As we converse with more chatbots on messaging platforms and IoT devices, we share an increasingly large amount of information with them. But how secure is the private data that we reveal?
In mid-2016, a bot posing as a friend on Facebook hacked 10,000 accounts by tricking users into installing a browser extension that read and changed personal data on websites they visited, including financial accounts.
While in this case a chatbot acquired sensitive user data without our full knowledge, there are also cases where we offer up our personal information freely. The AI-driven conversational bots we come to trust and depend on, like Amazon’s Alexa and the Google Assistant, know a great deal more about us than just our online behavior. Most of us don’t mind this, but these new IoT gadgets are positioned to become always-on digital assistants that will witness a lot of things about us that we might prefer to keep private.
A Wired article explored this emerging reality. Alexa and Google Assistant are activated using a voice prompt, so they need to log clips of your chatter and send these voice recordings to distant servers for processing. Since they’re always in “Listen Mode”, these gadgets can’t help but also hear ambient sounds and conversations, meaning you and your partner’s pillow talk isn’t so private after all. The privacy-compliant algorithms of these systems prevent them from recording or transmitting non-transactional data, but can their parent companies stop sophisticated hackers from gaining unauthorized access?
Hopefully they can and will. But hacking, malware propagation, and other types of cybercrime happen all the time, and are able to wreak havoc even in secure networks such as those used by global banks and secretive intelligence agencies. With loopholes in both global and local networks yet to be closed, cybercrime will inflict data breach damage of around $2.1 trillion by 2019 based on projections by Juniper Research.
According to John Shier, senior advisor at network security company Sophos: “Cyber-criminals use botnets to take over IoT devices and in turn, use these devices to launch other attacks. As there is currently no de facto standard for what constitutes a secure IoT device, consumers need to be discriminating when considering bringing these devices into their homes.”
How Not To Be Bugged By Bots
Bots will become a major component of tomorrow’s digital and always connected world. They’ll be so ubiquitous and accessible that every aspect of our lives can become an open book their algorithms will relentlessly extrapolate. Therefore, we need to set limits and really understand their impact on our personal privacy and security.
Chief scientist John Michener of Casaba Security warned, “All communications with chatbots, or indeed with any and all social networks, should be assumed to be logged in perpetuity and available for arbitrary monitoring / review by private and governmental organizations for the indefinite future. This includes devices such as Amazon’s Alexa.”
To limit your security risks, here are 5 steps recommended by Shier to take with your conversation-enabled IoT devices:
- Purchase IoT and smart devices from established, reputable brands. Larger established brands have stricter security protocols and checks.
- Turn on automatic updating. Turning on a device’s or software’s automatic security updating feature allows the device maker to update the software with protective measures against newly discovered glitches or malware.
- Change passwords immediately if the device allows you to. Do not use the default admin name and password.
- Put the device on its own network if possible. Consider using a dedicated and secured network to minimize the risk of one malware-infected device spreading the malware to other devices on your network. Note that this is a slightly more advanced technique.
- Only communicate with the device over secure and authenticated connections. Avoid connecting via unfamiliar networks — especially public or free Wi-Fi — because hackers have been known to use these channels to steal device and personal data.
If you’re extra paranoid, follow these additional steps from the FBI to further lock down your devices. In addition to always being on the lookout for malicious bots, you may also need to be aware of the encryption and security protocols implemented by popular service bots and messaging platforms. Here’s a good reference compiled by senior software engineer and bot developer Barbara Ondrisek on Medium.
Inevitably, bots and IoT devices will be an important part of our personal, social and professional lives. Their potential for good has already been demonstrated, and the business case for their use is strong. However, they also expose individuals, organizations and networks to considerable risk. To reduce your exposure, refrain from automatically clicking links without considering how you received the link in the first place. Know your bots and engage only those that pass your security standards.