Chat Bot Security-Is It Secure or A Way For Intruder

Published in

Voice Tech Podcast

5 min readAug 22, 2019

Before the inception of Chat-bot, users had to contact the customer care people for any enquiry regarding their product. This demands human presence all the time for gaining their needs anytime, unlike Chat-bot which is self-operative. This blog will cover the security of Chat-bot, in detail.

What is Chat-Bot?

A Chat-bot is more like an Artificial Intelligence (AI) program which is used to setup a conversation with the end user (human) in a preprogrammed human language through various applications like websites, messengers and mobile apps. Chat-bots are configured to perform the process in an automated way.

In general, a chat-bot is more of a Question-Answer system which helps to resolve end user’s problems by providing necessary information to their questions.

Chat-Bot Security Risks:

As shown in the above image, chat-bots have become the norm for a business organization to manage their customers, right from a simple product enquiry to selling an expensive product to the customers.

Since Chat-Bots deals with inputs from the end user, it is very much essential for the chat-bot program to validate the inputs from user’s end. In a web application, a poor input validation of chat-bot program may lead to some of the security threats like:

Cross Site Scripting (Reflected & Stored)
SQL Injection
XML Injection
LDAP Injection
Remote Code Execution

Apart from these security threats, attackers are coming up with new kinds of vulnerabilities which are specifically targeting the chat-bots. Hackers can exploit a chat-bot and turn it into an evil-bot. Evil bots can be used for various purposes by the attackers like:

Evil Bots can scan the network (Internal and External) to identify chat-bots which are vulnerable to be exploited. This is similar to lateral movement or network pivoting concepts in windows security.
Evil bot can be used for phishing attacks by masquerading as a legitimate bot and asking the end user to sign-up or login with their valid credentials, to start the chat.

Build better voice apps. Get more articles & interviews from voice technology experts at voicetechpodcast.com

An example for evil chat-bot is available online in below link

http://www.alexkigerl.com/troll/

Chat-Bot Security:

The security of chat-bots becomes a major concern for organizations now a days as they had started using the chat-bot technology for various purposes. Chat-bots not only helps the organizations to connect to their customers more easily but also they reduce the use of human customer service options for an organization. Hence, security plays a major role in implementing a chat-bot program in a business environment.

Below are few important ways to enhance the security of chat-bots:

Use of End-to-End (E2E) Encryption is one of the major security enhancement which transfers the data between the user and chat-bot in a secure channel. Because of the implementation of E2E encryption, it will be hard for any other middle man or attacker to tamper the data. If an organization incorporates this feature in their chat-bots, it would become a robust security option for the chat-bot users.
Two Factor Authentication: Two factor authentication or 2FA is another major security option for the chat-bot program. In many of the web applications, chat-bots requires a user to sign up with mobile number or email id to start the chat. It will be secure if the chat-bot requires two factor authentication to verify user’s identity before starting the chat. In this way, chat-bot can verify if the end user is human or some kind of evil bot.
Intent Level Authorization: Intent Level Authorization is implemented with the context of combining two inputs. First the state and second the context of chat. State refers to the chat history (messages) and context means the output of the chat analysis, done on user’s data. Contextual information refers to critical information that the chat-bot should not disclose to end user. In this way, enterprises can block critical data leakage through chat-bot programs.
Self-Destructing Messages: If the chat-bot deals with very much critical information like User’s credentials or financial information like account numbers, credit card pins etc., then the implementation of self-destructing messages will help to increase the chat-bot’s security and mitigate any data breach. This option is more useful if the chat-bot is making digital transactions.
Input-validation: As every chat-bot processes the user’s input to retrieve information or just give a generic reply, it is essential for the chat-bot to validate each and every input from the user’s end. It’s a prime responsibility of the chat-bot developer to validate input with proper implementation of secure coding standards. Below reference link helps for secure coding practices,

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Chat-Bot Security testing tools:

Below are some of the open source tools to identify security and functionality problems in chat-bots:

Botium-Bindings: It is more like a Selenium for Chat-bots to identify functional issues.

https://github.com/codeforequity-at/botium-bindings

Open source Threat Intelligence Chat-Bot : CyBot

https://github.com/CylanceSPEAR/CyBot

Conclusion:

Chat-Bot plays a vital role in managing the customers of an organization. Hence, its security is almost a major concern for every organization. It is always necessary to carry out a security assessment on the chat bot application to prevent threats from cyber space.

How Briskinfosec helps you:

Of-course, chat-bots must take the user inputs. But, the inputs shouldn’t be accepted just like that. The chat-bot must validate them. If malicious inputs are given and if the chat-bot fails to validate them, the consequences are imaginable. Briskinfosec validates the incoming requests and ensures whether they are legal or lethal. If legal, grants permission to enter and if found lethal, thwarts it. This is efficiently done by our wide experience in providing ideal security to many of our clients. With regards validating the incoming requests, we use 3 techniques to block injection attacks, namely:

Escaping
Input validating
Sanitization (detecting if there are unwanted symbols/characters).

Don’t miss this:

People to know about the biggest and latest cyberattacks and its consequences, search here and there to get the right things but end up, unsatisfied. Have you heard of a company offering copious blessing to such people by collecting all the important cyberattacks on a monthly basis, along with the impacts experienced by the companies. Just like honey on a cream, mitigation measures are also provided to alert users on such breaches. Such a report is called as the Threatsploit Adversary Report.

Originally published at https://www.briskinfosec.com.