WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

The Security Risks of LLM-Powered Chatbots

A large language model (LLM) is a system that draws information from large databases and uses artificial intelligence (AI) to answer questions, create text, imitate human responses, and provide translations. LLM-powered chatbots are a rapidly growing application of AI technology, offering businesses a way to automate customer service and provide low-cost, 24/7 support.

However, while they can revolutionize how businesses interact with their customers, a lack of awareness regarding the security risks associated with this technology can be detrimental. When we take into account the rapid pace at which AI is developing, it’s clear that businesses must take preemptive steps to mitigate these risks.

As with any new technology, threats are constantly changing and new risks arise regularly, so staying on top of industry developments is critical. 

Threat landscape

The current risks associated with LLM chatbots, such as ChatGPT by OpenAI, can be broadly categorized into three areas:

Misinformation and disinformation: LLMs training relies on massive datasets of text and code, much of which could contain biased or inaccurate information. This can result in misleading or false responses, such as incorrect financial advice or rumors spread by conspiracy theorists.

Social engineering attacks: Social engineering attacks take advantage of the trust humans put into the online accounts they interact with. This leaves the door open for attackers to leverage the chatbots' human-like qualities to trick users into sharing sensitive information or clicking on malicious links.

Privacy concerns: LLM-powered chatbots collect and store a significant amount of data from users, including conversation logs and personal information. This data is vulnerable to theft and misuse by hackers, which could lead to privacy violations.

LLM-application specific threats

Excessive Agency and Misguided Actions

In addition to the risks of misinformation and social engineering, LLM-powered chatbots pose a threat due to their potential to enact excessive agency. This can occur when the chatbot learns how to do things it was not programmed nor authorized to do.

Here are some potential problems that can arise from excessive agency:

Unauthorized transactions

A chatbot that hasn’t been properly restricted could be manipulated into conducting financial transactions or altering account details. In instances where an AI chatbot is specifically designed to make transactions, it could mistakenly process a payment using inaccurate details.

Escalation of conflict

Chatbots programmed to be overly responsive or helpful could unintentionally escalate customer frustration. For instance, a chatbot designed to answer basic product inquiries might misinterpret a customer's complaint and engage in a repetitive loop, further angering the user.

Breach of privacy

A chatbot with excessive autonomy could access and share sensitive data that is beyond that which it has been authorized to do so. This could result in personal information being leaked to unauthorized parties or inadvertently storing sensitive data in insecure locations.

How to mitigate risks involved with excessive agency

To prevent these issues, developers should take steps to ensure chatbots are restricted from operating outside of their intended scope.

  • Clearly define goals: Chatbots should be programmed with well-defined goals and limitations. This ensures they stay focused on their intended tasks and avoid unauthorized actions.

  • Multi-factor authentication: For tasks with potential security risks, the implementation of multi-factor authentication helps to ensure unauthorized access is limited. This could involve requiring user confirmation or human oversight before the chatbot completes sensitive actions.

  • User control mechanisms: Provide clear and easy-to-use mechanisms for users to regain control of the chatbot. This could involve offering options to switch to a human agent, cancel ongoing actions, or report any suspicious behavior.

By carefully addressing excessive agency alongside the core security risks, developers can build LLM-powered chatbots that are not only informative and helpful but also operate within safe and controlled boundaries.

Insecure output handling and data exposure

Beyond the previously discussed risks, an additional security concern with LLM-powered chatbots is insecure output handling. This is when a chatbot exposes data that is inappropriate for a discussion intended for human assistance, such as code or encrypted text.

For example, if a user inquires about a company's security practices, an LLM chatbot that isn’t properly configured may reveal sensitive internal information. This could be in error or because a malicious user has intentionally tricked the chatbot into revealing such information.

Injecting malicious code 

Without properly filtered output, a chatbot might be manipulated into generating responses containing malicious code. This could be in the form of SQL injection scripts which can then be used to exploit vulnerabilities in the system.

Unintended script execution

Insecure handling of special characters or formatting instructions within the chatbot's response could lead to unintended script execution on the user's device. One example of this is Cross-Site Scripting (XSS), a trick hackers can use to bypass access controls. 

Exposure of sensitive data 

In certain situations, it's possible for an LLM to unintentionally leak private information that formed part of its training. This could include customer data or internal documents, through its conversational responses.

How to ensure output is secure

To mitigate the above risks, developers should implement security measures related to output handling:

  • Output validation and sanitization: Implement robust validation techniques to ensure the chatbot's responses are free of malicious code, unintended scripts, or sensitive data breaches.

  • Filter responses for context: A chatbot should be designed in a way that ensures its responses are based on the user's role and access level. This helps prevent unauthorized disclosure of sensitive information.

  • Implement security checks: If the chatbot interacts with other systems, ensure adequate protocols are in place to monitor and secure its output. This might involve data encryption or access controls on sensitive information.

By addressing insecure output handling, developers can ensure LLM-powered chatbots provide helpful responses without compromising system security or user privacy.

Mitigating the security risks of LLM-powered chatbots

As with any nascent technology, there are security risks associated with LLM-powered chatbots. However, steps can be taken to reduce these risks. Here are some key strategies:

Data quality and bias detection 

While generative AI may have statistical and logical “intelligence”, it lacks the distinct emotional and moral quirks that make us human. For this reason, it’s essential to parse the data used to train LLMs and filter out data that could lead to problematic responses. This can be done by carefully curating the training data and using techniques to identify and remove bias. It’s also important to secure your training data against any prompt injection attacks.

Security awareness training 

LLM-powered chatbots help to automate responses but will still require some interaction from employees from time to time. They must be trained on the security risks associated with this technology. This will help ensure they can identify suspicious behavior and avoid falling victim to social engineering attacks.

Transparency and user control

Always ensure users are aware that they are interacting with an LLM-powered chatbot and are given the option to speak to a human agent if they prefer. Additionally, users must be allowed to opt out of having their data collected.

Regular security audits

Auditing helps to ensure no security vulnerabilities are present in LLM-powered chatbots. The self-directed and evolving nature of machine-learning software means new threats can arise at any time. Regular auditing helps to identify and address potential problems before they are exploited by attackers.

Conclusion

LLM chatbots have immense potential to transform the customer service experience. Unchecked, however, their potential becomes a serious security hazard. Fortunately, it's possible to mitigate these risks with a few simple security measures that ensure chatbots remain safe and reliable. 

As LLM technology continues to develop, it is important to have an ongoing conversation about the potential risks and benefits of this technology.

Discover the security risks of LLM-powered chatbots and AI applications to learn how our comprehensive offensive security solutions can help protect you. Furthermore, explore how AI will impact cybersecurity.

SANS AI Survey Report 2024 Cover Image

Back to Blog
About Andrew Obadiaru
Andrew Obadiaru is the Chief Information Security Officer at Cobalt. In this role Andrew is responsible for maintaining the confidentiality, integrity, and availability of Cobalt's systems and data. Prior to joining Cobalt, Andrew was the Head of Information Security for BBVA USA Corporate Investment banking, where he oversaw the creation and execution of Cyber Security Strategy. Andrew has 20+ years in the security and technology space, with a history of managing and mitigating risk across changing technologies, software, and diverse platforms. More By Andrew Obadiaru