A new joint investigation by SentinelOne SentinelLABS, and Censys has revealed that the open-source artificial intelligence (AI) deployment has created a vast “unmanaged, publicly accessible layer of AI compute infrastructure” that spans 175,000 unique Ollama hosts across 130 countries.
These systems, which span both cloud and residential networks across the world, operate outside the guardrails and monitoring systems that platform providers implement by default, the company said. The vast majority of the exposures are located in China, accounting for a little over 30%. The countries with the most infrastructure footprint include the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.
“Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” researchers Gabriel Bernadett-Shapiro and Silas Cutler added.
Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it’s possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface.
The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns. This, in turn, necessitates new approaches to distinguish between managed and unmanaged AI compute, the researchers said.
Of the observed hosts, more than 48% advertise tool-calling capabilities via their API endpoints that, when queried, return metadata highlighting the functionalities they support. Tool calling (or function calling) is a capability that allows LLMs to interact with external systems, APIs, and databases, enabling them to augment their capabilities or retrieve real-time data.
“Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” the researchers noted. “When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.”
The analysis has also identified hosts supporting various modalities that go beyond text, including reasoning and vision capabilities, with 201 hosts running uncensored prompt templates that remove safety guardrails.
The exposed nature of these systems means they could be susceptible to LLMjacking, where a victim’s LLM infrastructure resources are abused by bad actors to their advantage, while the victim foots the bill. These could range from generating spam emails and disinformation campaigns to cryptocurrency mining and even reselling…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
