Do the Pokémon Go: Information Security in the Physical World

07/12/2016 05:27 pm ET

On July 6, 2016, Augmented Reality made a great leap forward with the release of Pokémon Go, a mobile game that allows players to interact with Pokémon that seem to appear throughout the real world, even going so far as to sell a $35 dollar connected accessory that vibrates when Pokémon are nearby. Additionally, business owners have been able to use the game to develop new business by advertising what Pokémon are available in the shop. Within two days of its release, the game was installed on 5.16% of all Android devices (it was only released in The United States, Australia, and New Zealand), and it will soon have more daily active users than Twitter. Suffice it to say the game is wildly popular.

 While it is great to see that technology companies, consumers, and businesses are beginning to embrace to power of Augmented Reality, the rapid ascension of Pokémon Go has brought to light many of the concerns that cybersecurity experts have been battling for years. Namely, that people do not treat digital consequences the same way they treat real world consequences. Pokémon Go and Augmented Reality offer tremendous insight and concrete examples of why cybersecurity experts have, to date, been fighting a losing battle.

While many are enjoying Pokémon Go, others have already used the game to carry out crimes. For example, a group of teenage robbers in Missouri used the “geolocation feature of the ‘Pokémon Go’ app [. . .] to anticipate the location and level of seclusion of unwitting victims”, according to O’Fallon Police Sergeant Bill Stringer. These teens also used the game’s “lure” feature to attract isolated individuals playing the game to areas that would be densely populated by Pokémon in order to rob them. It is also important to note that people were responding to the lure by going to empty parking lots at 2:00am – a choice some of them would not have otherwise made.

Criminals have not just figured out ways to use the game as a tool for committing crimes, they also have figured out a way to use the massive popularity of the game as a springboard for more sophisticated cyber-attacks. Cyber criminals have created iterations of the game that contain malware, which they make available on third party installation sites. To date an undetermined number of users have been infected by the malware, Droidjack, which has the following capabilities:

  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

This means that with the simple click of a download icon, a person has functionally compromised their entire identity. A fate that can require years of time and tens of thousands of dollars to remedy.

While people unfortunately get robbed and hacked on a daily basis, Pokémon Go, due to its fast rise and new Augmented Reality foundation, highlights many of the issues that the cybersecurity industry has been struggling with for years, namely the inability of most people to apply their well-developed common sense to technology.

Turning to the robbery example above, it could have only occurred through an Augmented Reality application or game. In any other context, messages like “Stranger Danger” would flash in bright letters in everyone’s mind, and no reasonably cautious person ordinarily would go to a parking lot at 2:00am, to meet people that used a “lure” to get them there. The situation, without Pokémon Go, is ludicrous, but with Pokémon Go, it is likely to be repeated. An application is only as good as its user, and without applying the same common sense practices that are used in the real world to the digitally augmented world, these events will continue to happen. In fact, since Augmented Reality modifies the real world, the better the application, the more diligent the user must be in reminding him or herself of the potential real world dangers that he or she still faces. 

The fun and joy of Pokémon Go is wonderful. But, its popularity also forces us, as a society, to begin confronting the hard questions that Augmented Reality applications have begun to pose as to cybersecurity and privacy issues, as well as negligence claims that are sure to arise from people blindly following Pokémon intro crowded streets.

 

Daniel Garrie would like to thank Benjamin Dynkin and Masha Simonova as contributors. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or JAMS ADR, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Contact: daniel@lawandforensics.com

CONVERSATIONS