Why Pokémon Go is a dress rehearsal for a new wave of IT security risks

Pokémon Go is so engrossing that some of its many players (there have been more than 30 million downloads) have stumbled over cliffs to catch fantasy characters superimposed on the real world through their smartphone screens.

But Pokémon Go also presents new security risks in the enterprise. Its use on employee smartphones has led to calls to ban the game on corporate devices for fear that it (or its malware variants) could infiltrate corporate systems or data stored on cloud platforms, such as Google.

While no breaches have been reported yet, security experts say Pokémon Go is just the first of many augmented reality (AR) or virtual reality (VR) apps that could pose security risks. Now is the time, they say, to minimize the short-term threat while learning how to safely combine information from such apps with corporate data for marketing and other uses. 

SANS 2016 State of Application Security Report

Pokémon Go: Assessing the risks

The original user agreements for Pokémon Go allowed its developer, Niantic Inc., to access user information, including Google profiles, history, and past searches, warned the International Association of IT Asset Managers (IAITAM). This has since been corrected, Google says, but the IAITAM nevertheless urged businesses to ban the game from any device with “direct access to sensitive corporate information and accounts.” Some experts went further, advising that no corporate documentation be stored on Google Drives due to the risk of a breach.

Neither Google nor Niantic responded to requests for comment. But in online updates, the developer said the game accesses only Google user IDs and email addresses, that Google has verified that no other information has been received or accessed by the game or its developer, and that Google would “reduce Pokémon GO’s permission to only the basic profile data” that the game needs. 

But even if the official application poses no risk, users may download malware in game copies from unofficial sites or in infected game guides or aids, says Ryan Olson, intelligence director at security vendor Palo Alto Networks. Such malware could, for example, include a keylogger that captures user passwords and other credentials that could be used to compromise corporate data, says Willard Robinson, head of marketing at document delivery vendor Biscom. Attackers are also using the game’s popularity in phishing attacks, where they try to capture users' login and password information for their email or other services, says Olson.

“Trojaned” smartphones (infected with malware disguised as legitimate applications) can also leak information about the internal wireless networks of an organization or can be used as bugging devices that commandeer the device's cameras and microphone to spy on infected users and their environment, says Andrew Brandt, director of threat research for security vendor Blue Coat Systems.

Precautions you should take now 

To protect themselves, businesses should tighten controls over which applications employees can install on which devices, monitor those applications and associated data to quickly find and block unauthorized games or data access, and train employees to be more careful with the apps they install—and the permissions they give those apps.    

While many mobile device management platforms can detect on which device a game is installed, they cannot determine whether or not the player used a Google account to log in and, if so, whether it was a work or personal account, says Tim Burke, director of IT at BetterCloud, which provides user lifecycle management, data discovery, and security automation for Google Apps and Office 365 domains.   

Tools such as BetterCloud’s Apps Explorer can drill into that detail, says Burke. For its own users, BetterCloud also enforces policies governing which account access and permissions are granted to which apps and games, as well as which employees can access customer information, for what reasons, and on which systems.

As is often the case with security, employees are the weakest link. “I think we’ve all gotten a little lazy at times with the security requests that our apps demand of us to enjoy them,” blogged Abbas Haider Ali, chief technology officer at intelligent communications platform provider xMatters. “We get even more lax with apps that are rising in popularity at a meteoric rate, and we just want to get engaged as quickly as possible.”

To reduce those risks, Stu Sjouwerman, founder and CEO of online training vendor Knowbe4, recommends training users through the use of real-world examples that show how the misuse of such games could harm the organization, impressing on them the need to not use corporate email accounts or corporate credentials for other than business use and asking users to pay more attention to the permissions they grant such applications.

And you need to enforce those rules. The consequences of violating them should be “proportionally severe” to the possible damage, says Brandt.

The coming wave: How to deal with security in AR and VR apps

With McDonald’s already making many of its stores in Japan special sites to find and capture Pokémon characters, it’s not hard to imagine that more companies will be making similar use of such games to distribute real-time discounts or other offers.  

When they do, privacy and security must be “built into the application rather than bolted on at the end,” says Cami Lewis, a senior product marketing manager at Hewlett Packard Enterprise. That means using both static and dynamic analysis tools to identify and fix any potential vulnerabilities, end-to-end encryption and application-level security policies for DLP (data loss prevention) to ensure that users don’t share sensitive information outside of the enterprise, and multifactor authentication, she says.  

A captive portal can be an effective way to ensure that guests and gamers connecting to the enterprise meet certain criteria and agree to an acceptable use policy, says Dirk Morris, founder and chief product officer of network security vendor Untangle.

Art Gilliland, CEO of application security vendor Skyport, recommends separate zones of trust for users and internal systems, micro-segmentation of the data center environment to better isolate any malware, and the use of a secure server as the only connection between the enterprise and data from the game.

Beyond any specific threats it may pose, “Pokémon Go was a great dry run for a possible malicious mobile application,” says Burke. “This is going to happen again with some other game. It’s important for any business to look for some lessons here and be prepared for the next time.” 

Do you see Pokémon Go and subsequent AR/VR-based apps as a significant security risk? What changes will you make to your security strategy?
