HackMyIP
2026-05-05 The Hacker News

1M Exposed AI Services Reveal Alarming Security Gaps

Tags: AI Security, Vulnerability, Privacy

A joint research effort by the Security Research Lab (SRL) and the AI Security Initiative (AISI) scanned the public IPv4 space for reachable AI inference endpoints between January and March 2024. The team's custom crawler, AIScanner, probed ports commonly used by model-serving stacks (5000, 8000, 8080) and issued benign, unauthenticated health-check requests to paths such as /v1/models, /predict, /health and /metadata. By correlating response headers, TLS certificates and API version strings, the researchers fingerprinted 1,024,312 unique AI services, of which 12.4% (roughly 127,000) enforced no authentication at all.

The most alarming findings concerned credential management and data exposure. Roughly 8% of the services still accepted factory-default API tokens (for example "Bearer secret" or "X-Token-AI-Default") that had never been rotated after deployment; a shared, published default offers no more protection than no token at all. A further 5.2% leaked private model metadata, including training-dataset summaries and model version hashes, through unprotected /info endpoints. Two popular open-source serving frameworks accounted for most of the vulnerable hosts, TensorFlow Serving (37%) and NVIDIA Triton Inference Server (22%), and many of those installations had not applied the fix for CVE-2023-4123, an arbitrary file read flaw disclosed the previous year.
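The triage logic the two paragraphs above describe (anonymous probing of the common paths, retrying with the quoted factory defaults, and checking /info for sensitive fields), as an added Python example that is not the researchers' AIScanner code. It runs offline against constructed host fixtures; the header shape given to the default credentials, the fingerprint heuristics and the list of "sensitive" metadata keys are assumptions for illustration, while the TensorFlow Serving (model_version_status) and Triton (server metadata named "triton") response shapes are those frameworks' own REST formats.

```python
"""Offline triage of inference endpoints, modelled on the three checks the
AIScanner study reports: anonymous access on common paths, factory-default
tokens still honoured, and metadata leaking from an unprotected /info route.
Added example, not the researchers' scanner; the hosts are constructed
fixtures, and the credential header shapes and 'sensitive' keys are assumptions."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]              # status, headers, body
Fetch = Callable[[str, str, Dict[str, str]], Response]  # (method, path, headers)
PROBE_PATHS = ["/v1/models", "/predict", "/health", "/metadata"]
DEFAULT_CREDENTIALS = [{"Authorization": "Bearer secret"}, {"X-Token": "X-Token-AI-Default"}]  # assumed shapes
SENSITIVE_KEYS = {"training_data", "dataset_summary", "patient_ids"}  # assumed

@dataclass
class Finding:
    host: str
    framework: str = "unknown"
    open_paths: List[str] = field(default_factory=list)  # 200 with no credential
    default_token_accepted: bool = False
    leaked_keys: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.leaked_keys:
            return "high"
        return "medium" if (self.open_paths or self.default_token_accepted) else "info"

def _json(body: str) -> dict:
    try:  # anything that is not a JSON object (empty, text, array) -> {}
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return {}
    return doc if isinstance(doc, dict) else {}

def fingerprint(headers: Dict[str, str], body: str) -> str:
    """TF Serving's REST API returns model_version_status; Triton's server
    metadata document names itself 'triton'. Server header as a fallback."""
    server = headers.get("Server", "").lower()
    doc = _json(body)
    if "tensorflow" in server or "model_version_status" in doc:
        return "tensorflow-serving"
    if "triton" in server or doc.get("name") == "triton":
        return "triton"
    return "unknown"

def triage(host: str, fetch: Fetch) -> Finding:
    f = Finding(host)
    for path in PROBE_PATHS:
        status, hdrs, body = fetch("GET", path, {})
        if status == 200:
            f.open_paths.append(path)
        elif status in (401, 403):
            # Auth is enforced; does a factory default still unlock it?
            for cred in DEFAULT_CREDENTIALS:
                status, hdrs, body = fetch("GET", path, cred)
                if status == 200:
                    f.default_token_accepted = True
                    break
        if status == 200 and f.framework == "unknown":
            f.framework = fingerprint(hdrs, body)
    status, _, body = fetch("GET", "/info", {})
    if status == 200:
        f.leaked_keys = sorted(SENSITIVE_KEYS & set(_json(body)))
    return f

@dataclass
class FakeHost:  # constructed stand-in for a live server, not real scan data
    public: Dict[str, Response] = field(default_factory=dict)  # served to anyone
    gated: Dict[str, Response] = field(default_factory=dict)   # need a credential
    accepts: List[Dict[str, str]] = field(default_factory=list)

    def fetch(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        if path in self.public:
            return self.public[path]
        if path in self.gated:
            ok = any(all(headers.get(k) == v for k, v in c.items()) for c in self.accepts)
            return self.gated[path] if ok else (401, {}, "")
        return 404, {}, ""

FIXTURES = {
    # TF Serving open to anyone; /info leaks a training-dataset descriptor.
    "198.51.100.10": FakeHost(public={
        "/v1/models": (200, {"Server": "TensorFlow Serving"},
                       '{"model_version_status":[{"version":"3","state":"AVAILABLE"}]}'),
        "/info": (200, {}, '{"model":"triage-net","training_data":"ehr-2019","hash":"ab12"}')}),
    # Triton behind a token check that still honours the published default.
    "198.51.100.11": FakeHost(gated={"/metadata": (200, {}, '{"name":"triton","version":"2.41.0"}')},
                              accepts=[{"Authorization": "Bearer secret"}]),
    # Locked down: unique rotated token, no /info route.
    "198.51.100.12": FakeHost(gated={"/v1/models": (200, {}, '{"model_version_status":[]}')},
                              accepts=[{"Authorization": "Bearer 4b9d1e2f7a33"}]),
}

if __name__ == "__main__":
    for host, fx in FIXTURES.items():
        print(triage(host, fx.fetch))
```

A live run would swap FakeHost.fetch for a function that issues real HTTP requests with a short timeout; keep every probe a read-only GET and the per-host request count small, as the study did, and treat a 200 on a probe path as exposure regardless of whether the framework could be fingerprinted.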

These weaknesses open several avenues for abuse. A default or absent token gives anyone on the internet inference access, which lets an adversary extract a proprietary model through repeated queries, feed it adversarial inputs, or knock it offline by flooding the endpoint with resource-intensive batch requests. Leaked training-data fragments can also put the operator in breach of GDPR and similar privacy regimes: in one test case, a healthcare-focused service returned patient identifiers in its model metadata response. In a simulated scenario, the researchers used a misconfigured service as a pivot into an internal Kubernetes cluster, showing how an exposed inference endpoint can become a foothold for lateral movement into the surrounding infrastructure.

The research team urges AI operators to adopt a defense-in-depth posture: require mutual TLS (mTLS) on every inference endpoint so that only holders of an issued client certificate can reach it, replace factory-default credentials at deployment time and rotate API keys from a secrets-management platform, and front the servers with an API gateway that enforces rate limiting and role-based access control. Continuous automated scanning with tools such as AIScanner, paired with regular penetration testing, catches misconfigurations before they are weaponized. As regulatory frameworks such as the EU AI Act tighten security requirements, organizations that leave such services exposed risk both data breaches and significant compliance penalties.
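One way to implement the gateway side of that advice, as an added Python example that is not from the article or any vendor: identity is taken only from the client-certificate subject that the TLS terminator has already verified, every method and path is checked against a role map, and each identity is throttled by a token bucket. The header name, role map, certificate subjects and rate limits are assumptions for illustration.

```python
"""Policy core of an inference API gateway in the posture the report urges:
identity comes only from the mTLS client certificate the TLS terminator has
verified, each method/path is checked against a role map, and every identity
is rate-limited with a token bucket. Added example, not the article's or any
vendor's code; header name, roles, subjects and limits are assumptions."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PEER_DN_HEADER = "X-Client-Cert-DN"   # set by the TLS terminator (assumed name)

# role -> allowed (method, path regex); assumed policy for a TF-Serving-style API
ROLE_RULES = {
    "reader":    [("GET", r"^/v1/models(/[\w.-]+)?$"), ("GET", r"^/health$")],
    "inference": [("POST", r"^/v1/models/[\w.-]+:predict$")],
    "admin":     [("GET", r"^/info$"), ("POST", r"^/v1/models/[\w.-]+/reload$")],
}
IDENTITY_ROLES = {   # certificate subject -> roles (assumed)
    "CN=dashboard,O=example":    {"reader"},
    "CN=batch-worker,O=example": {"reader", "inference"},
    "CN=ml-admin,O=example":     {"reader", "inference", "admin"},
}
RATE_PER_SEC = {"reader": 10.0, "inference": 5.0, "admin": 2.0}   # assumed limits


@dataclass
class Bucket:
    """Token bucket refilling at `rate` tokens per second up to `capacity`."""
    capacity: float
    rate: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}

    def authorize(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (status, reason); only 200 means the request may be proxied."""
        dn = headers.get(PEER_DN_HEADER)
        if not dn:
            # No bearer-token fallback, so a leaked or default token buys nothing.
            return 401, "client certificate required"
        roles = IDENTITY_ROLES.get(dn)
        if not roles:
            return 403, "certificate not mapped to any role"
        if not any(m == method and re.match(p, path)
                   for r in roles for m, p in ROLE_RULES[r]):
            return 403, f"{method} {path} not permitted for {sorted(roles)}"
        # Per-identity limit: most generous of its roles, burst = one second of it.
        rate = max(RATE_PER_SEC[r] for r in roles)
        now = self.clock()
        if not self.buckets.setdefault(dn, Bucket(rate, rate, rate, now)).take(now):
            return 429, "rate limit exceeded"
        return 200, "ok"


def demo() -> Dict[str, int]:
    """Drive the gateway with a controllable clock; returns a status per scenario."""
    t = [1000.0]
    gw = Gateway(clock=lambda: t[0])
    dash = {PEER_DN_HEADER: "CN=dashboard,O=example"}
    worker = {PEER_DN_HEADER: "CN=batch-worker,O=example"}
    predict = "/v1/models/triage-net:predict"
    out = {
        "anonymous_list": gw.authorize("GET", "/v1/models", {})[0],
        "unknown_cert": gw.authorize("GET", "/v1/models", {PEER_DN_HEADER: "CN=stranger,O=x"})[0],
        "dashboard_list": gw.authorize("GET", "/v1/models/triage-net", dash)[0],
        "dashboard_predict": gw.authorize("POST", predict, dash)[0],
        "worker_info": gw.authorize("GET", "/info", worker)[0],
    }
    # The worker's limit is 10/s: ten predictions pass, the eleventh is throttled.
    burst = [gw.authorize("POST", predict, worker)[0] for _ in range(11)]
    out["worker_burst_ok"] = burst.count(200)
    out["worker_burst_last"] = burst[-1]
    t[0] += 1.0   # one second later the bucket has refilled
    out["worker_after_wait"] = gw.authorize("POST", predict, worker)[0]
    return out


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} {status}")
```

Because the policy has no bearer-token branch at all, a leaked or factory-default token cannot satisfy it, and the credential-hygiene task becomes rotating client certificates rather than API keys. The header carrying the verified subject must only ever be set by the TLS terminator and stripped from incoming requests, or the check collapses to a spoofable string.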

Source: The Hacker News
