From 624f548bec31b3bb9ec7d02d4f3659ff09c0de7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Mayoral=20Vilches?= Date: Mon, 18 Aug 2025 08:05:54 +0200 Subject: [PATCH] Add DISCLAIMER and some minor refinements on README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: VΓ­ctor Mayoral Vilches --- DISCLAIMER | 31 +++++++++++++++++++++++++++ README.md | 61 +++++++++++++++++++++++++++++++++--------------------- 2 files changed, 68 insertions(+), 24 deletions(-) create mode 100644 DISCLAIMER diff --git a/DISCLAIMER b/DISCLAIMER new file mode 100644 index 00000000..2fb9b399 --- /dev/null +++ b/DISCLAIMER @@ -0,0 +1,31 @@ +## Legal disclaimer for CAI + +### **1. Compliance & Intended Use** +CAI is an AI-powered cybersecurity evaluation tool intended to assist in security assessments of robotic and other automated systems. It is designed to operate under a "human-on-the-loop" principle, ensuring oversight and mitigating risks associated with autonomous decision-making. + +The software is developed in alignment with **ethical AI principles** and is intended to support compliance with the **EU AI Act** and other applicable cybersecurity regulations. However, it is the sole responsibility of the user to ensure adherence to all relevant laws and standards when deploying or modifying this software. + +### **2. Open Source Notice & Responsibility** +This source code is provided under the license terms detailed in the accompanying `LICENSE` file. Portions of CAI are released as **open-source** to encourage transparency and community collaboration. + +Please note: +- The software is provided "**as is**", without warranty of any kind. +- The authors and contributors assume **no liability** for any damages, data loss, or legal consequences arising from its use. +- Users must conduct **appropriate testing and validation** before deploying this software in any production or mission-critical environment. + +### **3. Security & Ethical Use** +- **Non-Disruptive Use Only:** CAI is intended for research, education, and evaluation purposes. It must **not** be used to disrupt, manipulate, or interfere with live production systems. +- **Authorized Access Required:** Cybersecurity assessments or testing using this tool must be conducted **only with explicit permission** from the system owner. +- **Qualified Use:** This software should be used by **trained professionals** following industry best practices and applicable organizational security policies. + +### **4. Limitations** +- Use of this tool does **not guarantee** full protection against cyber threats or compliance with any regulatory framework. +- It is **not a substitute** for formal cybersecurity audits, penetration testing services, or legal compliance assessments. +- Users are fully responsible for the consequences of how they apply or modify the code. + +### **5. Contact & Contributions** +We welcome community contributions to improve CAI. To contribute, report bugs, or request clarification on legal or compliance issues, please use [GitHub Issues/Support Email]. + +--- + +By downloading, using, or modifying this source code, you agree to the terms of the `LICENSE` and the limitations outlined in this disclaimer. \ No newline at end of file diff --git a/README.md b/README.md index 3751a09c..12676e97 100644 --- a/README.md +++ b/README.md @@ -10,19 +10,7 @@

-## 🎯 Milestones -[![](https://img.shields.io/badge/HTB_ranking-top_90_Spain_(5_days)-red.svg)](https://app.hackthebox.com/users/2268644) -[![](https://img.shields.io/badge/HTB_ranking-top_50_Spain_(6_days)-red.svg)](https://app.hackthebox.com/users/2268644) -[![](https://img.shields.io/badge/HTB_ranking-top_30_Spain_(7_days)-red.svg)](https://app.hackthebox.com/users/2268644) -[![](https://img.shields.io/badge/HTB_ranking-top_500_World_(7_days)-red.svg)](https://app.hackthebox.com/users/2268644) -[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_1_(AIs)_world-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) -[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_1_Spain-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) -[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_20_World-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) -[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-750_$-yellow.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) -[![](https://img.shields.io/badge/Mistral_AI_Robotics_Hackathon-2500_$-yellow.svg)](https://lu.ma/roboticshack?tk=RuryKF) -[![](https://img.shields.io/badge/Bug_rewards-250_$-yellow.svg)](https://github.com/aliasrobotics/cai) -## πŸ“¦ Package Attributes [![version](https://badge.fury.io/py/cai-framework.svg)](https://badge.fury.io/py/cai-framework) [![downloads](https://img.shields.io/pypi/dm/cai-framework)](https://pypistats.org/packages/cai-framework) [![Linux](https://img.shields.io/badge/Linux-Supported-brightgreen?logo=linux&logoColor=white)](https://github.com/aliasrobotics/cai) @@ -39,19 +27,22 @@ A lightweight, ergonomic framework for building bug bounty-ready Cybersecurity AIs (CAIs). -| CAI with `alias0` on ROS message injection attacks in MiR-100 robot | CAI with `alias0` on API vulnerability discovery at Mercado Libre | -|-----------------------------------------------|---------------------------------| -| [![asciicast](https://asciinema.org/a/dNv705hZel2Rzrw0cju9HBGPh.svg)](https://asciinema.org/a/dNv705hZel2Rzrw0cju9HBGPh) | [![asciicast](https://asciinema.org/a/9Hc9z1uFcdNjqP3bY5y7wO1Ww.svg)](https://asciinema.org/a/9Hc9z1uFcdNjqP3bY5y7wO1Ww) | - - -| CAI on JWT@PortSwigger CTF β€” Cybersecurity AI | CAI on HackableII Boot2Root CTF β€” Cybersecurity AI | -|-----------------------------------------------|---------------------------------| -| [![asciicast](https://asciinema.org/a/713487.svg)](https://asciinema.org/a/713487) | [![asciicast](https://asciinema.org/a/713485.svg)](https://asciinema.org/a/713485) | - - > [!NOTE] > We encourage you to read CAI's the technical report at https://arxiv.org/pdf/2504.06017. + +| `OT` - CAI and alias0 on: Ecoforest Heat Pumps | `Robotics` - CAI and alias0 on: Mobile Industrial Robots (MiR) | +|------------------------------------------------|---------------------------------| +| CAI discovers critical vulnerability in Ecoforest heat pumps allowing unauthorized remote access and potential catastrophic failures. AI-powered security testing reveals exposed credentials and DES encryption weaknesses affecting all of their deployed units across Europe. | CAI-powered security testing of MiR (Mobile Industrial Robot) platform through automated ROS message injection attacks. This study demonstrates how AI-driven vulnerability discovery can expose unauthorized access to robot control systems and alarm triggers. | +| [![](https://aliasrobotics.com/img/case-study-portada-ecoforest.png)](https://aliasrobotics.com/case-study-ecoforest.php) | [![](https://aliasrobotics.com/img/case-study-portada-mir-cai.png)](https://aliasrobotics.com/case-study-cai-mir.php) | + +| `IT` (Web) - CAI and alias0 on: Mercado Libre's e-commerce | `OT` - CAI and alias0 on: MQTT broker | +|------------------------------------------------|---------------------------------| +| CAI-powered API vulnerability discovery at Mercado Libre through automated enumeration attacks. This study demonstrates how AI-driven security testing can expose user data exposure risks in e-commerce platforms at scale. | CAI-powered testing exposed critical flaws in an MQTT broker within a Dockerized OT network. Without authentication, CAI subscribed to temperature and humidity topics and injected false values, corrupting data shown in Grafana dashboards. | +| [![](https://aliasrobotics.com/img/case-study-portada-mercado-libre.png)](https://aliasrobotics.com/case-study-mercado-libre.php) | [![](https://aliasrobotics.com/img/case-study-portada-mqtt-broker-cai.png)](https://aliasrobotics.com/case-study-cai-mqtt-broker.php) | + + + > [!WARNING] > :warning: CAI is in active development, so don't expect it to work flawlessly. Instead, contribute by raising an issue or [sending a PR](https://github.com/aliasrobotics/cai/pulls). > @@ -62,9 +53,9 @@ A lightweight, ergonomic framework for building bug bounty-ready Cybersecurity A ## :bookmark: Table of Contents - [Cybersecurity AI (`CAI`)](#cybersecurity-ai-cai) - - [🎯 Milestones](#-milestones) - - [πŸ“¦ Package Attributes](#-package-attributes) - [:bookmark: Table of Contents](#bookmark-table-of-contents) + - [🎯 Milestones](#-milestones) + - [PoCs](#pocs) - [Motivation](#motivation) - [:bust\_in\_silhouette: Why CAI?](#bust_in_silhouette-why-cai) - [Ethical principles behind CAI](#ethical-principles-behind-cai) @@ -101,6 +92,28 @@ A lightweight, ergonomic framework for building bug bounty-ready Cybersecurity A +## 🎯 Milestones +[![](https://img.shields.io/badge/HTB_ranking-top_90_Spain_(5_days)-red.svg)](https://app.hackthebox.com/users/2268644) +[![](https://img.shields.io/badge/HTB_ranking-top_50_Spain_(6_days)-red.svg)](https://app.hackthebox.com/users/2268644) +[![](https://img.shields.io/badge/HTB_ranking-top_30_Spain_(7_days)-red.svg)](https://app.hackthebox.com/users/2268644) +[![](https://img.shields.io/badge/HTB_ranking-top_500_World_(7_days)-red.svg)](https://app.hackthebox.com/users/2268644) +[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_1_(AIs)_world-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) +[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_1_Spain-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) +[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-top_20_World-red.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) +[![](https://img.shields.io/badge/HTB_"Human_vs_AI"_CTF-750_$-yellow.svg)](https://ctf.hackthebox.com/event/2000/scoreboard) +[![](https://img.shields.io/badge/Mistral_AI_Robotics_Hackathon-2500_$-yellow.svg)](https://lu.ma/roboticshack?tk=RuryKF) + +## PoCs +| CAI with `alias0` on ROS message injection attacks in MiR-100 robot | CAI with `alias0` on API vulnerability discovery at Mercado Libre | +|-----------------------------------------------|---------------------------------| +| [![asciicast](https://asciinema.org/a/dNv705hZel2Rzrw0cju9HBGPh.svg)](https://asciinema.org/a/dNv705hZel2Rzrw0cju9HBGPh) | [![asciicast](https://asciinema.org/a/9Hc9z1uFcdNjqP3bY5y7wO1Ww.svg)](https://asciinema.org/a/9Hc9z1uFcdNjqP3bY5y7wO1Ww) | + + +| CAI on JWT@PortSwigger CTF β€” Cybersecurity AI | CAI on HackableII Boot2Root CTF β€” Cybersecurity AI | +|-----------------------------------------------|---------------------------------| +| [![asciicast](https://asciinema.org/a/713487.svg)](https://asciinema.org/a/713487) | [![asciicast](https://asciinema.org/a/713485.svg)](https://asciinema.org/a/713485) | + + ## Motivation ### :bust_in_silhouette: Why CAI? The cybersecurity landscape is undergoing a dramatic transformation as AI becomes increasingly integrated into security operations. **We predict that by 2028, AI-powered security testing tools will outnumber human pentesters**. This shift represents a fundamental change in how we approach cybersecurity challenges. *AI is not just another tool - it's becoming essential for addressing complex security vulnerabilities and staying ahead of sophisticated threats. As organizations face more advanced cyber attacks, AI-enhanced security testing will be crucial for maintaining robust defenses.*