Pokémon Go – Gotta Catch Them All (And Get Your Secrets Too)

Since its official release a few months back, Pokémon Go has exploded in popularity and is now one of the most downloaded mobile applications in history.

So much so that Pokémon Go updates rarely stray from the headlines, with various security-related horror stories reported on a daily basis.

Forensic write-ups have already shown how much location history the application stores on the device, and in the wrong hands that history could be devastating. Use the app on the way to and from work? You have potentially handed an attacker an exact timeline of when you are at work and when you are at home on a typical day, plus the route you walk between the two.

At the very beginning of its staggered regional release, users were warned again and again to wait for the official release and not to download ‘leaked’ versions, which were likely to contain phone malware designed to steal credentials and private information or to access the microphone and camera.

On Monday afternoon, we encountered a potential security incident of our own. Four seemingly innocent individuals turned up to our head office asking if they could come into the building because the app had alerted them that a rare Pokémon could be found inside our offices.

As a company that handles a lot of confidential information and data, we are rightly very conscious of anything that could become a security breach, however innocent the intention appears, so we politely declined on this occasion.

Although their intentions were almost certainly innocent, the cynic in me started thinking. The twist in this tale is that there should never be any need to let someone into a building to catch a Pokémon: the capture range the application allows means a player can catch it from outside a typical building.

With this in mind I started thinking: what if they weren’t avid Pokémon Go fans willing to stop at nothing to catch a rare Pokémon (even to the extent of knocking on a business’s door and disturbing an entire office to catch a Vaporeon, Dratini or Charizard), but individuals intending to breach the company, either physically or via the network?

The information that could be harvested after just a few minutes inside any office could be seriously damaging, not only to our physical security but also to the confidentiality of our clients’ data.

Picture this: with Pokémon Go on their phone as a clever ruse, they could be taking photographs or video of the office layout and noting entry points and access controls (which doors are locked, which need a code). They could be photographing information on employees’ screens, which might contain confidential email trails or snippets of our clients’ data. They could be making a mental note of the equipment we have on site and where our servers are kept, should they intend to break in later and steal valuable property.

Expanding on this even further: if someone knocked on your front door because Pokémon Go ‘told them’ there was a Pikachu in your living room, would you let them in? I would like to think the answer is no. You don’t know this person. How do you know they aren’t scoping out your house with the intention of burgling it, noting how large the TV is or where the car keys are kept, or something even more sinister?

The point is that Pokémon Go potentially spawns a new wave of social engineering pretexts that criminals can use deliberately to deceive people into opening up one of their primary layers of physical security. In many ways, letting a Pokémon Go player in to catch a Pokémon is no different from the people of Troy pulling the gift of the wooden horse inside their high walls. Modern security is complex, technical and essential, but the fundamentals understood by our ancestors remain key lessons: you can’t protect anything without a strong wall around it, and the wall is worth nothing if you open the gate yourself. Remember: a man’s home is his castle.

The fundamentals of social engineering have, for the most part, not changed in years. Some of the best-known techniques, such as the Nigerian 419 scam (remember that prince who desperately needed a bank account to deposit the money into?), are still used today via a simple email, but far more targeted techniques exist. Simple tricks such as tailgating through a keypad-locked door at a large company still usually work if you have a coffee cup in each hand (exploiting the human instinct to hold a door rather than let it close in someone’s face), as do more advanced, information-driven techniques. Whaling is spear-phishing aimed squarely at senior executives; its close cousin, often called CEO fraud or business email compromise, is posing as an executive and asking someone in accounts to transfer money. Spear-phishing more generally means an email tailored to its target, for instance one pretending to come from the IT contractors that tells executives to install the attachment as an essential security upgrade, when the attachment actually contains a backdoor into the system.
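The email-borne techniques above share a few tell-tale signs that a mail filter or a security team can check for before a human is asked to judge the message: an executive’s display name on an address that is not theirs, a sender domain that merely resembles the company’s, a Reply-To pointing outside the company, pressure wording about money, and an executable “update” attached. The following is an added example, not code from the original post or from any product mentioned in it. It assumes a company domain of example.com, a constructed two-person executive directory, and constructed sample messages; only the Python standard library is used.

```python
"""Flag executive-impersonation (whaling / CEO-fraud) and lure emails.

Added example, not part of the original post. Assumptions: the company
domain is example.com, EXECUTIVES is a constructed sample directory, and
the sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumed company domain
EXECUTIVES = {                             # constructed sample directory
    "jane doe": "jane.doe@example.com",
    "sam smith": "sam.smith@example.com",
}
PRESSURE_WORDS = ("urgent", "wire", "transfer", "invoice", "confidential")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, reference: str) -> bool:
    """True for a domain that is not the reference but resembles it:
    within two edits (examp1e.com) or containing its name (example-itservices.test)."""
    if domain == reference:
        return False
    return _edit_distance(domain, reference) <= 2 or reference.split(".")[0] in domain


def impersonation_findings(raw_message: str) -> list[str]:
    """Return human-readable reasons this message looks like a social-engineering lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive display name on an address that is not the executive's.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        findings.append(f"display name '{name}' is an executive but address is {addr}")

    # 2. Sender domain is a lookalike of the company domain.
    if from_domain and looks_alike(from_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_domain} resembles {COMPANY_DOMAIN}")

    # 3. Replies are silently redirected outside the company.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if reply_to and not reply_to.endswith("@" + COMPANY_DOMAIN) and reply_to != addr:
        findings.append(f"Reply-To {reply_to} is outside the company")

    # 4. Money / urgency wording in the subject.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        findings.append("subject uses pressure/money wording: " + ", ".join(hits))

    # 5. An executable or macro-enabled attachment posing as an update.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {fname} is an executable/macro type")
    return findings


# Constructed sample: CEO-fraud style wire request from a lookalike domain.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jdoe.ceo@mail-drop.test
Subject: URGENT wire transfer before close of business
To: accounts@example.com

Please process this invoice today. I am in meetings, email only.
"""

# Constructed sample: a genuine internal message with none of the signs.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Board lunch next Tuesday
To: staff@example.com

Lunch will be in the main room.
"""


def build_update_lure() -> str:
    """Constructed sample: 'IT contractor' spear-phish carrying a fake update."""
    m = EmailMessage()
    m["From"] = "IT Support <helpdesk@example-itservices.test>"
    m["To"] = "ceo@example.com"
    m["Subject"] = "Mandatory security upgrade - please install today"
    m.set_content("Install the attached update before 5pm.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="SecurityUpdate.exe")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT),
                       ("lure", build_update_lure())):
        print(label, impersonation_findings(raw))
```

None of these checks replaces a phone call to the executive before money moves; their value is that they trigger on the pretext itself rather than on a known-bad sender, so a brand-new lookalike domain is still caught.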

The key takeaway from this article and our experience is that, even while so many people are caught up in the Pokémon Go circus, you should not allow yourself to be distracted and tricked into something that could damage your security.