MSPs Warned of BYOD Security Threat From Pokémon GO

A design flaw is raising fears about the safety of sensitive data on enterprise and BYOD mobile devices that might be used to play the game.

Aldrin Brown, Editor-in-Chief

July 20, 2016

4 Min Read
MSPs Warned of BYOD Security Threat From Pokmon GO

The maker of the hit mobile video game Pokémon GO says its engineers are working to fix a flaw that grants the company access to all Google files and data of users who play the game on iOS devices.

Players who sign in with their Google accounts must agree to a privacy policy that allows Niantic Inc. access to users’ email, photos, videos, web page viewing data, GPS navigation histories, and all documents contained in Google Drive.

Cybersecurity concerns were heightened even further following reports that a weekend crash of the Pokémon GO servers was the result of multiple hacking attacks.

Niantic and Google, which has a stake in the game developer, said only User IDs and email addresses are being tracked, and denied accessing or collecting any of the more sensitive player data.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access,” Niantec said on its website. “Google has verified that no other information has been received or accessed by Pokémon GO or Niantic.”

BYOD data concerns

The augmented reality game, in which graphics from smartphone cameras are projected in real world locations, became the biggest mobile game in U.S. history last week, with 21 million daily active users, according to a post in SurveyMonkey intelligence blog.

That staggering number is raising questions about whether some of those devices are unprotected enterprise phones or personal BYOD devices that could expose sensitive business data.

The vulnerabilities pose challenges and opportunities for managed services providers (MSPs) and managed security services providers (MSSPs).

“As an MSP, you can use apps like Pokémon GO as an example to show clients and employees the security risks involved with unprotected mobile devices and the growing need for managing these endpoints,” according to a post on Continuum’s MSPblog.

“By leveraging a mobile device management (MDM) solution, you can reduce these risks by remotely wiping an individual’s data if a device is compromised,” the post continues. “An MDM solution will also allow you to implement endpoint security policies and put restrictions on app purchases from non-validated markets.”

Several government agencies have issued advisories regarding the game. One blogger posted an unclassified memo to his Twitter feed entitled “U.S. Government operation security guidance for intelligence officers and friends playing Pokémon GO.”

“Don’t use your personal Gmail account to log in, as this not only links your personal information with your Pokémon GO activity (which includes GPS data), it could also expose your Google credentials to the app owner,” the advisory states.

Instead, players in sensitive government roles are advised to sign into the game using the alternate Pokémon Trainers Club account method or create a “throw-away” Google account just for gameplay.

Hackers target game’s maker

Niantic has offered no timetable for when the flaw might be repaired.

Though the game’s maker has vowed not to misuse the unsecured information, the Pokémon GO privacy policy also grants the company permission to sell the information it obtains from users, share it with third parties or turn it over to law enforcement.

If the personal data and other Google user files were somehow to end up in Niantic’s huge user database, the danger of a catastrophic cybersecurity breach would increase exponentially.

Over the weekend, the Pokémon GO servers suffered a major outage, which Niantic blamed on too many downloads as it expanded the game to 26 new countries.

But two separate hacker groups claimed the outage was a result of distributed denial of service (DDoS) attacks, and vowed that more were being planned in the near future.

PoodleCorp, one of the hacker organizations, said another attack would occur on Aug. 1.

The hacker group OurMine – which previously hacked the social media accounts of Mark Zuckerberg, Sundar Pichai and Jack Dorsey – sent an email to PCMag.com, saying they also attacked the Pokémon GO servers in an effort to help improve security.

“We wrote we will stop the attack if (Niantic) staff talked with us,” the web article states, citing an anonymous OurMine representative, “because we will teach them how to protect their servers.”

 

Send tips and news to [email protected].

Read more about:

MSPsMSP 501

About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like