Chatbot Tech Can Be Evil

If you used AOL's Instant Messenger in the early 2000s, you may have encountered SmarterChild. SmarterChild was a registered screenname belonging to a chatterbot. A chatterbot is a computer program designed to simulate intelligent conversation with human beings.

SmarterChild wasn't very smart. It could analyze messages sent to it by users and reply somewhat coherently. More often, it would reply with some variation of "I don't know how to answer that." Despite this, SmarterChild had millions of screennames registered to its buddy list. Before it was shut down, SmarterChild's buddies numbered almost 20 million. Maybe people just wanted to take advantage of SmarterChild's features, which included basic weather forecasts and movie showtimes. Maybe they wanted to talk to the robot because it wouldn't respond judgmentally or angrily, which is more than can be said of most humans. Either way, a lot of people liked SmarterChild.

The program was originally owned by tech company Colloquis, who sold it to Microsoft in 2006. It is possible that either company may have saved SmarterChild's chat transcripts, but neither company displayed evidence of doing anything evil with the information users sent to the bot.

But it's not hard to see how the idea of using a computer program that tries to imitate human response could be used evilly. And chatbot tech, like most kinds of technology and online media, has advanced considerably over the past several years. chatbot tech, like most kinds of technology and online media, has advanced considerably over the past several years. SmarterChild looks like a drooling toddler compared to some of the chatbot tech today.

Researchers at Institut EURECOM in France demonstrated last week how a chatbot could be used to mount large-scale mostly automated social engineering attacks against social networks.

One of their researchers, Engin Kirda, said: "By automatically crawling and correlating the information users store in social networks, we are able to collect detailed personal information about each user, which we use for automated profiling. Having access to such information would allow an attacker to launch sophisticated, targeted attacks or to improve the efficiency of spam campaigns."

Imagine it. A fake username that converses with human users convincingly enough to get them to divulge personal information or click malicious links.

To demonstrate their concern, the French researchers built a bot program that was able to get users to click on malicious links 76% of the time.

The way their tech worked was especially clever. The bot they built basically connects two human users. It forwards messages between a fake account - the bot - and forwards them to a real user, who responds. Because the bot sends messages between two humans, it seems human and therefore relatively trustworthy. The bot can modify the messages it forwards along, send malicious links, and record personal data. It can work with text messages between mobile devices, any chat service -  even one internal to a company - and even an established social networking site like Facebook.

The Institut EURECOM researchers know this because they gave their program a field test on Facebook. It worked. The researchers determined that a site like Facebook would be the most lucrative for an attacker using such tech because of how naive Facebook users are and how much private data they share there.

I have a fake Facebook profile. It was created as a joke. But I find it strange how I can become - at least digitally - a forty-year old overweight burlesque dancer just by creating a Facebook account just by inputting artificial information.

Now the clever researchers at Institut EURECOM have demonstrated that computer programs can also become fictitious people, hijack other users' accounts, and generally wreak havoc throughout a social network.

Welcome to the future. SmarterChild grew up. Our robots may not be smart enough to help with the dishes, but they can be trained to use us against each other in order to steal our identities. Now you can't even trust the fat middle-aged dancer who friend requested you.

Photo credit: ehow