- 175,000 Ollama systems misconfigured and publicly exposed without authentication
- Attackers exploit instances using LLMjacking to generate spam and malware content
- The issue stems from incorrect user configuration and can be fixed by binding only to localhost
Security researchers have claimed that around 175,000 Ollama systems worldwide are exposed, putting them at risk of all kinds of malicious activities. In fact, some are already being abused, and if you are running an Ollama instance, you may want to consider reconfiguring it.
Recently, SentinelOne SentinelLABS and Censys discovered that many companies are running AI models locally using Ollama, where "locally" means the AI listens only to the computer it runs on, not the Internet.
However, in around 175,000 cases, these instances are misconfigured to listen on all network interfaces rather than just localhost, making the AI publicly accessible to anyone on the Internet, without a password.
LLMjacking
Many of these instances run on home connections, VPS servers, or cloud machines, and about half allow “tool calls,” meaning their AI not only answers questions, but also executes code, calls APIs, and interacts with other systems.
Malicious actors who find these instances can abuse them in various ways, and according to Pillar Security, many do. In an attack called LLMjacking, these actors use other people’s electricity, bandwidth and compute to generate spam, malware content and, in some cases, to resell access to other criminals.
To make matters worse, many systems sit outside normal enterprise security and lack the benefits of corporate firewalls, monitoring, authentication, and the like. All of these things, along with the fact that many have residential IPs, make them difficult to track and easy to abuse.
Additionally, some systems run uncensored models without any security checks, increasing the potential for abuse.
Fortunately, this is not a software bug or vulnerability and can be fixed quite easily. Ollama already binds only to localhost (127.0.0.1) by default, which means the problem starts when users expose their instances to the internet without any protection. All users need to do is lock down their instances correctly and they will be safe from LLMjacking.
Via Hacker News