- July 15, 2016
- Posted by: Kerry Tomlinson, Archer News
Some companies may turn Pokemon Go into Pokemon No.
A sex offender was arrested for cavorting with children in a lively Pokemon Go game in Indiana. An Ohio couple was taken to jail for hopping a zoo fence after midnight to catch a Pokemon.
And now some companies are preparing to lay down the law on the new augmented reality game on the job.
It’s not just because you’re spending more time catching an Oddish and a Pidgey than reviewing your spreadsheets, though that is a factor. It’s because the wildly popular game can also be wildly unsafe, according to some experts.
“Pokemon Go represents a tremendous security threat,” said Ira Winkler, president of cybersecurity company Secure Mentem, in a post on CSO.
A threat, and one that has bowled aside other workplace problems in less than two weeks of existence.
“It is so common that it is more prevalent than people looking at porn in the workplace,” Winkler said to Archer News.
Risks and rewards
Some people say the game has lifted them from depression, or motivated them to leave the house.
“Since I downloaded the game, I have been going outside much more,” said player Christine Chan in a post on AppAdvice. “In a time when there is a lot of depressing stuff on the news, it’s nice to see everyone just coming out and enjoying a silly little AR [augmented reality] game together.”
But some players—known as “trainers” in the game—can’t put the phone down, even after they have clocked in. Plane manufacturer Boeing banned the game on the job and on phones, reports say.
“Due to the popularity of Pokémon Go and users not being able to make the conscious decision to not play Pokémon at work—we had a near miss for a user getting hurt while playing the game,” Boeing said in a memo, according to BGR.com. “Due to that, we had to react and disable the Pokémon app from all devices—we had over 100 active installs of that application.”
“Assume they’re screwed”
Boeing doesn’t want on-the-job injuries. But you could end up causing safety issues while chasing a wild Meowth, without even stubbing a toe.
You could let malicious hackers into your own world, and into sensitive systems at work.
“People of all ages, including your coworkers, are playing at record rates,” said Winkler. “Most important, they are bringing the app into the workplace, and using it on cellphones that also access work related information. It is a significant security vulnerability.”
The problem is the mix of work and play. For example, you might download the Pokemon Go app on your work phone, or on your own phone that you also use for work purposes, though it is something that Winkler describes as “stupid by definition.”
You might accidentally download one of the fake Pokemon Go apps infested with malware, or you might give away a large chunk of personal information through the real app. Either way, you may have compromised yourself and your company, giving a path for the next big data breach.
“Many companies use Google apps for corporate use, and employees will use that for their Pokemon account,” Winkler said. “They need to limit permissions, but generally assume they’re screwed.”
Laying down the law
Winkler and others in the security community are encouraging companies to come up with a Pokemon Go security policy, stat.
“All security programs, led by the security awareness team, should immediately create information about the security concerns, and what to do about them,” he wrote in his post.
Some points to include for users, according to Winkler:
- Ensure that you only download the official Pokemon Go app
- Ensure that your cellphone operating system is up to date
- As the app preferably uses Google accounts for authentication and tracking, consider creating a Google account just for that purpose
- Ensure that your password is strong
- Review app permissions, and remove as many permissions as possible
- Consider installing anti-malware software on your cellphone
- Be aware of the potential for crime
- Remain alert. Carelessness will cause more injuries than crime
- Never drive while playing the game
- Most important, if your organization uses Google apps, clearly state that employees should never use their corporate account for Pokemon Go or any other games.
“It is unfortunately extremely likely that some of your employees will eventually compromise information due to downloading malware on their mobile devices,” Winkler said.
New phone rules
Some security experts suggest companies set rules on which apps can be downloaded to phones that access company data.
Requiring people to have security software for phones is a good step as well, according to Chester Wisniewski, senior security advisor at Sophos, in eWeek.
“Most people have poor security on their phones, especially Droid devices, and while it can be generally safe, people have to use good security practices,” Winkler told Archer News.
The company behind Pokemon Go, Niantic, has fixed one of the major security glitches with the game. Researchers had uncovered the unpleasant detail that Pokemon Go was able to access people’s Gmail accounts, send e-mail as them, and more.
But some security experts say Niantic’s fix has not erased all security issues, saying you still give away a lot of information about yourself and your location, among other concerns.
“Tracking, giving a third party app access to a lot of data,” said Winkler.
And Pokemon Go’s popularity will make it a target for malicious hackers, according to David Kennedy of cybersecurity company Binary Defense Systems in PolitiFact.
“Let’s say I hacked into that application. I would now have access to everyone who installed it, their Gmail accounts and everything else,” said Kennedy. “So it’s a big security and privacy issue from that perspective.”
“Not above breaking and entering”
New rules at work will not keep all “trainers” from the chase. After all, the woman arrested for trespassing at the zoo in Ohio posted on her Facebook page, “I am not above breaking and entering for a Pokemon,” according to the Toledo Blade. And she is not alone.
But Winkler said security experts can help by giving guidance for Pokemon at work.
“People hear about malicious apps spoofing the actual Pokemon Go app. They hear about the app tracking them and having access to all of their data. They hear about people being mugged and finding dead bodies. People are excited, but they are concerned,” he wrote.
“Even if people think the app is ‘stupid,’ frequently they have family members or other loved ones playing the game,” he added. “Security awareness might never be more welcome.”
Numerous posts online give advice on how to play Pokemon Go at work without getting in trouble, like this helpful tip from The HR Digest: “Try to ignore any Pokémon that you find on or near your boss, unless you have a mutual understanding about playing Pokémon Go at work.”
Now players need tips on security as well, so their hunt for a Tangela or Caterpie does not make them the next victim of a malicious hacker, or the next security hole for attackers to take down their company.
“It’s a great game that gets people out in the real world,” Winkler said. “But they can’t be naive about it.”