
Securing ChatOps from the Burger King Bot Hack


New security concerns have been introduced recently with the advent of human interface bots like Alexa, OK Google, or some of those out of the ChatOps scene like Lita or Hubot. By just typing a command in a Slack channel or speaking a few words, you can train bots to do some pretty helpful tasks with minimal effort. But with this great new ease comes the ability to get yourself in big trouble, real fast.

As a lighthearted example of a bit of grey-hat hacking (a prank in this case), have a look at what Burger King added in a recent commercial. I think it’s rather clever: they use the bot’s wake command and direct the bot to read a Wikipedia article. But after having a good laugh, it’s not too difficult to see how this approach could be used as an attack vector.

It’s not uncommon to see chatbots control industrial functions. As an example, while I was working for a client recently I wrote a custom script for a bot on our network to deploy software releases to our production servers. We’d say something like:

Eva, (our bot name) deploy git rev XXXX to production

..

Eva would then start the deployment process behind the scenes and keep everyone informed of the deployment status.

But can’t anybody start a deployment to production, just as any voice in a room, like the one in that commercial, could have Google Home read Wikipedia?

Yes, which is why it’s important to secure these commands to reduce the attack surface.

For instance, it’s possible to have your Google Home or Alexa respond to custom-defined names instead of the default “OK, Google”. This would protect us from what happened in the commercial.

It’s also a good idea to add some sort of verbal authentication, such as “Are you sure?” or “Please provide the password”. In our chatbot I added security so that only certain users in the chat room were permitted to execute that command.
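The two controls described above (a per-user allowlist and an “Are you sure?” step), sketched as a framework-independent handler. This is an added example, not the code of the Eva bot described in this post; the user IDs, reply strings, the 60-second timeout and the `createDeployGuard` and `startDeploy` names are assumptions.

```javascript
// Added example: every name and value here is illustrative, not the author's bot.
const DEPLOYERS = new Set(["U100ALICE", "U200BOB"]); // constructed chat user IDs
const CONFIRM_TTL_MS = 60000;                        // assumed confirmation window
const DEPLOY_RE = /^eva,? deploy git rev ([0-9a-f]{7,40}) to production$/i;
const CONFIRM_RE = /^eva,? confirm ([0-9a-f]{7,40})$/i;

// startDeploy(rev, userId) is a hypothetical callback that runs the real deployment.
function createDeployGuard(startDeploy, now = Date.now) {
  const pending = new Map(); // userId -> { rev, expires }

  return function handle(userId, text) {
    const msg = text.trim();
    const d = DEPLOY_RE.exec(msg);
    if (d) {
      // Authorize on the platform's stable user ID, never on a display name.
      if (!DEPLOYERS.has(userId)) return "denied: not authorized to deploy";
      const rev = d[1].toLowerCase();
      pending.set(userId, { rev, expires: now() + CONFIRM_TTL_MS });
      return `Are you sure? Reply "eva, confirm ${rev}" within 60s.`;
    }
    const c = CONFIRM_RE.exec(msg);
    if (c) {
      // Only the user who asked can confirm, and only for the same revision.
      const req = pending.get(userId);
      pending.delete(userId);
      if (!req) return "nothing to confirm";
      if (now() > req.expires) return "confirmation expired";
      if (req.rev !== c[1].toLowerCase()) return "revision mismatch, request cancelled";
      startDeploy(req.rev, userId);
      return `deploying ${req.rev} to production`;
    }
    return null; // not a command for this handler
  };
}
```

Because the pending request is keyed by the requester’s ID, a second person in the channel cannot confirm someone else’s deployment, and a stale request cannot be replayed after the window closes.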

Anyway, funny video, but I think there was a lesson to be learned. Always be trying to reduce the attack surface.
