Since being released last month, Pokémon Go has become an international phenomenon. The game, which is available for Apple’s iOS and Google’s Android mobile operating systems, is unique in that it has players head into the real world to “gather” colorful characters via a user’s handset. This may get gamers off the couch, but in some cases could get those same gamers in serious trouble.

As reported last month the game is not without privacy and security concerns, and these risks were considered so great that the Israel Defense Force (IDF) went so far as to ban its use at all of its military bases. According to reports, the concern was based on the fact that the game activates cellular phone cameras and location services, and as a result it could leak sensitive information about the base locations or even photographs of the base.

Another concern is that soldiers could mistakenly download a fake application that impersonates the popular game, and in the process install malware or other malicious software onto a user’s device, and from there compromise connected networks.

One of Israel’s biggest military rivals in the region has taken its respective ban a step further. This month Iran became the first nation to institute a nationwide ban on Pokémon Go over ‘security concerns.’ This could be an excuse however. The game’s western cultural significance likely didn’t play favorably to Iran’s supreme council, which actively discourages such influences.

It should be added that Pokémon Go has yet to launch in India, Korea and China, but it is likely that more nations, or at least particular institutions within some nations, will ban the game. Given the tight control over video games in China, which were largely banned until July of last year, it wouldn’t be surprising if Pokémon Go faced enhanced scrutiny.

Hacking Technology is Nothing New

While many bans are cultural, there are legitimate security concerns.

“These bans may be due to the fact that as players participate in Pokémon Go, information about their locations is sent to and stored by Niantic, the company that created the game,” said technology industry analyst Charles King of Pund-IT. “This may concern government agencies for two reasons: first, that incrementally-collected player data could be assembled into a more comprehensive portrait of a facility they’d rather keep secret, and second, that Niantic keeping/storing that data presents a security risk if their servers are hacked by a foreign entity.”

Neither of these points is entirely far-fetched. Computer technology, as well as routers and switches made by Chinese firms – notably ZTE and Huawei – have been banned entirely in government offices in the United States, Great Britain, India and Australia, while China responded by banning some U.S. products over similar security concerns.

Bans of such technology could be warranted “given the hacking of U.S. companies and government agencies apparently sponsored by the governments of China, Russia, North Korea,” added King. “But this does signal a scaling-up of wariness by government agencies, as well as their willingness to proactively intercede.”

Furby, Fitness Trackers and More

Pokémon Go isn’t the first such largely “frivolous” sensation to face such scrutiny over security concerns. In 1999 the Furby became the “must-have” holiday toy, but it was quickly banned by the NSA, the Norfolk Naval Shipyard and the Pentagon. Administrators expressed concern that the talking robotic device could record top-secret conversations.

“Furbies were likely banned because it was believed that they ‘recorded’ what they heard and repeated the words,” explained Rob Enderle, principal analyst at the Enderle Group, a technology research firm. “In addition, they were annoying to other workers which was likely the more realistic cause.”

Furby’s creators argued unsuccessfully that the device didn’t actually have the ability to record or mimic voices. However, the ad campaign for Furby suggested it could “learn” English over time, while Tiger Electronics – the device’s creator – noted that the device didn’t really record conversations. In a statement at the time the company’s president Roger Shiffman noted, “Furby is not a spy!”

Yet the concerns that Furby could present a problem for the intelligence community were still largely justified.

“There was no operational reason for it to be inside those facilities in the first place,” said Christopher Burgess, president and co-founder of Prevendra, LLC. “Because of the way it was constructed there was no hardening of the device either to allow users to bring it in. It probably wasn’t a threat, but why take chances.”

More recently, other devices have faced similar scrutiny. Fitness trackers and health monitors – devices that are used to monitor a user’s activity – are the latest additions to an ever-growing list of items prohibited in a SCIF, which already included personal laptop computers, camera watches, wireless transmitters, scanning devices, MP3 players, all cameras and personal cell phones, and even flash drives and USB devices.

The rationale for placing fitness trackers on the banned list is that these “can tell third parties where people are and help with estimates on what they are doing,” warned Enderle.

“Anything that can transmit or could even be used in any nefarious manner is also typically banned,” added Burgess. “These devices are looked at with great caution, and even if it seems harmless it is necessary to look at these closely because the unintended consequence of being wrong is very grave.”

Relaxing of the Rules

Some devices have undergone review and have been approved for use in a limited capacity. In June the USMC lifted a general ban on fitness trackers. These devices can now be worn in spaces where collateral classified information and controlled unclassified information is processed, stored or discussed, reported the Marine Corps Times.

Under the new rules, commanders can still prohibit the use or wear of fitness devices in a facility, operations area, or laboratory if the risk is determined to be unacceptable. However, the MARADMIN gave no specifics on what could lead to such a determination. Signs must be posted that state when wearable fitness devices are restricted from any area.

Just as these devices could be threats, they could also, if modified, be used for authentication purposes instead.

“These devices could be part of systems that utilize NFC (Near Field Communication) to connect to a biometric device, which monitors your heart, which has a unique signature,” said Burgess. “As it is unique to you, your heartbeat could be used to confirm your identity. Because the monitor could work with NFC it would only transmit to inches, thus making it ideal for use in controlled areas.”

While fitness/health monitors could have use in biometric security, there are plenty of devices that would serve little to no purpose in a SCIF. Moreover, with the plethora of connected devices coming out as part of the burgeoning Internet of Things (IoT), it is likely that an increasing number of devices will find their way to the banned list.

As noted, the consequences for harm are just too great, and this is why seemingly harmless devices and applications may remain on the banned list.

“It used to be that such bans principally targeted highly portable devices that managers thought or suspected could be used to collect and store digital data, like USB drives, MP3 players and smart phones,” added Pund-IT’s King. “Given the success of Pokémon Go, devices that enable AI-based gaming have now been added to that list.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.