLMjacking to generate spam and malware content
- The problem stems from user misconfiguration, which can only be resolved by binding to localhost
Security researchers have claimed that around 175,000 Ollama systems worldwide have been exposed, putting them at risk for all sorts of malicious activities. In fact, some have already been abused, and if you are among those running an Ollama instance, you might want to consider reconfiguring it.
Recently, SentinelOne's SentinelLABS and Censys discovered that many companies use Ollama to run AI models locally, meaning the AI listens only to the computer it is running on, not the Internet.
However, in around 175,000 cases these are incorrectly configured to listen on all network interfaces, instead of just localhost, making the AI publicly available to anyone on the internet without a password.
LLMjacking
Many of these instances run on home connections, VPS servers, or cloud machines, and about half allow “tool calls,” meaning their AI not only answers questions, but also runs code, calls APIs, and interacts with other systems.
Malicious actors who find these instances can abuse them in various ways, and according to Pillar Security, many are doing so. In an attack called LLMjacking, these actors use other people's electricity, bandwidth and compute to generate spam and malware content, and in some cases to resell the access to other criminals.
To make matters worse, many systems are located outside of normal corporate security and lack the benefits of corporate firewalls, monitoring, authentication, and the like. All of these things, along with the fact that many sit on residential IPs, make them hard to track and easy to abuse.
In addition, some systems run uncensored models without any security checks whatsoever, increasing the potential for abuse.
Fortunately, this is not a software bug or vulnerability and can be fixed fairly easily. Ollama binds only to localhost (127.0.0.1) by default, which means the problem starts with users exposing their instances to the Internet without any protection. All users need to do is lock down their instances properly and they will be safe from LLMjacking.
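A local check for the misconfiguration described above, as an added example that is not part of the original article: it parses `ss -H -ltn` output and reports any listener on Ollama's default API port (11434, an assumption not stated in the article) that is bound to something other than a loopback address. The sample rows are constructed.

```python
import ipaddress
import sys

OLLAMA_PORT = 11434  # Ollama's default API port (assumption: not changed locally)

# Constructed rows in `ss -H -ltn` format (listening TCP sockets, numeric).
SAMPLE_SS = """\
LISTEN 0 4096      127.0.0.1:11434      0.0.0.0:*
LISTEN 0 128         0.0.0.0:22         0.0.0.0:*
LISTEN 0 4096        0.0.0.0:11434      0.0.0.0:*
LISTEN 0 4096          [::1]:11434         [::]:*
LISTEN 0 4096              *:11434            *:*
"""

def split_local(local):
    """Split the 'Local Address:Port' field of ss into (host, port or None)."""
    host, _, port = local.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, then brackets
    return host, int(port) if port.isdigit() else None

def is_loopback_only(host):
    """True only if the bind address cannot be reached from another machine."""
    if host in ("*", ""):
        return False                 # wildcard: every interface
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                 # unparseable: report it rather than trust it
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        addr = mapped
    return addr.is_loopback          # 0.0.0.0 and :: are not loopback

def exposed_listeners(ss_output, port=OLLAMA_PORT):
    """Return the local addresses on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                 # header or non-listening row
        host, lport = split_local(fields[3])
        if lport == port and not is_loopback_only(host):
            findings.append(fields[3])
    return findings

if __name__ == "__main__":
    # Pipe real data in (`ss -H -ltn | python3 check.py`) or run bare for the sample.
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for addr in exposed_listeners(data):
        print(f"port {OLLAMA_PORT} reachable beyond localhost: {addr}")
```

A finding only shows that the socket is bound beyond loopback; whether it is reachable from the Internet also depends on any firewall or NAT in front of the host.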
Via Hacker News



