{"id":3780,"date":"2025-12-09T13:43:22","date_gmt":"2025-12-09T13:43:22","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/12\/09\/uk-ncsc-raises-alarms-over-prompt-injection-attacks\/"},"modified":"2025-12-09T13:43:22","modified_gmt":"2025-12-09T13:43:22","slug":"uk-ncsc-raises-alarms-over-prompt-injection-attacks","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/09\/uk-ncsc-raises-alarms-over-prompt-injection-attacks\/","title":{"rendered":"UK NCSC Raises Alarms Over Prompt Injection Attacks"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Prompt injection vulnerabilities may never be fully mitigated as a category and network defenders should instead focus on ways to reduce their impact, government security experts have warned.<\/p>\n

Then National Cyber Security Centre (NCSC) technical director for platforms research, David C, warned security professionals not to treat prompt injection like SQL injection.<\/p>\n

\u201cSQL injection is \u2026 illustrative of a recurring problem in cybersecurity; that is, \u2018data\u2019 and \u2018instructions\u2019 being handled incorrectly,\u201d he explained.<\/p>\n

\u201cThis allows an attacker to supply \u2018data\u2019 that is executed by the system as an instruction. It\u2019s the same underlying issue for many other critical vulnerability types that include cross-site scripting and exploitation of buffer overflows.\u201d<\/p>\n

However, the same rules don\u2019t apply to prompt injection, because large language models (LLMs) don\u2019t distinguish between data and instructions.<\/p>\n

\u201cWhen you provide an LLM prompt, it doesn\u2019t understand the text it in the way a person does. It is simply predicting the most likely next token from the text so far,\u201d the blog continued.<\/p>\n

\u201cAs there is no inherent distinction between \u2018data\u2019 and \u2018instruction\u2019, it\u2019s very possible that prompt injection attacks may never be totally mitigated in the way that SQL injection attacks can be.\u201d<\/p>\n

This is why mitigations such as detecting prompt injection attempts, training models to prioritize \u201cinstructions\u201d over \u201cdata,\u201d and explaining to a model what \u201cdata\u201d is are doomed to failure, David C argued.<\/p>\n

Read more on prompt injection attacks: \u201cPromptFix\u201d Attacks Could Supercharge Agentic AI Threats<\/em><\/p>\n

A better way to approach the challenge is to look at prompt injection not as code injection but exploitation of an \u201cinherently confusable deputy.\u201d<\/p>\n

David C argued that LLMs are \u201cinherently confusable\u201d because the risk can\u2019t be fully mitigated.<\/p>\n

\u201cRather than hoping we can apply a mitigation that fixes prompt injection, we instead need to approach it by seeking to reduce the risk and the impact. If the system\u2019s security cannot tolerate the remaining risk, it may not be a good use case for LLMs,\u201d he explained.<\/p>\n

Reducing Prompt Injection Risks<\/h2>\n

The NCSC suggested the following steps to reduce prompt injection risk, all of which are aligned to ETSI (TS 104 223) on Baseline Cyber Security Requirements for AI Models and Systems.<\/p>\n