Chatbot's Security Is At Stake !

Chatbot, commonly known as Artificial Conversational Entity, chatterbot, chatterbox is a bot (automated program) which normally talks with you via auditory or textual methods in form of a conversation in a way that any human would do. Either we or the bot starts the conversation with some similar questions like "Hey Siri, How are you?", would by flying to my hometown on this weekend, can you please find best rates".
As we see, we have advanced from traditional mails to E-mail and to Messaging then now into Interactive and intelligent messaging and that is a Chatbot. It is derived from Artificial Intelligence. Bot a.k.a. personal assistants work on NLP i.e., Natural language Processing.
Why did Chatbots emerge? The idea behind is that we could definitely go and search in on a search engine and it will give you several pages of information, then you have to do your research on your own and then you decide based on your preferences and more clicks to what you initially opted. In contrast, chatbots will give exactly that you are looking for in an interactive way noting down the preferences.

Examples and Purpose

Among the famous chatbots are Windows's Cortana, Apple's Siri, Google's Allo or Google Assistant, Samsung's Bixby, Microsoft Tay and Amazon's Alexa. Listing down few famous bots depending on the purpose; Travel Bots like Instalocate or SkyScanner, Weather Bot like Poncho, Entertainment Bot like IconB, E-commerce bot like chatShopper, News bots like TechCrunch or CNN and Social Bots like Foxsy Facebook Messenger Platform, Telegram Bots, and TwitterBot.
With our few questions we are done with booking a ticket for any movie, football match or concert, ordering a pizza, scheduling medical appointments, booking an uber, a hotel, a flight, and shuttles. Girls would love a shopping bot like eBay Chatbot. Is this not what we look for in a personal assistant? It does what we prefer without failing to remember anything.
Additionally, a Bot can serve for commercial purpose to businesses for customer service, sales, and marketing.


As I said, this is going to act as a personal assistant who has all your schedules, activities, preferences and all other sensitive information about you. So the first question that comes to our mind is that--is the privacy ensured? 
You are almost sharing all details so that your booking gets done just on a conversation, so how do you ensure that my Chatbot does not share any confidential information while working as an assistant?
It might also happen, that you ask some information which is available on internet and bot provides an URL in response and that might lead to some malware.
Via Social Engineering, already your bot is connected to many social engineering apps on your mobile, you already have shared information about your preferences like which book you read, your favorite movie, music you listen frequently, when do you wake up based on the alarm set, when do you sleep, to where do you hire taxis on Friday nights, which place do you often visit on weekend, where you would be flying next month, whom you call frequently. An attacker can have all these information if your bot is tricked. How are you going to distinguish your faithful assistant, by a fake one?
A bot gets intelligent by storing your requests or questions and your answers or responses. That means it stores and records all the data. And if it is recording all these data, then it could be manipulated which is not an uphill struggle for hackers. Once hacked it can be used for extracting the assistant owner's private and confidential information. For business organizations, it will also not deny sharing the business contacts, employee information. What if malware infected Chatbots siphoned financial data, or worse unique identification numbers, from unsuspecting users?

Case studies

There are evil bots reported, like the one in Tinder dating app, where the bot acted as a female user and was targeting the men and leading them to sign up for an online subscription. 
The other famous evil Chabot named Cara (flirty one) for the chat app WeChat, where it was asking to its friends for a favor as transferring 27$.

Conclusion and Steps To Take

As technology advances, so do threats... 
\People sometimes think that bots are stupid and they do not have any power and go ahead and play around, at the same time they do not know that they can be hacked too.
Artificial intelligence and machine learning advancing to chatbots. But as technology advances, cyber security is at stake. We need to have rules while collecting data from the owner of the Chabot. We need to ensure the training process of the Chatbot, in short, we need to regulate and decide the process. We need what to record and what not to. We need to know the channelization of the Chabot, where is it going to be installed on public or private devices. We need to prepare a defensive bot that can defend itself from a criminal one or train the bot so that it is not taken over by the evil bots. We need to double-check on vetting the financial transactions done by a bot. 
Authored By - Sanket Sahoo
TCS Cyber Security
Rate this article: 
Average: 1 (2 votes)
Article category: