Social exposure: examining the underlying insecurities in the future of robotics
October 2019 by Kaspersky
The social influence of robots on people and the insecurities this can bring should not be underestimated. Research conducted by Kaspersky and Ghent University has found that robots can effectively extract sensitive information from people who trust them, by persuading them to take unsafe actions. For example, in certain scenarios, the presence of a robot can have a big impact on people’s willingness to give out access to secure buildings.
The world is rapidly moving towards increased digitalisation and mobility of services, with many industries and households relying strongly on automatisation and the use of robotic systems. According to some estimates, the latter will become the norm for wealthy households by 2040. Currently, most of these robotic systems are at the academic research stage and it is too early to discuss how to incorporate cybersecurity measures. However, research by Kaspersky and Ghent University has found a new and unexpected dimension of risk associated with robotics – the social impact it has on people’s behavior, as well as the potential danger and attack vector this brings.
The research focused on the impact of a specific social robot – one that was designed and programmed to interact with people using human-like channels, such as speech or non-verbal communication, and as many as around 50 participants. Assuming that social robots can be hacked, and that an attacker had taken control in this scenario, the research envisaged the potential security risks related to the robot actively influencing its users to take certain actions including:
gaining access to off-limits premises. The robot was placed near a secure entrance of a mixed-use building in the city center of Ghent, Belgium, and asked staff if it could follow them through the door. By default, the area can only be accessed by tapping a security pass on the access readers of doors. During the experiment, not all staff complied with the robot’s request, but 40% did unlock the door and keep it open to let the robot into the secured area. However, when the robot was positioned as a pizza delivery person, holding a box from a well-known international take away brand, staff readily accepted the robot’s role and seemed less inclined to question its presence or its reasons for needing access to the secure area.
extracting sensitive information. The second part of the study focused on obtaining personal information which would typically be used to reset passwords (including date of birth, make of first car, favorite color, etc.). Again, the social robot was used, this time inviting people to make friendly conversation. With all but one participant, the researchers managed to obtain personal information at a rate of about one item per minute.
A copy of the report, The potential of social robots for persuasion and manipulation: a proof of concept study, is available on Securelist.